[{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/proton-pass/","section":"Tags","summary":"","title":"Proton-Pass","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/security/","section":"Tags","summary":"","title":"Security","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/ssh/","section":"Tags","summary":"","title":"Ssh","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/categories/tools/","section":"Categories","summary":"","title":"Tools","type":"categories"},{"content":"Proton Pass is a secure password manager that allows you to store and manage passwords, credentials, and SSH keys. With Proton Pass CLI, you can access your encrypted vaults directly from the command line, enabling a secure and convenient SSH agent workflow on Linux.\nWhat is an SSH Agent? # ssh-agent is a program to hold private keys used for public key authentication. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh.1\nIn practice, this means you can add your SSH private keys to the agent, which then handles authentication for you. 
This is convenient, but managing SSH keys across multiple systems can become cumbersome.\nYou either end up copying private keys to every machine, risking exposure if one system is compromised, or generating unique keys for each host, which complicates access control and creates management overhead.\nWhy Use Proton Pass as Your SSH Agent? # Proton Pass solves these problems by centralizing your SSH key management. Storing SSH keys in Proton Pass addresses these challenges:\nCentralizing access: Your keys are stored in an encrypted vault, accessible from any device with Proton Pass CLI installed.\nMaintaining security: Proton Pass uses end-to-end encryption, ensuring only you can decrypt and use your keys.\nSimplifying workflows: The Proton Pass CLI can act as an SSH agent or load your stored keys into your existing agent, eliminating the need for manual key management.\nAs the Proton Pass CLI documentation states:\nThe Proton Pass CLI integrates nicely with any existing SSH workflows. It can either act as a SSH agent, or load your Pass-stored SSH keys into your already existing SSH agent.2\nPrerequisites # To manage your SSH keys with Proton Pass, you’ll need:\nA Proton Pass account\nThe Proton Pass CLI installed on your system.\nSSH Key Management # SSH keys can be added to Proton Pass using the pass-cli command-line tool. To get started, you need to log in to Proton Pass first:\npass-cli login\nThis will start a web login process where you can enter your Proton Pass credentials. Once authenticated, you can add existing SSH keys or create new ones.\nCreating a dedicated vault # Depending on your needs, you may want to create a dedicated vault for your SSH keys.\nA vault is an encrypted digital container that holds your items.3\nVaults can be shared with other users or simply serve as an organizational unit. I don’t recommend sharing your SSH keys vault with others. 
SSH keys should always be kept private and not shared.\nCreating a new vault with pass-cli is easy:\npass-cli vault create --name SSH-Keys\nCreate or import SSH keys # After creating the vault, you can add your SSH keys.\nImporting existing SSH keys # To import existing SSH keys, you can use the following command:\npass-cli item create ssh-key import \\\n  --from-private-key \u0026#34;$HOME/.ssh/auth_codeberg\u0026#34; \\\n  --vault-name \u0026#34;SSH-Keys\u0026#34; \\\n  --title \u0026#34;auth_codeberg.org\u0026#34; \\\n  --password\nGenerating a new SSH key # Instead of importing, you can directly generate a new SSH key with the following command:\npass-cli item create ssh-key generate \\\n  --vault-name \u0026#34;SSH-Keys\u0026#34; \\\n  --title \u0026#34;auth_codeberg.org\u0026#34;\nUsing the SSH Agent # Now that your SSH keys are stored in Proton Pass, you can make them available through an SSH agent.\nLoad SSH keys into your existing SSH agent # If you’re already using an ssh-agent, you can load your Proton Pass SSH keys into it:\npass-cli ssh-agent load --vault-name \u0026#34;SSH-Keys\u0026#34;\nUse Proton Pass CLI as your SSH agent # Alternatively, Proton Pass CLI can also act as an SSH agent itself.\npass-cli ssh-agent start --vault-name \u0026#34;SSH-Keys\u0026#34;\nAfter it starts, you’ll see output similar to the following, with instructions on how to use the new agent:\nSSH agent started successfully!\nTo use this agent, run:\nexport SSH_AUTH_SOCK=/Users/youruser/.ssh/proton-pass-agent.sock\nKeys will refresh automatically every 3600 seconds (1 hour).\nPress Ctrl+C to stop the agent. 
Running the SSH agent as a background daemon # The Proton Pass SSH agent can also run in the background without keeping a terminal open.\npass-cli ssh-agent daemon start --vault-name \u0026#34;SSH-Keys\u0026#34;\nOnce it’s running, you can check the status with:\npass-cli ssh-agent daemon status\nSimilar to pass-cli ssh-agent start, it will output information about the SSH_AUTH_SOCK environment variable, which you must set in your shell configuration to use the agent.\nStatus: running\nPID: 12345\nSocket: /home/youruser/.ssh/proton-pass-agent.sock\nTo connect to the agent, set SSH_AUTH_SOCK:\nexport SSH_AUTH_SOCK=/home/youruser/.ssh/proton-pass-agent.sock\nPID file: /home/youruser/.ssh/proton-pass-agent.pid\nThe daemon does not modify your shell environment, so you need to set SSH_AUTH_SOCK yourself in ~/.bashrc or ~/.zshrc.\nSSH Config # Now that your SSH agent is running, you can start using your SSH keys. However, you need to configure the SSH client. Otherwise, you might need to use complicated commands like:\nssh -o \u0026#34;IdentityAgent=${SSH_AUTH_SOCK}\u0026#34; \\\n  -o \u0026#34;IdentitiesOnly=yes\u0026#34; \\\n  -i \u0026#34;~/.ssh/auth_codeberg.org.pub\u0026#34; \\\n  git@codeberg.org\nTo simplify this, add the following to your ~/.ssh/config file4:\n# Proton pass-cli SSH agent integration\nHost *\n  User %u\n  IdentityAgent \u0026#34;${SSH_AUTH_SOCK}\u0026#34;\n  IdentitiesOnly yes\n  IdentityFile ~/.ssh/auth_%h.pub\nThis will set the following defaults for all SSH connections:\nUser %u\nDynamically sets the remote username to match your current local system username unless explicitly overridden.\nIdentityAgent ${SSH_AUTH_SOCK}\nForces the SSH client to route all authentication requests through the active Proton Pass CLI agent socket defined in your environment variables.\nIdentitiesOnly yes\nRestricts the client to only offer keys explicitly specified by the IdentityFile directive. 
This prevents the server from rejecting your connection due to \u0026ldquo;too many authentication failures\u0026rdquo; caused by the agent trying unrelated keys.\nIdentityFile ~/.ssh/auth_%h.pub\nPoints to a local copy of your public key. The SSH client reads this public key file, extracts its unique fingerprint, and asks the Proton Pass agent to sign the challenge using the matching private key stored in your secure vault. The %h placeholder will be replaced with the hostname of the remote server. For example: if you run ssh git@codeberg.org, the IdentityFile will render to: ~/.ssh/auth_codeberg.org.pub\nYou might wonder: since we have the SSH key in Proton Pass, how do we get the public keys to ~/.ssh/?\nWe can export it with:\npass-cli item view --vault-name \u0026#34;SSH-Keys\u0026#34; --item-title \u0026#34;auth_codeberg.org\u0026#34; --field \u0026#34;public_key\u0026#34; \u0026gt;\u0026#34;$HOME/.ssh/auth_codeberg.org.pub\u0026#34;\nWith all of this in place, you can now simply use:\nssh git@codeberg.org\nMy Custom Proton Pass SSH Agent Integration # By now, you might be thinking: This involves a lot of configuration steps. 
Manually starting the SSH agent from the CLI every time and ensuring all public keys are exported to ~/.ssh/ is far from convenient.\nTo reduce friction and make this workflow smoother, I’ve created a script and systemd service to automate everything: https://codeberg.org/tepene/proton-pass-ssh-agent\nOnce set up, you can:\nStart the Proton Pass CLI authentication process\nStart the Proton Pass SSH Agent\nExport all SSH public keys from your vault to ~/.ssh/\nInstallation and usage are documented in the README.\nssh-agent - Linux man page\nssh-agent - pass-cli documentation\nproton pass - what is a vault\nssh_config - Linux man page\n","date":"4 June 2026","externalUrl":null,"permalink":"/2026/06/using-proton-pass-as-your-ssh-agent-a-secure-workflow/","section":"Posts","summary":"Proton Pass is a secure password manager that allows you to store and manage passwords, credentials, and SSH keys. With Proton Pass CLI, you can access your encrypted vaults directly from the command line, enabling a secure and convenient SSH agent workflow on Linux.\n","title":"Using Proton Pass as Your SSH Agent: A Secure Workflow","type":"posts"},{"content":"","externalUrl":null,"permalink":"/","section":"","summary":"","title":"","type":"page"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]