Difference between revisions of "Use the Apple Keychain for ssh key passphrases"
(→Configure ssh to use the Keychain to unlock your keys) |
(→Configure ssh to use the Keychain to unlock your keys) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
=== Add your passphrase to the Keychain === | === Add your passphrase to the Keychain === | ||
| − | Create your | + | Create your keys as usual, then do this ''once'' for every key: |
ssh-add --apple-use-keychain ~/.ssh/id_ed25519 | ssh-add --apple-use-keychain ~/.ssh/id_ed25519 | ||
| Line 21: | Line 21: | ||
UseKeychain yes | UseKeychain yes | ||
| − | <code>IgnoreUnknown</code> is there so this config will work with non-Apple ssh implementations. You do not need to use '''ssh-agent(1)''', or enable any special Apple-specific options for the ssh agent, ignore the Internet misinformation. | + | <code>IgnoreUnknown</code> is there so this config will work with non-Apple ssh implementations. You do not need to use '''ssh-agent(1)''', or enable any special Apple-specific options for the ssh agent, ignore the Internet misinformation. Of course you can do this per-host, or per-key, but then <code>IgnoreUnknown</code> should come early in your configuration, before any use of <code>UseKeychain</code>. |
== References == | == References == | ||
Latest revision as of 12:11, 28 July 2022
Contents
Introduction
On macOS, you can set up such that your encrypted ssh keys get automatically decrypted using the passphrase stored in the Apple Keychain, which is unlocked at login.
How to
Add your passphrase to the Keychain
Create your keys as usual, then do this once for every key:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
You must use the full path your key, a relative path will not work!
Configure ssh to use the Keychain to unlock your keys
Use this ~/.ssh/config:
Host * IgnoreUnknown UseKeychain UseKeychain yes
IgnoreUnknown is there so this config will work with non-Apple ssh implementations. You do not need to use ssh-agent(1), or enable any special Apple-specific options for the ssh agent, ignore the Internet misinformation. Of course you can do this per-host, or per-key, but then IgnoreUnknown should come early in your configuration, before any use of UseKeychain.
