SSH agent–managed SSH keys

You probably already know: there’s no excuse to not be using a password manager in 2026. If you read my blog regularly, you may even be a person actually using a password manager. It’s possible, though, that you don’t use said password manager to manage your SSH keys.

If you didn’t already know, you can manage your SSH credentials seamlessly in 1Password. You can do it with KeePassXC, too. I’m not going to mention the other big password managers by name, but at least one of them also already has built-in SSH agent support. Yes, the managers implement an SSH agent (see ssh-agent) and make authenticating via SSH feel kinda like authenticating to Netflix via a web browser.

More than ever, it’s a good idea to not store any credentials (or sensitive data in general) unencrypted on your disks. More than ever, because there have recently been many notable instances of open-source software being compromised via supply-chain attacks and backdoors. Group-IB characterizes supply-chain attacks as being hyped right now, which is funny and horrifying.

Between all the free-ish tools you use every day and the LLM-related software your boss pays for, your computer is more an open wound, ready to be infected, than ever. You likely know this; I’m only here to remind you.

If, like me, you manage an environment or two where you don’t want to install a password manager, and you simply want to avoid leaving SSH private keys in plaintext, you can use GPG and a simple shell script to keep your credentials safe from prying mal-processes:

#!/usr/bin/env sh
#
# ssh-enc
#
# Usage:
#   ssh-enc <path to GPG-encrypted SSH private key> [SSH arguments]
# Example:
#   $ ssh-enc "$HOME/.ssh/vps.gpg" benjaminwil@example.com -vvv

set -e

encrypted_ssh_private_key_path="$1"
shift

# Start a throwaway agent for this session only and make sure it is killed
# when the script exits, so the decrypted key does not outlive the connection.
eval "$(ssh-agent -s)" >/dev/null
trap 'ssh-agent -k >/dev/null' EXIT

# Decrypt straight into the agent over a pipe ("-" tells ssh-add to read the
# key from stdin). This stays POSIX sh (the <(...) process substitution is a
# bash-only feature) and the plaintext key never touches the disk.
gpg --decrypt "$encrypted_ssh_private_key_path" | ssh-add -

# Pass the remaining arguments through individually ("$@") rather than joined
# into one string, so flags such as -vvv reach ssh as separate words.
ssh "$@"
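As an added example that is not part of the original post: a companion audit script that finds private keys still sitting on disk without a passphrase, which is exactly the state the script above is meant to eliminate. It assumes a POSIX sh with coreutils base64(1); the sample key files it builds are constructed headers, not real key material.

```shell
# ssh-plaintext-audit: report SSH private keys stored with no passphrase.
# Print one of: plaintext | passphrase | other
classify_key() {
  f="$1"
  if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f" 2>/dev/null; then
    # Native format: the base64 body decodes to "openssh-key-v1\0", then the
    # cipher name ("none" = no passphrase) and the KDF name ("bcrypt" if set).
    hdr=$(grep -v -- '-----' "$f" | tr -d '\n' | base64 -d 2>/dev/null \
          | tr -d '\000' | head -c 64)
    case "$hdr" in
      openssh-key-v1*bcrypt*) echo passphrase ;;
      openssh-key-v1*none*)   echo plaintext ;;
      *)                      echo other ;;
    esac
  elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
    # Legacy PEM: passphrase-protected keys carry "Proc-Type: 4,ENCRYPTED"
    # (PKCS#8 uses a "BEGIN ENCRYPTED PRIVATE KEY" banner instead).
    if grep -q ENCRYPTED "$f"; then echo passphrase; else echo plaintext; fi
  else
    echo other   # .pub files, GPG blobs, known_hosts, config, ...
  fi
}

# List plaintext keys directly under a directory; exit status 1 if any found.
audit_dir() {
  found=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if [ "$(classify_key "$f")" = plaintext ]; then
      echo "plaintext private key: $f"
      found=1
    fi
  done
  return $found
}

# Constructed samples: fake headers only, no real key material.
make_samples() {
  d=$(mktemp -d)
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\0\0\0\0\004none\0\0\0\004none\0\0\0\0' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_ed25519_plain"
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_ed25519_pass"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa_pass"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa_plain"
  printf -- '-----BEGIN PGP MESSAGE-----\n-----END PGP MESSAGE-----\n' > "$d/vps.gpg"
  echo "$d"
}
```

Run it against your real key directory with `audit_dir "$HOME/.ssh"`; a non-zero exit status means at least one key is sitting there unprotected.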