Manage SSH keys
You can use 1Password to manage all your SSH keys. Generate SSH Key items – with public keys, fingerprints, and private keys – right in 1Password.
And if you have existing SSH keys, you can import them into 1Password. You can also export your SSH keys from 1Password at any time.
Requirements
Before you can use 1Password to manage your SSH keys, you'll need to:
Install 1Password for Mac, Windows, or Linux, then add your accounts to the app.
(Optional) Install 1Password CLI (2.20.0 or later). Required to create SSH keys using 1Password CLI.
Generate an SSH key
Generate an SSH key in the 1Password desktop apps or with 1Password CLI to use anywhere you need one.
Desktop apps
Open and unlock the 1Password app, then navigate to your Personal or Private vault in the sidebar. If you've configured the SSH agent for any shared or custom vaults, you can generate your SSH key in one of those vaults instead.
Select New Item, then choose SSH Key.
Select Add Private Key > Generate a New Key.
Choose a key type, then select Generate.
You can edit the name of your key and make any other changes. When you're done, select Save.
Supported SSH key types
1Password supports Ed25519 and RSA key types in PKCS#1, PKCS#8, and OpenSSH formats.
Ed25519
Ed25519 is the fastest and most secure key type available today and is the option recommended by most Git and cloud platforms. Ed25519 is the default suggestion when you generate a new SSH key in 1Password and the key is automatically set to 256 bits.
The Ed25519 key type was first introduced in 2014 with OpenSSH 6.5. If you need to connect to an older server that isn't using OpenSSH 6.5 or later, an Ed25519 key won't work.
RSA
RSA is one of the oldest key types available and is compatible with most servers, including older ones. Compared to Ed25519, RSA is considerably slower – particularly with decryption – and is only considered secure if it's 2048 bits or longer. 1Password supports 2048-bit, 3072-bit, and 4096-bit RSA keys.
Import an SSH key
If you have an SSH key you want to save in 1Password, you can import it.
Open and unlock the 1Password desktop app, then navigate to your Personal or Private vault in the sidebar. If you've configured the SSH agent for any shared or custom vaults, you can import your SSH key into one of those vaults instead.
Select New Item and choose SSH Key.
Select Add Private Key > Import a Key File, then navigate to the location of the SSH key you want and select Import. You can also drag and drop your SSH key file directly into the new SSH item or paste it from your clipboard.
If your SSH key is encrypted with a passphrase, enter the passphrase and select Decrypt. You'll only need to enter the passphrase once. After you import the SSH key into 1Password, it'll be encrypted according to the 1Password security model.
When you're done, select Save.
If the passphrase for your SSH key is already saved in 1Password, use Quick Access to find and copy it without needing to switch context.
Key import errors
If you see one of the error messages below when you import an SSH key in 1Password, check if there's an issue with the type of key, the file format, or the encryption:
If you still can't import your SSH key, you can use 1Password to generate a new SSH key using the latest standards.
Export an SSH key
You can export a private SSH key from 1Password at any time.
Open and unlock the 1Password desktop app.
Choose the SSH key you want to export, then select the private key field.
Choose the export format you need: OpenSSH or PKCS#8.
If you imported a PKCS#1-formatted key into 1Password, you will also have the option to export that key in PKCS#1 format.
Choose how you want to export your private key:
To encrypt your exported private key (OpenSSH format only), enter a passphrase, then select Copy Encrypted Key or Download Encrypted Key.
To export your private key in plaintext, leave the passphrase field empty (if there is one), then select Copy Unencrypted Key or Download Unencrypted Key.
1Password can't protect SSH keys that you store outside of your account. If you need to export a private key, we recommend you save it in a secure location. Don't store unencrypted private keys on disk.
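To check whether a key file left on disk after an export is passphrase-protected, the container header is enough. The following is an added example, not 1Password code; the function names are hypothetical and the sample inputs are constructed placeholders with no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def private_key_status(text):
    """Return (container format, True if passphrase-encrypted) for a key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "PKCS#8", True
    if header == "-----BEGIN PRIVATE KEY-----":
        return "PKCS#8", False
    if header == "-----BEGIN RSA PRIVATE KEY-----":
        # Legacy PEM encryption is announced by a Proc-Type header line.
        return "PKCS#1", any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        # The first field after the magic is the cipher name; "none" = plaintext.
        (length,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        return "OpenSSH", blob[start:start + length] != b"none"
    raise ValueError("unrecognised private key header")


def sample_openssh(cipher, kdf):
    """Constructed, header-only OpenSSH container (no key material)."""
    fields = b"".join(struct.pack(">I", len(f)) + f for f in (cipher, kdf, b""))
    body = base64.b64encode(MAGIC + fields).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed PEM samples; the bodies are placeholders, not real keys.
SAMPLE_PKCS1 = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                "AAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8 = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
```

Any file reported as unencrypted is a candidate for removal or for re-export in OpenSSH format with a passphrase.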
Share a public key
1Password will automatically generate the public key and fingerprint for each private key you create so you can share it with the services and people who need it.
You can copy or download the public key of an SSH key in the right format every time, and you can use the fingerprint to compare and identify your keys across all your services.
For platforms that let you provide public keys in the browser (often found in an SSH Key settings panel), you can use 1Password in your browser to fill your public key.
You can also copy your public key from the item view in 1Password and share it where needed, or use Quick Access to find your public key even faster without needing to switch context.
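To compare a public key against the fingerprint 1Password shows, and to check it against the key types described under "Supported SSH key types", you can recompute both from the public key line. This is an added example, not 1Password code; the function names are hypothetical and the sample keys are constructed filler bytes.

```python
import base64
import hashlib
import struct


def _wire(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def _read(blob, offset):
    """Read one wire-format string; return (value, offset after it)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Return (key type, bits, SHA256 fingerprint) for an OpenSSH public key line."""
    declared, encoded = line.split()[:2]
    blob = base64.b64decode(encoded)
    inner, offset = _read(blob, 0)
    if inner.decode() != declared:
        raise ValueError("key type inside the blob does not match the prefix")
    if declared == "ssh-ed25519":
        bits = 256
    elif declared == "ssh-rsa":
        _exponent, offset = _read(blob, offset)
        modulus, _ = _read(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    else:
        raise ValueError("unsupported key type: " + declared)
    digest = hashlib.sha256(blob).digest()
    return declared, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def acceptable(key_type, bits):
    """Policy from the text above: Ed25519, or RSA of 2048 bits or longer."""
    return key_type == "ssh-ed25519" or (key_type == "ssh-rsa" and bits >= 2048)


# Constructed sample blobs (filler bytes, not real keys): Ed25519 and 1024-bit RSA.
ED_BLOB = _wire(b"ssh-ed25519") + _wire(bytes(range(32)))
RSA_BLOB = _wire(b"ssh-rsa") + _wire(b"\x01\x00\x01") + _wire(b"\x00\xc3" + b"\x01" * 127)
SAMPLES = ["ssh-ed25519 " + base64.b64encode(ED_BLOB).decode() + " constructed@example",
           "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " constructed@example"]
```

The fingerprint string has the same `SHA256:` form that OpenSSH tools print, so it can be compared directly with what a service lists for an authorized key.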
View SSH keys in 1Password 7
Generating, importing, and sharing SSH keys requires 1Password 8. Any SSH keys that you generate or import can be viewed and copied in the 1Password 7 apps on your other devices. Make sure you're using an updated version of 1Password 7 to view or copy your public or private keys.