
SSH Keys with KeePassXC

A password manager, such as KeePassXC, is a secure and efficient tool designed to help users manage and store their various passwords and sensitive credentials in a centralized and encrypted manner. A little-known feature of KeePassXC is the ability to store SSH (Secure Shell) keys and provide them to an SSH agent. The procedure is described in this article.

The following steps were tested with Windows 11 (22H2) and KeePassXC 2.7.5. However, the most significant points are independent of the operating system.

First, the OpenSSH Authentication Agent service must be enabled. This can be done via PowerShell with administrator privileges:

Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

Next, the SSH agent integration must be activated in KeePassXC. Open the application settings, go to the “SSH Agent” menu and select:

  • “Enable SSH Agent integration”
  • “Use OpenSSH”

Thus, the foundations have been laid. The following steps must then be performed for each key to be stored.

Create a new entry in the KeePassXC database to store the SSH key.

If not already available, generate a new SSH key with the following command (replace SSH_KEY_NAME with an appropriate file name and BRIEF_DESCRIPTION with a text to recognize the key later):

ssh-keygen -t ed25519 -a 420 -f .ssh/SSH_KEY_NAME.ed25519 -C "BRIEF_DESCRIPTION"

Store the password of the key (the passphrase chosen during key generation) along with some metadata (title, tags, notes, …) in the entry.

Then, go to the “Advanced” menu and add both files (SSH_KEY_NAME.ed25519 and SSH_KEY_NAME.ed25519.pub) to the list of attachments. They no longer need to be stored on the hard disk.

For the last step, go to the “SSH Key” menu and select the private key from the attachments. From now on, the SSH key can be added to the SSH agent via the context menu or the CTRL + h shortcut. Alternatively, it can be added and removed automatically if the corresponding options are checked in the menu.
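
To check the result of the steps above, the following PowerShell script (an added example, not part of the original procedure) verifies that the agent service is running, lists the keys the agent currently holds, and reports private key files that are still on disk. It assumes the keys were generated in the default .ssh directory of the user profile.

```powershell
# Added example: verify the KeePassXC / OpenSSH agent setup on Windows.
# Assumption: keys were generated in the default $HOME\.ssh directory.
$sshDir = Join-Path $HOME '.ssh'

# 1. The agent service should be running and set to start automatically.
$svc = Get-Service -Name ssh-agent
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    Write-Warning "ssh-agent: Status=$($svc.Status), StartType=$($svc.StartType)"
} else {
    Write-Output 'ssh-agent service: running, automatic start'
}

# 2. List the keys the agent currently holds.
#    ssh-add exit codes: 0 = keys listed, 1 = no identities, 2 = agent unreachable.
$listing = & ssh-add -l 2>&1
switch ($LASTEXITCODE) {
    0 {
        Write-Output 'Keys held by the agent:'
        $listing | ForEach-Object { "  $_" }
    }
    1 {
        Write-Output 'Agent reachable, but no keys are loaded.'
    }
    default {
        Write-Warning "Cannot query the agent: $listing"
    }
}

# 3. Report private keys that remain on disk after being attached to the
#    KeePassXC entry. OpenSSH and PEM private keys start with a
#    "-----BEGIN ... PRIVATE KEY-----" line.
$leftover = Get-ChildItem -Path $sshDir -File -ErrorAction SilentlyContinue |
    Where-Object {
        $first = Get-Content -LiteralPath $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue
        $first -match '^-----BEGIN .*PRIVATE KEY-----'
    }

if ($leftover) {
    Write-Warning 'Private key files still on disk:'
    $leftover | ForEach-Object { "  $($_.FullName)" }
} else {
    Write-Output "No private key files found in $sshDir"
}
```

If automatic removal is enabled in the “SSH Key” menu, running the script again after locking the database should show that the agent no longer holds the key.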

Using SSH keys to log into remote servers offers a better level of security compared to traditional password-based authentication. But this is only true if the SSH key is stored in a secure environment. With KeePassXC, this aspect can easily be improved as described in this article.