Manage SSH keys

You can use 1Password to manage all your SSH keys. Generate SSH Key items – with public keys, fingerprints, and private keys – right in 1Password. And if you have existing SSH keys, you can import them into 1Password. You can also export your SSH keys from 1Password at any time.

Requirements

Before you can use 1Password to manage your SSH keys, you'll need to:

Generate an SSH key

Generate an SSH key in the 1Password desktop apps or with 1Password CLI to use anywhere you need one.

  1. Open and unlock the 1Password app, then navigate to your Personal or Private vault in the sidebar.
    If you've configured the SSH agent for any shared or custom vaults, you can generate your SSH key in one of those vaults instead.
  2. Select New Item, then choose SSH Key.
  3. Select Add Private Key > Generate a New Key.
  4. Choose a key type, then select Generate.
  5. You can edit the name of your key and make any other changes. When you're done, select Save.
The 1Password save dialog for an SSH Key item with the option to generate an Ed25519 key type selected.

Supported SSH key types

1Password supports Ed25519 and RSA key types in PKCS#1, PKCS#8, and OpenSSH formats.

Ed25519

Ed25519 is the fastest and most secure key type available today and is the option recommended by most Git and cloud platforms. Ed25519 is the default suggestion when you generate a new SSH key in 1Password and the key is automatically set to 256 bits.

The Ed25519 key type was first introduced in 2014 with OpenSSH 6.5. If you need to connect to an older server that isn't using OpenSSH 6.5 or later, an Ed25519 key won't work.

RSA

RSA is one of the oldest key types available and is compatible with most servers, including older ones. Compared to Ed25519, RSA is considerably slower – particularly with decryption – and is only considered secure if it's 2048 bits or longer. 1Password supports 2048-bit, 3072-bit, and 4096-bit RSA keys.

Import an SSH key

If you have an SSH key you want to save in 1Password, you can import it.

  1. Open and unlock the 1Password desktop app, then navigate to your Personal or Private vault in the sidebar.
    If you've configured the SSH agent for any shared or custom vaults, you can generate your SSH key in one of those vaults instead.
  2. Select New Item and choose SSH Key.
  3. Select Add Private Key > Import a Key File, then navigate to the location of the SSH key you want and select Import. You can also drag and drop your SSH key file directly into the new SSH item or paste it from your clipboard.
  4. If your SSH key is encrypted with a passphrase, enter the passphrase and select Decrypt. You'll only need to enter the passphrase once. After you import the SSH key into 1Password, it'll be encrypted according to the 1Password security model.
  5. When you're done, select Save.
A new SSH Key item with Import a Key File selected.
Is your passphrase saved in 1Password?

If the passphrase for your SSH key is already saved in 1Password, use Quick Access to find and copy it without needing to switch context.

Key import errors

If you see one of the error messages below when you import an SSH key in 1Password, check if there's an issue with the type of key, the file format, or the encryption:

If you see a message that your SSH key isn't supported

If you see a message that your SSH key isn't supported, make sure you're importing an Ed25519 or RSA key. Other key types, such as DSA or ECDSA keys, aren't supported. If you have an RSA key, make sure the key size is 2048, 3072, or 4096 bits. Other key sizes aren't supported.

To check the key type and bit length, run the following command:

RSA keys also require a minimum public exponent of 65,537 to meet NIST standards. RSA keys with a public exponent less than 65,537 aren't supported. To check the size of the public exponent for your key, run the following command:
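
The three requirements above (key type, RSA key size, RSA public exponent) can also be checked by parsing the public key line of a `.pub` file directly. This Python sketch is an added example, not code or a command from 1Password's documentation; the function names and the sample keys built by `make_line` are constructed for illustration.

```python
import base64

SUPPORTED_RSA_BITS = {2048, 3072, 4096}  # RSA sizes the page lists as supported
MIN_RSA_EXPONENT = 65537                 # minimum public exponent per the page


def _read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        field = blob[pos + 4:pos + 4 + length]
        if len(field) != length or pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        fields.append(field)
        pos += 4 + length
    return fields


def check_public_key(line):
    """Return (ok, reason) for the single key line of a .pub file."""
    parts = line.split()
    try:
        fields = _read_fields(base64.b64decode(parts[1], validate=True))
        key_type = fields[0].decode("ascii")
    except (IndexError, ValueError) as exc:
        return False, f"unreadable public key: {exc}"
    if key_type == "ssh-ed25519" and len(fields) == 2 and len(fields[1]) == 32:
        return True, "Ed25519, 256 bits"
    if key_type == "ssh-rsa" and len(fields) == 3:
        exponent = int.from_bytes(fields[1], "big")
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits not in SUPPORTED_RSA_BITS:
            return False, f"RSA key size of {bits} bits is not supported"
        if exponent < MIN_RSA_EXPONENT:
            return False, f"RSA public exponent {exponent} is below {MIN_RSA_EXPONENT}"
        return True, f"RSA, {bits} bits, exponent {exponent}"
    return False, f"key type or layout not supported: {key_type}"


def mpint(n):
    """Encode a positive integer as an SSH mpint field body."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def make_line(key_type, *fields):
    """Build a constructed public key line (sample data, not a usable key)."""
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"
```

For example, `check_public_key(make_line("ssh-rsa", mpint(3), mpint((1 << 2047) | 1)))` rejects the key because of its exponent even though its size is acceptable.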

If you see a message that your SSH key file couldn't be read

If you see a message that your SSH key file couldn't be read, make sure the key file is in a supported format. 1Password supports PKCS#1, PKCS#8, and OpenSSH formats. Keys that use a different file format, such as PuTTYgen .ppk, aren't supported.

If you see a message that your SSH key couldn't be decrypted

If you see a message that your SSH key couldn't be decrypted, it could be that it's encrypted with an unsupported and outdated cipher such as RC4. You can re-encrypt your key file so that it uses a more modern algorithm and then try importing it again. To do this, run the following command:

If you still can't import your SSH key, you can use 1Password to generate a new SSH key using the latest standards.

Export an SSH key

You can export a private SSH key from 1Password at any time.

  1. Open and unlock the 1Password desktop app.

  2. Choose the SSH key you want to export, then select the private key field.

  3. Choose the export format you need: OpenSSH or PKCS#8.

    If you imported a PKCS#1-formatted key into 1Password, you will also have the option to export that key in PKCS#1 format.

  4. Choose how you want to export your private key:

    • To encrypt your exported private key (OpenSSH format only), enter a passphrase, then select Copy Encrypted Key or Download Encrypted Key.
    • To export your private key in plaintext, leave the passphrase field empty (if there is one), then select Copy Unencrypted Key or Download Unencrypted Key.
A GitHub SSH key item with the private key field highlighted to show the Export option.
The export dialog for a private key with an empty passphrase field and copy and download buttons.
Keep your private keys safe

1Password can't protect SSH keys that you store outside of your account. If you need to export a private key, we recommend you save it in a secure location. Don't store unencrypted private keys on disk.
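
To find out whether a key file already on disk is stored unencrypted, or which cipher protects it (useful for the decryption error described earlier as well as for the export advice above), the file's envelope can be inspected without the passphrase. This Python sketch is an added example, not 1Password code; it covers the three formats the page names, and the function names and sample inputs are constructed.

```python
import base64
import re

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def private_key_protection(pem_text):
    """Return (format, protection) judged from the key file's envelope only."""
    match = PEM_RE.search(pem_text)
    if not match:
        return "unknown", "not a PEM private key"
    label, body = match.groups()
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "OpenSSH", "malformed"
        pos = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < pos + 4:
            return "OpenSSH", "malformed"
        # The first length-prefixed string after the magic is the cipher name.
        length = int.from_bytes(blob[pos:pos + 4], "big")
        cipher = blob[pos + 4:pos + 4 + length].decode("ascii", "replace")
        return "OpenSSH", ("unencrypted" if cipher == "none" else f"encrypted ({cipher})")
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8", "encrypted"
    if label == "PRIVATE KEY":
        return "PKCS#8", "unencrypted"
    if label == "RSA PRIVATE KEY":
        if "Proc-Type: 4,ENCRYPTED" not in body:
            return "PKCS#1", "unencrypted"
        # DEK-Info names the legacy PEM cipher protecting the key.
        dek = re.search(r"^DEK-Info:\s*([^,\s]+)", body, re.M)
        return "PKCS#1", f"encrypted ({dek.group(1) if dek else 'cipher not stated'})"
    return "unknown", f"unrecognised PEM label: {label}"


def openssh_sample(cipher):
    """Constructed header-only sample (magic + cipher name), not a usable key."""
    blob = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-PEM sample: headers only, the body is filler.
PKCS1_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
                "-----END RSA PRIVATE KEY-----\n")
```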

Share a public key

1Password will automatically generate the public key and fingerprint for each private key you create so you can share it with the services and people who need it.

You can copy or download the public key of an SSH key in the right format every time, and you can use the fingerprint to compare and identify your keys across all your services.

For platforms that let you provide public keys in the browser (often found in an SSH Key settings panel), you can use 1Password in your browser to fill your public key.

You can also copy your public key from the item view in 1Password and share it where needed, or use Quick Access to find your public key even faster without needing to switch context.

Copy or download your public key to share it with others.

View SSH keys in 1Password 7

Generating, importing, and sharing SSH keys requires 1Password 8. Any SSH keys that you generate or import can be viewed and copied in the 1Password 7 apps on your other devices. Make sure you're using an updated version of 1Password 7 to view or copy your public or private keys.
