Using a local Vault to automatically unlock password-protected SSH private keys

Hi all,

I have a bunch of SSH private keys I use on a daily basis protected with a password.

Would it be possible to use Vault as a keyring to have it safely manage those private SSH keys, so I don´t have to manually enter each key password at log-in?


This does not sound like a suitable use-case for Vault.

Just change all your SSH key passwords to the same password. ssh-agent is smart enough to use one entered password to unlock multiple keys when they are added in operation, and have the same password.

Huh, this is an interesting approach. I’m a little bit paranoid about using the same pwd for private keys operating on different domains, but nonetheless, I will consider your approach for my use cases.

Thanks for taking the time to help me here, @maxb.

It’s not really that different a security posture to storing all the keys in one Vault instance (assuming the SSH key passphrase is of good complexity).

There are few ways you could look at this. A simple one, if you use the cli, is to wrap the connection with a script that would either pull the key from vault, or even use the Encryption as a service to decrypt the key. A key item would be how YOU authenticate to vault (you are not using the root key right?). The wrapper would authenticate with vault - get a token which would have that policy.

Maybe a simpler way, would also be to use the SSH secrets backend to generate either one time keys, or to do signed ssh keys.

HAve a look at : Managing SSH Access at Scale with HashiCorp Vault | by Moayad Ismail | HashiCorp Solutions Engineering Blog | Medium

And the docs on it.

1 Like