Why Store SSH Keys in a Password Manager
SSH keys are the standard way to authenticate to remote servers, Git providers, and internal infrastructure. Yet most developers keep them as loose files under ~/.ssh/, often without a passphrase, copied by hand between machines, and with no central record of which keys exist. Moving SSH keys into Vaultwarden (or Bitwarden) addresses three problems:
- Centralized management: all keys live in one vault instead of being scattered across machines.
- Cross-device sync: add a key once and it is available on every device that signs in to the vault.
- Inventory and events: the vault is the one place that knows which keys exist, and with event logging enabled Vaultwarden records organization events such as logins and item changes. The server does not see individual SSH connections, because signing happens in the client, so per-connection auditing still belongs to the servers you log in to (sshd logs, Git provider audit logs).
The Bitwarden SSH agent bridges the gap between a locked-down vault and the day-to-day need to use SSH keys transparently.
Bitwarden SSH Agent Overview
The Bitwarden SSH agent is built into the Bitwarden desktop app, not the CLI. When enabled, it exposes the SSH keys stored in your vault over the standard SSH agent protocol through a local socket that you point SSH_AUTH_SOCK at. When ssh or git needs to authenticate, it asks the agent to sign the server's challenge; the agent does this with the private key decrypted in memory from the unlocked vault, so the plaintext private key is never written to a file. The desktop app does keep a locally cached copy of the vault on disk, but that copy is encrypted.
Because it speaks the normal agent protocol, this works with any OpenSSH-compatible client: ssh, scp, sftp, rsync, git, mosh, and GUI tools that support the SSH agent.
Prerequisites
| Requirement | Notes |
|---|---|
| Vaultwarden server (self-hosted) or Bitwarden cloud | Vaultwarden needs a release with the SSH Key item type (1.33.0 or newer) |
| Bitwarden desktop app | Hosts the SSH agent; enable it under Settings |
| Bitwarden CLI (bw), optional | The official command-line client, useful for scripting; it does not provide the SSH agent |
| OpenSSH client | Ships with Linux, macOS, and Windows 10+ |
| SSH_AUTH_SOCK support | Available on all major platforms; the Windows OpenSSH client uses a named pipe instead of the variable |
Installing the Bitwarden CLI (optional)
The CLI is not required for the SSH agent, which lives in the desktop app, but it is useful for scripting vault operations such as listing items or exporting public keys. Skip this section if you only need the agent.
Linux / macOS
# Download the CLI (use platform=macos instead of platform=linux on macOS)
curl -Lo bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux"
unzip bw.zip
sudo install bw /usr/local/bin/
rm bw.zip bw
Windows (PowerShell)
# Using winget
winget install Bitwarden.CLI
# Or download manually
Invoke-WebRequest -Uri "https://vault.bitwarden.com/download/?app=cli&platform=windows" -OutFile bw.zip
Expand-Archive -Path bw.zip -DestinationPath C:\tools\bw
$env:Path += ";C:\tools\bw"
Verify the installation:
bw --version
Configuring the SSH Agent
The agent is part of the Bitwarden desktop app. Open the desktop app, go to Settings, and turn on Enable SSH agent. The app must be running and the vault unlocked whenever SSH needs a key; if the vault is locked, the app prompts you to unlock it on the first request, so make sure the desktop app starts at login. Note that bw serve in the CLI starts a local REST API (the Vault Management API) and is not an SSH agent, so it cannot take this role.
On Linux and macOS the agent listens on a Unix socket in your home directory. Point SSH_AUTH_SOCK at it:
export SSH_AUTH_SOCK="$HOME/.bitwarden-ssh-agent.sock"
Add this line to your ~/.bashrc, ~/.zshrc, or shell profile so it persists across sessions. ssh talks to whichever socket SSH_AUTH_SOCK names, so if a desktop session or ssh-agent already sets the variable, make sure your profile overrides it after that happens.
On Windows the agent uses the named pipe \\.\pipe\openssh-ssh-agent, which is the pipe the built-in OpenSSH client already looks for, so no environment variable is needed. Stop and disable the Windows "OpenSSH Authentication Agent" service first so the two do not compete for the same pipe.
Verify that the agent answers and lists the public halves of your vault keys:
ssh-add -L
Adding SSH Keys to the Vault
Vaultwarden supports a dedicated SSH Key item type that stores the private key, the public key, and the key fingerprint as a single vault entry.
- Open your vault (web UI or desktop app).
- Click Add Item → SSH Key.
- Fill in the fields:
  - Name: e.g., "GitHub Deploy Key". Pick a name that identifies the key's purpose; you will use it to tell keys apart later.
  - Private Key: paste the full OpenSSH private key, including the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY----- lines. The desktop app can also generate a fresh key for you instead of importing one. If the key file is passphrase-protected, remove the passphrase first (ssh-keygen -p -f <file> -N ''); the stored key is protected by the vault's encryption, and keeping the passphrase in a custom field next to the key adds nothing, since anyone who can read the item can read both.
  - Public Key: paste the contents of the matching .pub file. If you do not have it, derive it with ssh-keygen -y -f <private key file>; deriving it avoids pairing a private key with the wrong public key.
- Save the item.
The private key is now encrypted at rest in your Vaultwarden vault and available to every device that signs in to the same account, or to every organization member with access to the collection that holds it. The public key still has to be installed wherever it will be used (authorized_keys on servers, deploy keys at your Git provider); the vault distributes only the private half.
Using Keys for Git Operations
Once the desktop app is running and the vault is unlocked, git uses the keys stored in Vaultwarden transparently:
# Clone a repository using SSH
git clone git@github.com:username/private-repo.git
Behind the scenes, git runs ssh, ssh connects to the socket named by SSH_AUTH_SOCK, and the Bitwarden desktop app signs the authentication challenge with the key from the vault. No file copying and no manual ssh-add; depending on your desktop settings, the app may ask you to approve the signing request.
The same flow works for git fetch, git push, git pull, and any other remote operation over SSH.
Server Access via SSH
Connect to any remote server the same way:
ssh youruser@192.168.1.100
ssh offers each key the agent holds, in the order the agent lists them, until the server accepts one. sshd allows only a limited number of attempts per connection (MaxAuthTries, default 6), so with many keys in the vault you can be disconnected with "Too many authentication failures" before the right key is tried. Pin the key per host with IdentitiesOnly in ~/.ssh/config, as described in the next section.
Managing Multiple Keys
Use ~/.ssh/config to pin specific keys to specific hosts. With an agent, IdentityFile can point at a public key file: ssh then offers only that key and asks the agent for the signature, while the private key stays in the vault. Copy the public key from the vault item (or the matching line from ssh-add -L) into a .pub file under ~/.ssh/ and reference it:
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_vault.pub
    IdentitiesOnly yes
Host personal-server
    HostName 192.168.1.100
    IdentityFile ~/.ssh/id_rsa_internal.pub
    IdentitiesOnly yes
The .pub files contain only public material, so keeping them on disk weakens nothing. IdentitiesOnly yes stops ssh from also trying every other key the agent offers, which is what keeps you under the server's MaxAuthTries limit.
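The following script is an added example, not code from Bitwarden or Vaultwarden, that ties the SSH_AUTH_SOCK setup from "Configuring the SSH Agent" to the per-host pinning above. It assumes the desktop agent is enabled and unlocked on Linux or macOS, that the agent reports each key's vault item name as the key comment in ssh-add -L output, and that a vault item named "GitHub Deploy Key" exists; the function and file names (pick_pubkey, github_deploy.pub) are the example's own. The private key never leaves the vault: only the public key line is written to disk.

```shell
#!/bin/sh
# Added example (not Bitwarden's or Vaultwarden's own code): pin a vault-held key
# to a host with IdentityFile + IdentitiesOnly, without the private key leaving the vault.
# Assumes the Bitwarden desktop SSH agent is enabled and unlocked, and that the agent
# reports each key's vault item name as the key comment in `ssh-add -L` output.
set -eu

# Socket the Bitwarden desktop app listens on for Linux/macOS ($1 overrides $HOME, for testing).
bw_agent_socket() {
  printf '%s/.bitwarden-ssh-agent.sock' "${1:-$HOME}"
}

# Select one public key line from `ssh-add -L` output by its comment.
# $1 = ssh-add -L output (one "type blob comment..." line per key), $2 = comment to match.
pick_pubkey() {
  printf '%s\n' "$1" | awk -v want="$2" '
    { c = ""; for (i = 3; i <= NF; i++) c = c (i > 3 ? " " : "") $i
      if (c == want) { print; exit } }'
}

# Render an ssh_config Host block. Pointing IdentityFile at a .pub file makes ssh offer
# exactly that key and fetch the signature from the agent; IdentitiesOnly stops it from
# also trying every other key the agent holds (which can trip sshd's MaxAuthTries).
# $1 = Host alias, $2 = HostName, $3 = User, $4 = path to the .pub file
host_block() {
  printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
    "$1" "$2" "$3" "$4"
}

# Wire it together for a vault item named "GitHub Deploy Key" (name assumed for the example).
pin_github_key() {
  sock=$(bw_agent_socket)
  if [ ! -S "$sock" ]; then
    echo "Bitwarden SSH agent socket not found at $sock; enable it in the desktop app" >&2
    return 1
  fi
  export SSH_AUTH_SOCK="$sock"
  keys=$(ssh-add -L)                      # fails if the agent is not reachable or locked
  pub=$(pick_pubkey "$keys" "GitHub Deploy Key")
  if [ -z "$pub" ]; then
    echo "the agent offers no key named 'GitHub Deploy Key'" >&2
    return 1
  fi
  umask 077
  mkdir -p "$HOME/.ssh"
  printf '%s\n' "$pub" > "$HOME/.ssh/github_deploy.pub"   # public material only
  host_block github.com github.com git "$HOME/.ssh/github_deploy.pub" >> "$HOME/.ssh/config"
}

# Run as `sh pin-vault-key.sh run`; without the argument only the functions are defined.
case "${1:-}" in
  run) pin_github_key ;;
esac
```

Because the Host block appends to ~/.ssh/config, run it once per host alias; a second run for the same alias would leave a duplicate block, and ssh uses the first match.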
Security Considerations
- Unlock before use: the agent serves keys only while the desktop vault is unlocked. Two-factor authentication protects the initial sign-in to the account; unlocking afterwards uses your master password, PIN, or biometrics, so keep the vault timeout short if PIN or biometric unlock is enabled.
- Plaintext keys never touch disk: private key material is decrypted in memory and used only to answer signing requests over the agent socket. The desktop app's local vault cache is written to disk, but encrypted.
- Vault timeout: set the desktop app's vault timeout so the vault, and with it the agent, locks automatically after inactivity or when the screen locks.
- Agent exposure: any process running as your user can connect to the agent socket, exactly as with ssh-agent, and agent forwarding (ForwardAgent) extends that to the remote host, so forward only to hosts you trust. The desktop app's approval prompt for signing requests is what makes an unexpected use of the agent visible; keep it on.
- Events, not key usage: with event logging enabled, Vaultwarden records organization events such as logins and item changes. It cannot record SSH connections, because signing happens locally; keep server-side logging (sshd authentication logs, Git provider audit logs) for that.
Revoking Access
When a team member leaves or a device is lost, do two things. First, remove the user from the Vaultwarden organization or the collection that holds the SSH keys; on their next sync the item disappears from their vault and their agent can no longer serve it. Second, treat the key itself as compromised: the user could have exported or copied the private key while they had access, and their locally cached vault copy stays usable until their client syncs, so removing vault access alone revokes nothing on the servers. Remove the public key from authorized_keys on every host and from the deploy keys at your Git provider, then generate a replacement key in the vault.
- Open the organization in the Vaultwarden web vault as an owner or admin.
- Navigate to Manage → Users.
- Remove the user from the organization (or adjust collection permissions).
- Remove the corresponding public key from every authorized_keys file and Git provider where it was installed, and install the replacement key's public half in its place.
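The server-side half of revocation, as an added example that is not part of Bitwarden or Vaultwarden: remove a key from an authorized_keys file by its key blob rather than by comment, so entries with option prefixes such as command="..." are still found and a renamed comment cannot hide the key. The function name and paths are the example's own, and the authorized_keys contents used to check it are constructed.

```shell
#!/bin/sh
# Added example (not Bitwarden's or Vaultwarden's own code): revoke a key on the server
# side, which removing vault access does not do. Matches authorized_keys lines by the
# key blob (the base64 field), so lines with option prefixes such as command="..." are
# handled and comments are ignored.
set -eu

# Remove every line in authorized_keys ($1) that carries the same key blob as the
# public key line in $2 ("type blob [comment]"). Prints the number of lines removed.
revoke_key() {
  blob=$(printf '%s\n' "$2" | awk '{ print $2 }')
  if [ -z "$blob" ]; then
    echo "not a public key line: $2" >&2
    return 2
  fi
  tmp="$1.revoke.$$"
  : > "$tmp"                                   # keep an empty file if nothing survives
  awk -v blob="$blob" -v out="$tmp" '
    { keep = 1
      for (i = 1; i <= NF; i++) if ($i == blob) keep = 0
      if (keep) { print > out } else { removed++ } }
    END { print removed + 0 }' "$1"
  chmod 600 "$tmp"
  mv "$tmp" "$1"                               # atomic replace; sshd reads the file per login
}

# Typical use after removing a departed user from the Vaultwarden organization
# (path and key are placeholders):
#   revoke_key /home/deploy/.ssh/authorized_keys "ssh-ed25519 AAAA... GitHub Deploy Key"
# Repeat on every host the key was installed on, and delete the deploy key at the Git provider.
```

The function prints how many lines it removed; a result of 0 on a host you expected to hold the key is worth investigating, since it usually means the key was installed under a different account or path.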
Summary
The Bitwarden SSH agent turns Vaultwarden from a password manager into a credential hub for SSH-based workflows. Private keys stay encrypted in the vault, sync across devices, and are served on demand through the standard SSH agent interface, with the desktop app's unlock and approval prompts gating every use. Combined with your master password and 2FA, and with public keys still managed on the servers and Git providers that trust them, this setup is both more secure and more convenient than loose key files under ~/.ssh/.
