Goldwarden can store SSH keys in your Bitwarden and serve them directly via the ssh-agent protocol.
To get started, you need to configure your SSH_AUTH_SOCK environment variable to use Goldwarden's SSH socket:
Daemon in CLI/No Sandbox on Linux/Mac
export SSH_AUTH_SOCK=~/.goldwarden-ssh-agent.sock
Windows
Disable your openssh Windows service as described here:
https://developer.1password.com/docs/ssh/get-started/#step-4-configure-your-ssh-or-git-client
Next, restart your goldwarden daemon. That's it.
Daemon in Flatpak (Linux)
export SSH_AUTH_SOCK=~/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock
Put this in your .bashrc or .zshrc so that it is set (and exported to child processes) whenever you open a terminal. It also works with other tools that use the SSH agent socket, such as VSCode.
To create an SSH key and store it in your vault, you can run:
goldwarden ssh add --name <name>
You can then list your SSH keys:
goldwarden ssh list
or
ssh-add -L
Internally, this is stored as a Bitwarden secure note with the following custom fields:
custom-type: ssh-key
private-key: <contents of id_ed25519> (hidden field)
public-key: <contents of id_ed25519.pub>
You can use this to import existing keys. Password-protected keyfiles are currently not supported.
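As an added example, not part of the Goldwarden project: a Python check to run over a secure note before importing an existing key, using the custom field names above. It parses the openssh-key-v1 container in the private-key field, rejects passphrase-protected keys (unsupported per the text) and confirms that public-key matches the public key embedded in the private key; the sample item it builds is a constructed container, not a real keypair, and the check is structural only (it does not verify the key material cryptographically).

```python
import base64
import struct

HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"

def _s(b):  # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read(buf, off):  # inverse of _s; returns (bytes, next offset)
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_private_key(pem):  # -> (cipher name, embedded public key blob)
    lines = pem.strip().splitlines()
    blob = base64.b64decode("".join(lines[1:-1]))
    if lines[:1] != [HEADER] or lines[-1:] != [FOOTER] or not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key file")
    cipher, off = _read(blob, len(MAGIC))
    off = _read(blob, _read(blob, off)[1])[1]  # skip kdf name and kdf options
    pub_blob, _ = _read(blob, off + 4)  # +4 skips the uint32 key count
    return cipher.decode(), pub_blob

def check_vault_item(fields):  # fields: the note's custom fields -> list of problems
    problems = []
    if fields.get("custom-type") != "ssh-key":
        problems.append("custom-type must be 'ssh-key'")
    try:
        cipher, pub_blob = parse_private_key(fields.get("private-key", ""))
    except ValueError as exc:
        return problems + [f"private-key unreadable: {exc}"]
    if cipher != "none":
        problems.append(f"private-key is passphrase-protected ({cipher}); not supported")
    parts = fields.get("public-key", "").split()
    if len(parts) < 2 or base64.b64decode(parts[1]) != pub_blob:
        problems.append("public-key does not match the key embedded in private-key")
    return problems

def build_test_item(cipher=b"none"):  # constructed ed25519 container, not a real keypair
    pub_blob = _s(b"ssh-ed25519") + _s(bytes(range(32)))
    priv = struct.pack(">II", 7, 7) + pub_blob + _s(bytes(range(64))) + _s(b"test")
    priv += bytes(range(1, -len(priv) % 8 + 1))  # 1,2,3,... pad to the 8-byte block
    body = (MAGIC + _s(cipher) + _s(b"none" if cipher == b"none" else b"bcrypt") + _s(b"")
            + struct.pack(">I", 1) + _s(pub_blob) + _s(priv))
    pem = base64.encodebytes(body).decode().rstrip()
    return {"custom-type": "ssh-key", "private-key": f"{HEADER}\n{pem}\n{FOOTER}",
            "public-key": "ssh-ed25519 " + base64.b64encode(pub_blob).decode()}
```

Run `check_vault_item` on the three fields of the note; an empty list means the item is in the shape Goldwarden expects.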
Git Signing
If you want to sign your git commits using an SSH key from your vault, you need to edit your ~/.gitconfig:
[user]
email = <your email>
name = <your name>
signingKey = <your public key>
[commit]
gpgsign = true
[gpg]
format = ssh
When you commit, Goldwarden will prompt you to verify (using system authentication or biometrics) and then sign the commit.