1Password Developer Watchtower
1Password Developer Watchtower can check for developer credentials stored on your local disk and alert you about credentials that don't follow best security practices, such as credentials stored in plaintext or SSH keys that use outdated cryptography.
To help you remediate any issues and mitigate security risks, Developer Watchtower provides recommendations relevant to each alert, such as whether to encrypt a local SSH key or import it into 1Password.
Requirements
Before you can use Developer Watchtower, you'll need to:
- Sign up for 1Password.
- Install and sign in to 1Password for Mac, Windows, or Linux.
This feature is not available in 1Password for iOS or Android.
Set up 1Password Developer Watchtower
Step 1: Turn on 1Password Developer
- Open and unlock the 1Password desktop app.
- Select your account or collection at the top of the sidebar and choose Settings > Developer.
- Turn on Show 1Password Developer experience.
Learn more about 1Password Developer.
Step 2: Check for developer credentials on disk
- Select Developer in the sidebar of the 1Password desktop app.
- Select View Developer Watchtower.
- Turn on Check for developer credentials on disk.
Then view your results in Developer Watchtower.
1Password only uses your local disk to check for developer credentials, and no one at 1Password can see or access your data. Learn more about data retention and privacy with 1Password Developer and Watchtower.
Step 3: View your results in Developer Watchtower
1Password will list any credentials it finds on disk under one of the following categories, according to the attributes with the highest security impact:
- Needs attention: Credentials that are known to be vulnerable and pose some level of security risk.
- Recommendations: Credentials that could benefit from additional key management.
Select an item in the list to reveal information about the credential along with recommendations and suggested actions. Select the item's action menu to see options to show the credential in your file manager, copy relevant metadata, delete the SSH key from disk, and more.
SSH keys are the only developer credentials currently supported in Developer Watchtower, so your results won't include other credentials you may have stored on your local disk.
SSH keys found on disk
1Password checks your local disk for SSH keys in the following location and formats:
Location | Credential type
---|---
~/.ssh (up to 3 nested directories) | SSH private keys in OpenSSH, PKCS#8, or PKCS#1 format
1Password doesn't follow symlinks or traverse file systems (for example, an external drive mounted at ~/.ssh/other will be skipped). Files over 1 MiB (mebibyte) in size are also skipped.
If any SSH keys are found within these parameters, they'll be added to Developer Watchtower to alert you to security issues and provide recommendations to improve your SSH key management.
SSH key alerts
Alert message | Description | Recommended action
---|---|---
Insecure key type | An SSH key in an outdated format that's known to be vulnerable. | Remove the public key from the authorized_keys file of any server and service you've used it with. Then generate a new, secure SSH key in 1Password and delete the insecure key file from disk. Learn more.
This key is unencrypted | An SSH key stored in plaintext on disk. | Import the key into 1Password and remove the unencrypted copy from your disk, or use the ssh-keygen command to encrypt the file on disk. Learn more.
Already exists in 1Password | An SSH key you've already saved in 1Password. | Delete the redundant copy of your SSH key on disk and keep the key you've already secured in 1Password. Learn more.
Unsupported key | An SSH key that isn't supported in 1Password. | Generate a new SSH key in 1Password if you want to use it with the 1Password SSH Agent. Learn more.
Insecure key type
An insecure SSH key is a critical security issue that needs to be addressed. Insecure keys are vulnerable to being cracked, which can provide attackers with the ability to infiltrate and compromise servers. Insecure keys include:
- DSA keys
- RSA keys shorter than 2048 bits
OpenSSH, along with major developer platforms like GitHub and GitLab, is removing support for these insecure key types.
If Developer Watchtower alerts you to an insecure SSH key, it's imperative that you remove the SSH key file from your disk and from the authorized_keys file of every server it's used with.
First, remove the insecure key from the authorized_keys file of every server, or from any service, where it's used. Next, generate a new, secure SSH key in 1Password and use the new key to replace the insecure key anywhere it was used. Then, in Developer Watchtower, select the action menu for the insecure key and choose Delete SSH key from disk to permanently remove the key from disk.
Unencrypted key
A private key file stored in plaintext is a security vulnerability and provides an easy target for malware. Encrypting your SSH private keys with passphrases provides another layer of protection and is a common practice supported by SSH clients.
If Developer Watchtower alerts you to an unencrypted key on your local disk, you can choose one of the following options from the action menu:
- Import: When you import an SSH key into 1Password, it's automatically encrypted for you. After you import the key into 1Password, you can permanently remove the redundant copy from your disk. Select the action menu for the unencrypted key in Developer Watchtower and choose Delete SSH key from disk.
- Copy Encryption Command: If you prefer to keep a copy on disk, you should encrypt the key file with a passphrase. This option copies the ssh-keygen command to your clipboard, including the path to your key. You can run the command in your terminal app. The -pf flag prompts you to create a passphrase and specify the private key file you want to encrypt.
Already exists in 1Password
1Password compares the public fingerprint of the SSH key on your local disk with the fingerprints of your SSH Key items in 1Password to determine if you've already saved the key there.
If Developer Watchtower indicates that a key in your local ~/.ssh folder has already been saved in 1Password, you can remove the redundant copy of the SSH key on disk. Select the item's action menu and choose Delete SSH key from disk to permanently remove the key from disk.
Unsupported keys
An SSH key that isn't supported in 1Password can't be imported. 1Password supports the following key types and formats:
- Ed25519 keys
- RSA 2048, 3072, and 4096-bit keys
If Developer Watchtower lets you know that a key on your local disk is unsupported, consider generating a new SSH key if you want to use it with the 1Password SSH Agent.
You may also be able to convert some keys to a format 1Password does support. For example, 1Password doesn't support keys in the PuTTY format (.ppk), but PuTTYgen lets you export your PPK keys into the OpenSSH format.
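The checks described under SSH keys found on disk, Insecure key type, Unencrypted key and Unsupported keys can be reproduced for the OpenSSH private key format alone. The following Python is an added example written for this page, not 1Password's own code: it reads the unencrypted public section of an openssh-key-v1 file, derives the key type, RSA modulus size and whether the private section is encrypted, and maps those attributes to the alert names listed above. The make_sample helper and the 1024-bit modulus are constructed test data, not usable keys.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\x00"
PEM_HEAD, PEM_TAIL = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"

def _string(buf, off):
    # Read one length-prefixed SSH string starting at byte offset off.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_openssh_key(pem_text):
    """Return (key_type, rsa_bits_or_None, encrypted) from the key's public section."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _string(blob, off)  # b"none" means the private section is plaintext
    _kdf, off = _string(blob, off)
    _kdfopts, off = _string(blob, off)
    off += 4                          # uint32 key count; only the first key is inspected
    pub, off = _string(blob, off)
    key_type, p = _string(pub, 0)
    bits = None
    if key_type == b"ssh-rsa":
        _e, p = _string(pub, p)       # public exponent
        n, p = _string(pub, p)        # modulus as mpint; bit_length ignores the sign byte
        bits = int.from_bytes(n, "big").bit_length()
    return key_type.decode(), bits, cipher != b"none"

def watchtower_alerts(key_type, bits, encrypted):
    """Map key attributes to the alert names used on this page."""
    alerts = []
    if key_type == "ssh-dss" or (key_type == "ssh-rsa" and bits < 2048):
        alerts.append("Insecure key type")
    elif key_type != "ssh-ed25519" and not (key_type == "ssh-rsa" and bits in (2048, 3072, 4096)):
        alerts.append("Unsupported key")
    if not encrypted:
        alerts.append("This key is unencrypted")
    return alerts

def make_sample(pub_fields, cipher=b"none"):
    """CONSTRUCTED openssh-key-v1 file: real layout, dummy private section, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"".join(s(f) for f in pub_fields)) + s(b"\x00" * 8))
    b64 = base64.b64encode(blob).decode()
    return "\n".join([PEM_HEAD] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_TAIL])

# Constructed 1024-bit RSA modulus (mpint with a leading 0x00 because the high bit is set).
SAMPLE_RSA_1024 = make_sample([b"ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 1023) | 0x11).to_bytes(128, "big")])
```

PKCS#8 and PKCS#1 files, which Developer Watchtower also scans, use ASN.1 rather than this layout and are not handled here.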
Ignore files
If you want 1Password to ignore specific files in your ~/.ssh folder when checking for developer credentials, you can create a .ignore file in your SSH folder. Add entries to the ~/.ssh/.ignore file to specify any files 1Password should ignore. For example:
Example entries in ~/.ssh/.ignore file