Skip to main content

1Password SSH agent

The 1Password SSH agent uses the SSH keys you have saved in 1Password to seamlessly integrate with your Git and SSH workflows. It authenticates your Git and SSH clients without those clients ever being able to read your private key.

In fact, your private key never even leaves the 1Password app. The SSH agent works with the SSH keys stored in 1Password, but never without your consent. Only SSH clients you explicitly authorize will be able to use your SSH keys until 1Password locks.

Learn how to turn on the 1Password SSH agent and configure your SSH clients.

Requirements

tip

You can configure Touch ID or Apple Watch to unlock 1Password and authenticate SSH key requests for the best experience when using the 1Password SSH agent.

Configuration

By default, the 1Password SSH agent will make every eligible key in the Personal or Private vault of your 1Password accounts available to offer to SSH servers. This configuration is automatically set up when you turn on the SSH agent.

If you need to use the SSH agent with keys saved in shared or custom vaults, you can create and customize an SSH agent config file (~/.config/1Password/ssh/agent.toml) to override the default agent configuration.

Eligible keys

For the 1Password SSH agent to work with your SSH keys, your 1Password SSH key items must meet the following requirements. They must be:

Any key meeting these requirements will automatically be available in the SSH agent for authentication. You will still be required to explicitly authorize any request an SSH client makes to use your keys.

To see a list of all keys that the agent has available, set the SSH_AUTH_SOCK environment variable and run:

Was this page helpful?