It all started with a post on Lobste.rs in which someone asked how others manage their SSH keys. It was a question that I had already asked myself multiple times, so I was genuinely interested in reading what others had to say.
There must be a better way than storing them encrypted on your disk and manually inputting the passphrases while loading them to the agent every morning.
When KeePassXC showed up in multiple comments, I had to take a look at it.
I happen to have been tasked in the past with evaluating a set of password managers to decide which one would be adopted by the “company.” I was well aware of the capabilities of some, through their CLI, to automatically store, manage, and use these keys. But KeePassXC wasn’t one of them.
So, looking at the documentation, one learns that it is possible to add all the encrypted keys to a kdbx database together with their passphrases, and KeePassXC will quickly add them to and remove them from the agent at your request.
You can also:
- Configure the amount of time they stay loaded.
- Make it request permission every time the key is used.
- Quickly use the keyboard shortcuts to manage the loaded keys.
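To make concrete what "time loaded" and "request permission on each use" mean at the agent level, here is an added Python example (my own, not code from the post or from KeePassXC) that builds and parses an OpenSSH agent add-identity request carrying the lifetime and confirm constraints the agent protocol defines for exactly these two options; the ed25519 key bytes are constructed placeholders, not a real key.

```python
import struct

# Message and constraint numbers from the OpenSSH agent protocol.
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1   # followed by a uint32 number of seconds
SSH_AGENT_CONSTRAIN_CONFIRM = 2    # no payload; the agent must confirm each use
# Constructed placeholder key material, not a real key pair.
SEED, PUB = bytes(range(32)), bytes(32)

def _string(b):
    # SSH wire "string": uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_add_request(seed, pub, comment, lifetime=None, confirm=False):
    # Add-identity request for an ed25519 key with optional lifetime/confirm constraints.
    body = bytes([SSH_AGENTC_ADD_ID_CONSTRAINED])
    body += _string(b"ssh-ed25519") + _string(pub)
    body += _string(seed + pub)           # ed25519 private blob is seed || public key
    body += _string(comment.encode())
    if lifetime is not None:
        body += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        body += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    return _string(body)                  # the whole message is length-prefixed on the socket

def parse_add_request(msg):
    # Walk the message as an agent would; an unknown constraint is rejected (a real agent answers SSH_AGENT_FAILURE).
    body, end = _read_string(msg, 0)
    if end != len(msg) or not body or body[0] != SSH_AGENTC_ADD_ID_CONSTRAINED:
        raise ValueError("not an add-identity-constrained message")
    off, fields = 1, []
    for _ in range(4):                    # key type, public key, private blob, comment
        s, off = _read_string(body, off)
        fields.append(s)
    result = {"key_type": fields[0].decode(), "comment": fields[3].decode(),
              "lifetime": None, "confirm": False}
    while off < len(body):
        ctype, off = body[off], off + 1
        if ctype == SSH_AGENT_CONSTRAIN_LIFETIME:
            (result["lifetime"],) = struct.unpack_from(">I", body, off)
            off += 4
        elif ctype == SSH_AGENT_CONSTRAIN_CONFIRM:
            result["confirm"] = True
        else:
            raise ValueError("unsupported constraint type %d" % ctype)
    return result
```

The same two constraints are what `ssh-add -t` and `ssh-add -c` send, so a key loaded this way expires or prompts for confirmation regardless of which client added it.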
It might not be much, but it is a nice quality of life improvement that also allows you to easily back up and move them around securely.
The right solution for a given person will always depend on their situation and the threat model. For critical personnel, it might be hardware keys; for big organizations, definitely temporary, short-lived, single-use key certificates. But for the personal use of common software developers, managing the keys using KeePassXC looks like a decent option.