SSH agent

[mpolden]

Describe the feature you'd like

KeePassXC and 1Password support integration with an SSH agent. This makes it possible for ssh to access key pairs stored in the password database. KeePassXC and 1Password implement this feature in different ways. KeePassXC integrates with the standard ssh-agent, while 1Password implements their own agent.

I currently use KeePassXC on Mac specifically for this feature. Otherwise I would use KeePassium. Storing your SSH key pair(s) in a password database is generally more secure than having them in ~/.ssh. It's also easier to share the key pairs across multiple computers as you just need share the password database.

[mhaeuser]

Out of curiosity, why is storing SSH keys in a password database considered more secure? If you use a secure passphrase, re-encrypting as part of the database itself should not change its security properties. At best, this sounds more convenient to exploit the password database's unlock window to not having to manually copy the password.

By the way, if you care about SSH key security (and explicitly not portability), you can use Secure Enclave for storing the key: https://github.com/maxgoedjen/secretive

[jasperweiss]

@mhaeuser It's more convenient. I personally use FIDO2 keys with the key handles stored in KeePassXC which automatically loads them into the agent of whatever device I use at that moment (and unloads them once the database locks).

This means all my keys are available across devices without hassle, but they can only be used using the hardware key. At the same time, the Yubikey is worthless by itself without the key handles stored in the database (I don't use the resident key option).