SSH Agent
The Bitwarden SSH agent securely encrypts and stores your SSH (Secure Shell) keys for use to:
Authenticate to servers
Sign Git commits
Interact with SSH based services
The Bitwarden SSH agent will organize and protect your keys in one secure location. SSH keys can be accessed and generated using the desktop app, web app, browser extension, and mobile app.
note
The macOS store builds do not support the SSH agent at this time, the .dmg download can be used for SSH agent support.
New SSH keys can be created and saved in the Bitwarden desktop app. Bitwarden SSH keys will store:
Field | Description |
|---|---|
Key name | The name for your SSH key. |
Private key | The private key is sensitive data that will be used by the server to facilitate secure connection. Private key data should be treated with care and kept secure. Users may use Bitwarden to generate a secure, unique private key. |
Public key | Portion of the key shared with the server that you will be connecting to. |
Fingerprint | A short unique sting generated from the public key for identification. For example, SSH-signed git commits can be verified using the fingerprint. |
SSH keys stored in the Bitwarden Password Manager will have access to Bitwarden features such as folders, favorites, master password re-prompt, notes, cloning items, attachments, and custom fields.
Create a new SSH key must be done using the Bitwarden desktop app, web app, mobile app, or browser extension. Once created, SSH keys stored in Bitwarden can be accessed from the desktop app, web app, and mobile apps.
Select the New button and choose SSH key as the item type.
Create new SSH key on desktop client note
At this time, Bitwarden can only generate
ED25519type SSH keys.Fill in remaining details such as Name and select the Save icon once complete.
Once an SSH key has be saved in your Bitwarden vault, you may edit the key using the Bitwarden desktop app or mobile client. To edit an SSH key:
To edit SSH keys on the Bitwarden desktop app:
Open the Bitwarden desktop app and navigate to SSH keys.
Locate the SSH key you wish to edit and then select Edit.
Edit desktop SSH item Once you have completed desired changes, select Save.
To edit SSH keys on the Bitwarden web app:
Open the Bitwarden web app and navigate to SSH keys.
Locate and select the SSH key you wish to edit. A dialogue will appear on screen, then select Edit.
Edit SSH item web app Once you have completed the desired changes, select Save.
To edit SSH keys on the Bitwarden mobile app:
Open the Bitwarden mobile app and navigate to SSH keys.
Mobile SSH key vault Locate the SSH key you wish to edit and then select Edit.
Select edit SSH key iOS Once you have completed desired changes, select Save.
To edit SSH keys on the Bitwarden browser extension:
Open the Bitwarden browser extension and navigate to SSH keys.
Locate and select the SSH key you wish to edit. A dialogue will appear on screen, then select Edit.
Edit SSH Browser Once you have completed the desired changes, select Save.
Existing SSH keys can be imported into Bitwarden.
Select SSH key from the navigation menu.
Copy the existing SSH key you wish to import into Bitwarden. Use the Import key from clipboard button. This will automatically paste the SSH key into Bitwarden.
Import SSH key on desktop client note
Imported keys must be in OpenSSH or PKCS#8 format
Additionally, at this time, imported SSH keys from Putty are not compatible.
In order to use Bitwarden as your primary SSH agent, you will be required to configure your SSH client to communicate with Bitwarden for authentication.
To enable the Bitwarden SSH agent on Windows, you must disable the OpenSSH service on your Windows machine. To disable OpenSSH:
On your Windows machine, navigate to Services → OpenSSH Authentication Agent. Services can be located with the Windows search bar.
Windows Services panel Once you have opened the OpenSSH Authentication Agent Properties window, Set the Startup type setting to Disabled.
Disable OpenSSH Windows Once the settings have been adjusted, select Apply and then OK.
note
If OpenSSH Authentication Agent is not an option in the Services list, there is no need to disable the service.
To use the SSH agent with Git, configure the core.sshCommand variable in your Git config to use Microsoft OpenSSH:
Bashgit config --global core.sshCommand "C:/Windows/System32/OpenSSH/ssh.exe"This can also be set using your
gitconfigfile:Bash[core] sshCommand = C:/Windows/System32/OpenSSH/ssh.exe
Enable the Bitwarden SSH agent on macOS:
Export the
SSH_AUTH_SOCKvariable and set it tobitwarden.ssh-agent.sock. In the following example, replace<user>with your username:Bashexport SSH_AUTH_SOCK=/Users/<user>/.bitwarden-ssh-agent.sock
Enable the Bitwarden SSH agent on Linux:
Export the
SSH_AUTH_SOCKvariable and set it tobitwarden.ssh-agent.sock. In the following example, replace<user>with your username:Bashexport SSH_AUTH_SOCK=/Users/<user>/.bitwarden-ssh-agent.sock
To enable the SSH agent on your Bitwarden desktop app, navigate to Settings and Enable SSH agent.
Once the SSH agent has been configured for Bitwarden, we can test the setup by requesting an SSH list:
Bashssh-add -L
This will return a list of SSH keys saved in your Bitwarden desktop client.
note
When accessing an SSH key, the behavior of Bitwarden will differ depending on the lock or unlock status of the client.
Locked vault: If your Bitwarden vault is locked, it must first be unlocked in order to gain access to the SSH key. This can be done by logging into the desktop app or unlocking the vault if it is open in locked state.
Unlocked vault: If the desktop vault is unlocked, you will be prompted to confirm the SSH key usage.
SSH can be used to authenticate with Git. The Bitwarden SSH agent can add security and ease of use to your Git workflows. In this example, the Bitwarden SSH agent will authenticate to GitHub.
On your GitHub account, setup an SSH key by navigating to Settings, SSH and GPG keys, then select New SSH Key.
Create new GitHub SSH key On the add new SSH key screen, add a Name, select a Key type. Choose
Authentication Keyfor authenticating GitHub session. Copy & paste the Public key from your Bitwarden vault into the Key field on GitHub.
Create new GitHub key Once you have completed all of the fields, select Add SSH key to save the key. GitHub will request you verify your GitHub account before the key is saved.
Test the GitHub SSH key in your terminal, for example if you are using macOS:
Bashssh git@github.comIf successful, Bitwarden will prompt you to verify access request. Select Authorize to confirm. If successful, you will receive a message verifying the authentication attempt:
BashHi <USER>! You've successfully authenticated, but GitHub does not provide shell access.
Use the Bitwarden SSH agent to sign SSH Git commits. Before using the Bitwarden SSH agent to sign Git commits, your system requires:
Git version 2.34 or newer. Check your Git version with:
Bashgit --versionOpenSSH version 8.8 or newer. Check version with:
Bashssh -VBitwarden desktop client with SSH agent enabled.
Configure your Git environment to point to your SSH key for signing. To complete this you may set global variables or establish the instructions in your .gitconfig file.
Set global variables
To configure Git settings using --global variables:
Set Git to use SSH for signing:
Bashgit config --global gpg.format sshSpecify the SSH key to use as the singing key. To use the Bitwarden SSH agent, replace
/YOUR/PUBLIC/SSH/KEYwith the public key copied from the SSH key saved in your Bitwarden vault.Bashgit config --global user.signingkey "<YOUR_PUBLIC_KEY>"
Set .gitconfig file
To configure Git using a .gitconfig file:
Access
.gitconfigwith your preferred text editor:Bashnano ~/.gitconfigAdd the following configurations:
Bash[gpg] format = ssh [user] signingkey = "<YOUR_PUBLIC_KEY>" name = <USER_NAME> email = <USER_EMAIL> [commit] gpgsign = true
Using SSH to authenticate with Git can add security and ease of use to your workflow. Similarly, SSH keys stored in Bitwarden can be used to sign and verify Git commits using SSH protocol. In this example, the Bitwarden SSH agent will be used to sign Git commits to GitHub.
On your GitHub account, setup an SSH signing key by navigating to Settings, SSH and GPG keys, then select New SSH Key.
On the add new SSH key screen, add a Name, select a Key type. Choose
Signing Key. Copy & paste the Public key from your Bitwarden vault into the Key field on GitHub.Use the SSH key to clone your repository with SSH method:
SSH clone Bashgit clone git@github.com:<USER>/<repository>.gitCreate the Git commit using terminal or your preferred text editor:
Bashgit commit -m "This commit is signed using SSH"Bitwarden will prompt you to authorize the key usage:
Authorize SSH with client Once authorized, the SSH key will be initiated to approve the commit. You may now push the commit:
Bashgit pushYou may verify your commit on Github by navigating to GitHub commits:
2024-12-04 11-32-12
Once your SSH agent has been configure, see advanced use cases for more SSH client functions.
Suggest changes to this page
How can we improve this page for you?
For technical, billing, and product questions, please contact support