1Password SSH agent
The 1Password SSH agent uses the SSH keys you have saved in 1Password to seamlessly integrate with your Git and SSH workflows. It authenticates your Git and SSH clients without those clients ever being able to read your private key.
In fact, your private key never even leaves the 1Password app. The SSH agent works with the SSH keys stored in 1Password, but never without your consent. Only SSH clients you explicitly authorize will be able to use your SSH keys until 1Password locks.
Learn how to turn on the 1Password SSH agent and configure your SSH clients.
Requirements
Mac:
You can configure Touch ID or Apple Watch to unlock 1Password and authenticate SSH key requests for the best experience when using the 1Password SSH agent.
Windows:
- 1Password subscription
- 1Password for Windows
- Microsoft OpenSSH
- Windows Hello must be configured to unlock 1Password
Linux:
- 1Password subscription
- 1Password for Linux
- System Authentication (Polkit) must be configured to unlock 1Password
The 1Password SSH agent doesn't work with Flatpak or Snap Store installations of 1Password. To use the SSH agent, choose a different method to install 1Password for Linux.
Configuration
By default, the 1Password SSH agent will make every eligible key in the Personal or Private vault of your 1Password accounts available to offer to SSH servers. This configuration is automatically set up when you turn on the SSH agent.
If you need to use the SSH agent with keys saved in shared or custom vaults, you can create and customize an SSH agent config file (~/.config/1Password/ssh/agent.toml) to override the default agent configuration.
Eligible keys
For the 1Password SSH agent to work with your SSH keys, your 1Password SSH key items must meet the following requirements. They must be:
- Generated or imported using the SSH Key item type (which supports Ed25519 or RSA key types).
- Stored in the vaults the SSH agent is configured to use in 1Password. By default, this is the Personal or Private vault of any 1Password account you're signed in to.
- Active items (not archived or deleted).
Any key meeting these requirements will automatically be available in the SSH agent for authentication. You will still be required to explicitly authorize any request an SSH client makes to use your keys.
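What an SSH client receives when it asks an agent which keys are available, shown as an added example (not 1Password's code or documentation): the reply carries only public key blobs and comments, so the client can pick a key without ever holding private key material. It assumes a Unix-domain socket at SSH_AUTH_SOCK (Mac/Linux); the function names and the sample reply are constructed for this illustration.

```python
import base64, hashlib, os, socket, struct

REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12   # SSH agent protocol message numbers
PAGE_KEY_TYPES = {"ssh-ed25519", "ssh-rsa"}       # wire names of the Ed25519 and RSA types

def _pack(b):
    return struct.pack(">I", len(b)) + b

def _string(buf, off):
    """Read one SSH string (uint32 length, then bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent reply")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(payload):
    """Decode an identities answer: public key blobs and comments, nothing else."""
    if payload[:1] != bytes([IDENTITIES_ANSWER]):
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _string(payload, off)
        comment, off = _string(payload, off)
        ktype = _string(blob, 0)[0].decode()
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        keys.append({"type": ktype, "comment": comment.decode("utf-8", "replace"),
                     "fingerprint": "SHA256:" + digest, "listed_type": ktype in PAGE_KEY_TYPES})
    return keys

def query_agent(path):
    """Ask the agent at a Unix socket path (Mac/Linux) which keys it offers."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
        stream = s.makefile("rb")
        (n,) = struct.unpack(">I", stream.read(4))
        return parse_identities(stream.read(n))

def sample_answer():
    """Constructed reply: one Ed25519 identity with an all-zero public key."""
    blob = _pack(b"ssh-ed25519") + _pack(bytes(32))
    return bytes([IDENTITIES_ANSWER]) + struct.pack(">I", 1) + _pack(blob) + _pack(b"constructed-key")

if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK")
    for key in (query_agent(path) if path else parse_identities(sample_answer())):
        print(key)
```

The fingerprint is the unpadded base64 SHA-256 of the public key blob, so it can be compared against the fingerprint of the public key you expect the agent to offer.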
To see a list of all keys that the agent has available, set the SSH_AUTH_SOCK environment variable and run: