Managing SSH keys for multiple home servers creates a security and organization challenge. Storing private keys in your password manager provides encrypted backup, cross-device access, and a central audit point. This guide covers three practical approaches: Bitwarden, 1Password, and KeePassXC, with CLI workflows suitable for developers who prefer command-line efficiency.
Why Store SSH Keys in a Password Manager
SSH keys are password equivalents—they grant access to your servers. Losing them means losing server access. Keeping them scattered across .ssh folders on various machines creates backup gaps and makes rotation painful. A password manager centralizes these critical credentials with encryption, version history, and secure sharing.
The password manager approach solves several problems: encrypted backups happen automatically, you can retrieve keys from any device, and rotation becomes straightforward since you update one location.
Bitwarden: CLI-Based SSH Key Management
Bitwarden offers a capable CLI that integrates well with automation. This approach works best if you already use Bitwarden or prefer open-source solutions.
Installing and Configuring the Bitwarden CLI
First, install the Bitwarden CLI:
# macOS
brew install bitwarden-cli
# Ubuntu/Debian
sudo apt install bitwarden
# From npm
npm install -g @bitwarden/cli
Authenticate with your vault:
bw login your@email.com
# Enter master password when prompted
# Unlock and export session token
export BW_SESSION=$(bw unlock --raw)
Storing SSH Keys Securely
Create a secure note or custom field in Bitwarden to store your private key:
# Read your private key and store it in Bitwarden
PRIVATE_KEY=$(cat ~/.ssh/id_ed25519)
# Create a new item with the SSH key as a custom field
bw create item "SSH Key - Production Server" \
--notes "Private key for production server access" \
--fields "ssh-private-key,${PRIVATE_KEY}"
For existing items, use the edit command:
# Get item ID first
ITEM_ID=$(bw list items --search "SSH Key - Production" | jq -r '.[0].id')
# Update with new key
bw edit item $ITEM_ID --ssh-private-key "$(cat ~/.ssh/id_ed25519)"
Retrieving Keys for SSH Connections
Create a helper script to use Bitwarden-stored keys:
#!/bin/bash
# fetch-ssh-key.sh - Retrieve SSH key from Bitwarden
KEY_NAME="${1:-SSH Key - Production}"
KEY_FILE="${2:-/tmp/ssh_key}"
# Get the SSH key from Bitwarden
bw get item "$KEY_NAME" | jq -r '.fields[] | select(.name == "ssh-private-key") | .value' > "$KEY_FILE"
# Set correct permissions
chmod 600 "$KEY_FILE"
echo "Key saved to $KEY_FILE"
Use it before connecting:
source fetch-ssh-key.sh "SSH Key - Production"
ssh -i /tmp/ssh_key user@production-server
Automating Key Rotation
Create a rotation script that generates a new key and updates Bitwarden:
#!/bin/bash
# rotate-ssh-key.sh - Generate new SSH key and update Bitwarden
KEY_NAME="${1:-SSH Key - Production}"
SERVER_USER="$2"
SERVER_HOST="$3"
# Generate new key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -N ""
# Get existing public key for deployment
NEW_PUBLIC_KEY=$(cat ~/.ssh/id_ed25519_new.pub)
# Update Bitwarden with new private key
ITEM_ID=$(bw list items --search "$KEY_NAME" | jq -r '.[0].id')
bw edit item $ITEM_ID --ssh-private-key "$(cat ~/.ssh/id_ed25519_new)"
# Deploy to server (you'll need existing access)
if [ -n "$SERVER_HOST" ]; then
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub "$SERVER_USER@$SERVER_HOST"
fi
# Replace old key
mv ~/.ssh/id_ed25519_new ~/.ssh/id_ed25519
mv ~/.ssh/id_ed25519_new.pub ~/.ssh/id_ed25519.pub
echo "Key rotated and Bitwarden updated"
1Password: SSH Agent Integration
1Password provides deeper SSH integration through its agent, making key retrieval during normal SSH usage.
Setting Up 1Password SSH Agent
Enable the SSH agent in 1Password:
# Install 1Password CLI
brew install --cask 1password-cli
# Initialize the SSH agent
op agent enable
Configure your SSH config to use the 1Password agent:
# ~/.ssh/config
Host *
IdentityAgent "OP_SSH_AGENT"
Adding SSH Keys to 1Password
Store the private key as a secure note or import directly:
# Import SSH key to 1Password
op item create \
--title "SSH Key - Home Lab" \
--category secure-note \
--note "$(cat ~/.ssh/id_ed25519)" \
--tags ssh,home-lab
Or use 1Password’s document storage:
# Upload the private key file
op document create ~/.ssh/id_ed25519 --title "SSH Key - Home Lab Private Key"
Using Keys Automatically
Once configured, SSH connections automatically prompt 1Password for the key:
# This will trigger 1Password authentication
ssh user@home-server
The first time you connect, 1Password asks to associate this key with the server. Future connections authenticate automatically.
KeePassXC: Local Password Manager Approach
KeePassXC works well for completely local, offline key management without cloud dependencies.
Installation and Database Setup
# macOS
brew install keepassxc
# Ubuntu
sudo apt install keepassxc
Create a new database and add an entry:
- Open KeePassXC
- Create new database → Save as
ssh-keys.kdbx - Add new entry with title “SSH Key - Backup Server”
- Paste private key into the notes field
- Set a strong password for the database
Using KeePassXC CLI
The keepassxc-cli provides command-line access:
# List entries in database
keepassxc-cli list ssh-keys.kdbx
# Show entry details (will prompt for database password)
keepassxc-cli show -s ssh-keys.kdbx "SSH Key - Backup Server"
Integrating with SSH
Create a script to extract keys on demand:
#!/bin/bash
# kpxc-ssh-key.sh - Get SSH key from KeePassXC
DB_PATH="$HOME/Documents/ssh-keys.kdbx"
ENTRY_NAME="$1"
KEY_FILE="${2:-/tmp/ssh_key}"
# Extract to temporary file
keepassxc-cli show -s "$DB_PATH" "$ENTRY_NAME" | \
grep -A100 "^Notes:" | \
tail -n +2 > "$KEY_FILE"
chmod 600 "$KEY_FILE"
echo "Key available at $KEY_FILE"
Comparing the Approaches
| Feature | Bitwarden | 1Password | KeePassXC |
|---|---|---|---|
| Cloud sync | Yes | Yes | No (local only) |
| CLI maturity | High | High | Medium |
| SSH agent integration | Via script | Native | Via script |
| Offline access | Requires cache | Limited | Full |
| Open source | Yes | No | Yes |
Bitwarden works best if you want cloud sync and are comfortable with CLI workflows. 1Password offers the smoothest user experience but requires the desktop app running. KeePassXC suits users who need completely offline key storage.
Best Practices for SSH Key Management
Regardless of your password manager choice, follow these practices:
- Use ED25519 keys — They offer better security with shorter key lengths than RSA
- Set key passphrases — Add another layer of protection to private keys
- Rotate keys annually — Regular rotation limits exposure from compromised keys
- Limit key permissions — Never store keys with sudo privileges in your password manager
- Monitor access — Use password manager audit logs to track key retrievals
Storing SSH keys in a password manager transforms scattered key management into a centralized, auditable system. The initial setup takes about 30 minutes, but the operational benefits of automatic backup, easy rotation, and cross-device access are substantial for anyone managing multiple servers.
Related Articles
- Set Up a Secure Home Server for Self-Hosting Privacy Tools.
- How To Prepare Ssh Key And Server Access Documentation For T
- SSH Server Hardening Config Guide
- How To Set Up Beneficiary Access For Cloud Password Manager
- How To Set Up Emergency Access For Password Manager Spouse
Built by theluckystrike — More at zovo.one