linux – How do I use KeePassXC as an SSH agent?


The SSH Agent has a whole dedicated section in KeePassXC docs. It’s probably best to read it whole to get a general idea of how it works. If you don’t want to, here’s a summary.

KeePassXC doesn’t act as a full-blown SSH Agent replacement. Instead, it communicates with an already running SSH agent and adds or removes SSH keys as needed.

Private keys can be stored entirely in a KeePassXC database. Alternatively, you can keep password-protected key files in the filesystem and use KeePassXC to unlock them automatically using a password stored in the DB and insert them into agent.

Keys can be added and removed on demand or automatically when the database is opened/closed. You can also set timeouts for key removal and enable confirmations on per-key basis.

Pretty neat!

Add a new entry. Name is as you wish.

The username will be used as a key name in the agent (ssh-add -l). The password will be used to unlock the key if it’s password protected.

Advanced tab: Add the private key as an attachment if you wish to store it in the database (useful for sharing between systems if your database is already shared somehow).

Auto-Type tab: Uncheck Enable Auto-Type for this entry.

SSH Agent tab: Configure when the key is added and removed to your liking. Choose your private key from attachments or the filesystem.

Browser Integration tab: Check Hide this entry from the browser extension.

I’ve tested this on Pop!_OS 18.04, which is a closely related fork of Ubuntu.

This feature should mostly work out of the box, just enable it in KeePassXC settings.

Use ssh-add -l to check if your keys are loaded (if you’ve chosen to add them manually, you can do this by right-clicking them and selecting Add key to SSH Agent).

SSH Agent does not work if KeePassXC is installed as a snap package. If snap info keepassxc returns something, you must remove the snap version and install a regular one using apt. If you’re on Pop!_OS and apt installs an older version than snap, see this question: KeePassXC is not upgrading to latest version on Pop!_OS.

Answer tested on Windows 10 version 2004.

First of all, you have to be using the OpenSSH Client that comes with Windows 10. It’s a bit different than “bare” OpenSSH when it comes to communication with the agent. Make sure you have OpenSSH Client component installed (it’s optional – may be missing if you’ve removed it explicitly or upgraded from an older version of Windows).

If you have another SSH client installed (for example the one that comes with git), make sure that the Windows one is used on the command line. Typing where ssh-add in the cmd window should return C:WindowsSystem32OpenSSHssh-add.exe as the first entry. If that’s not the case, you have to reorder your PATH entries.

You also have to enable the agent’s service. Open services.msc and find OpenSSH Authentication Agent. Set its Startup type to Automatic, apply and start it.

Unfortunately the version of SSH client that comes with Windows build 2004 is buggy and doesn’t work with RSA keys. You must apply this workaround:

  1. Stop the agent service.
  2. Download the latest release of OpenSSH-Win64.zip from GitHub. Extract it to C:Program FilesOpenSSH-Win64.
  3. Open regedit and go to HKLMSYSTEMCurrentControlSetServicesssh-agent. Change ImagePath to C:Program FilesOpenSSH-Win64ssh-agent.exe
  4. Start the service.

Now enable the SSH Agent in KeePassXC settings and check Use OpenSSH for Windows instead of Pageant.

Use ssh-add -l to check if your keys are loaded (if you’ve chosen to add them manually, you can do this by right-clicking them and selecting Add key to SSH Agent).

Save a corresponding public key in the filesystem and use it in the config. ssh will use the correct key from KeePassXC if it’s added to agent.