Protecting SSH Public Key Authentication with Touch ID

How to store your SSH keys in 1Password and use Touch ID to authenticate SSH sessions.

Note: Any and all comments/improvements are welcomed.

A quick introduction

Using SSH public key authentication to connect to a remote system is a robust, more secure alternative to logging in with an account password or passphrase. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one “private” and the other “public”. You keep the private key a secret and store it on the computer you use to connect to the remote system.

To copy your public key to the remote server, use the following command:

ssh-copy-id -i ~/.ssh/ user@servername

You can now connect to the server using the following command, and no password is required.

ssh -i ~/.ssh/id_rsa user@servername

For further details, including how to generate a public/private key pair if you do not already have one, please see the following article – How to Set Up SSH Keys on Debian 10.

Protecting your private key

As the private key can be used to access any server that holds the matching public key, it needs to be kept secure. It doesn’t really seem a good idea for it to be lying around on the file system, so I decided to look for a better solution.

1Password SSH Agent

1Password 8 allows you to store your SSH keys securely along with all your passwords, and using the 1Password SSH agent, these keys can be used seamlessly in your SSH workflows.

The agent authenticates your SSH clients without the client ever being able to read your private key. In fact, your private key never even leaves the 1Password app.

When you attempt to connect to a remote server using SSH and 1Password is locked, you are prompted to unlock it using Touch ID.

Install 1Password 8 beta for Mac

At the time of writing, this functionality is only available in the beta version of 1Password 8 (I assume you understand the risks of using beta software!).

Adding an Existing Private Key to 1Password

If you already have SSH key(s) that you use, you can easily add them to 1Password.

Open 1Password, click + New Item in the top right hand corner

Select SSH Key from the list.

Name the Key and Upload your Public key.

Click Save

Using 1Password to Generate an SSH Key

If you do not already have an SSH Key, 1Password can generate one for you really easily:

Open 1Password, click + New Item in the top right hand corner

Select SSH Key from the list.

Name the New Key, then click + Add Private Key / Generate a New Key

Select the Key Type and Bit Length

Click Save

Enable Touch ID

This process is only really effective if you enable Touch ID unlocking of your 1Password vault; otherwise you will need to enter your master password when you open an SSH session.

Open 1Password Preferences / Security and make sure that Touch ID is enabled.

Turn on the 1Password SSH Agent

Click the Developer section and turn on Use the SSH Agent

Configure SSH

The last step is to configure your SSH client to use the agent for authentication.

The path to agent.sock is lengthy, so first we will create a symbolic link to your home directory.

mkdir -p ~/.1password && ln -s ~/Library/Group\ Containers/ ~/.1password/agent.sock

Modify your ~/.ssh/config entries to use the SSH Agent instead of your IdentityFile

  Hostname <IP.ADDRESS>
  User root
  IdentityAgent "~/.1password/agent.sock"

Alternatively, if you wish to use the SSH Agent for ALL your SSH Sessions, add the following lines to the top of ~/.ssh/config

Host *
  IdentityAgent "~/.1password/agent.sock"
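Because OpenSSH uses the first value it finds for each option, the placement of a catch-all Host * block matters. The following added example (not part of the original post) resolves the effective IdentityAgent and IdentityFile for a host from a constructed sample config that combines both variants shown above, so you can check which hosts still fall back to an on-disk key; the host names and addresses in SAMPLE_CONFIG are made up.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config: the post's per-host entry, a host that
# still names an on-disk key, and the post's catch-all "Host *" entry.
SAMPLE_CONFIG = """
Host web
  Hostname 192.0.2.10
  User root
  IdentityAgent "~/.1password/agent.sock"
Host legacy
  IdentityFile ~/.ssh/id_rsa
Host *
  IdentityAgent "~/.1password/agent.sock"
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, options) blocks in file order."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first value within a block wins
    blocks.append((patterns, opts))
    return blocks

def effective(text, host):
    """Options OpenSSH applies to `host`: first match wins, so "Host *" at the top overrides later blocks."""
    result = {}
    for patterns, opts in parse_blocks(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):  # "!" negation not handled
            for key, value in opts.items():
                result.setdefault(key, value)
    return result

def audit(text, host):
    """Classify how `host` authenticates: agent, keyfile, agent+keyfile, or none."""
    eff = effective(text, host)
    has_agent, has_file = "identityagent" in eff, "identityfile" in eff
    return {(True, False): "agent", (False, True): "keyfile",
            (True, True): "agent+keyfile"}.get((has_agent, has_file), "none")
```

Run `audit(SAMPLE_CONFIG, "legacy")` to see that the catch-all agent entry applies to that host while its IdentityFile is still configured, which is the situation the post wants you to clean up.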

Using the 1Password SSH Agent

Now when you open a new SSH session, if 1Password is locked you will be prompted to unlock it using Touch ID.

Job done.


  1. Set up SSH public key authentication to connect to a remote system.
  2. How to Set Up SSH Keys on Debian 10.
  3. 1Password for SSH & Git.
