Myhro Notes

KeePassXC SSH agent integration

When I first heard that some password managers supported SSH agent integration, I didn’t see much benefit. After all, the SSH key passphrases were already stored there. It was just a matter of running ssh-add to add them. I soon forgot about it and didn’t pursue the matter further.

Earlier today, I read about how SSH keys can be stored in the Mac’s Secure Enclave, tying them to the device and preventing their extraction (at least until an attack is discovered). I don’t like the idea of losing the keys to the kingdom and facing a major hassle when switching laptops, so I looked for alternatives. That’s when I remembered that KeePassXC supports SSH agent integration.

I’ve always liked KeePassXC’s documentation, even before learning how to use its passkey support. That’s when it clicked: the goal isn’t just to avoid storing keys in ~/.ssh/ (which is already a major benefit, given how easily the files can be copied). It’s about the entire key management lifecycle: storing them securely, adding them to the agent when unlocking the secret store, and removing them when locking it, if needed. It’s all there. There’s really no reason to manually run ssh-add anymore.
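As an added example (not part of the original post), the following script checks the two points above after a migration: that no private key files are left under ~/.ssh/, and whether the agent currently holds any keys. The function names are hypothetical, and the scan only recognises PEM-style private key headers.

```shell
#!/bin/sh
# Added example: audit for private keys left on disk and report agent state.
# Scans ~/.ssh by default; pass another directory as the first argument.

# Print every regular file under $1 whose first line is a private key header
# (OpenSSH, PKCS#8 or legacy PEM). Public keys, config and known_hosts are
# ignored. Assumption: other formats (e.g. PuTTY .ppk) are not detected.
find_private_keys() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null) || continue
        case $first in
            "-----BEGIN "*"PRIVATE KEY-----"*) printf '%s\n' "$f" ;;
        esac
    done
}

# Number of files reported by find_private_keys.
count_private_keys() {
    find_private_keys "$1" | wc -l | tr -d ' '
}

# ssh-add -l exits 0 when keys are loaded, 1 when the agent is empty,
# and 2 when no agent can be reached.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo "no-ssh-add"; return 0; }
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "keys-loaded" ;;
        1) echo "empty" ;;
        *) echo "unreachable" ;;
    esac
}

# Report both checks for one directory.
audit() {
    dir=${1:-$HOME/.ssh}
    echo "private key files in $dir: $(count_private_keys "$dir")"
    find_private_keys "$dir"
    echo "agent: $(agent_state)"
}

audit "$@"
```

Run it once with the database unlocked and once with it locked: the file count should be 0 in both cases, and the agent line shows whether keys were added on unlock and removed on lock.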