LogoLogo
KeeperPAM and Secrets Manager
KeeperPAM and Secrets Manager
  • KeeperPAM
  • Privileged Access Manager
    • Setup Steps
    • Quick Start: Sandbox
    • Getting Started
      • Architecture
        • Architecture Diagram
        • Vault Security
        • Router Security
        • Gateway Security
        • Connection and Tunnel Security
      • KeeperPAM Licensing
      • Enforcement Policies
      • Vault Structure
      • Record Linking
      • Applications
      • Devices
      • Gateways
        • Creating a Gateway
        • Docker Installation
        • Linux Installation
        • Windows Installation
        • Auto Updater
        • Alerts and SIEM Integration
        • Advanced Configuration
          • Gateway Configuration with AWS KMS
          • Gateway Configuration with Custom Fields
      • PAM Configuration
        • AWS Environment Setup
        • Azure Environment Setup
        • Local Environment Setup
      • PAM Resources
        • PAM Machine
          • Example: Linux Machine
          • Example: Azure Windows VM
        • PAM Database
          • Example: MySQL Database
          • Example: PostgreSQL Database
          • Example: Microsoft SQL Server Database
        • PAM Directory
        • PAM Remote Browser
        • PAM User
      • Sharing and Access Control
      • Just-In-Time Access (JIT)
    • Password Rotation
      • Rotation Overview
      • Rotation Use Cases
        • Azure
          • Azure AD Users
          • Azure VM User Accounts
          • Azure Managed Database
            • Azure SQL
            • Azure MySQL - Single or Flexible Database
            • Azure MariaDB Database
            • Azure PostgreSQL - Single or Flexible Database
          • Azure App Secret Rotation
        • AWS
          • IAM User Password
          • Managed Microsoft AD User
          • EC2 Virtual Machine User
          • IAM User Access Key
          • Managed Database
            • AWS RDS for MySQL
            • AWS RDS for SQL Server
            • AWS RDS for PostgreSQL
            • AWS RDS for MariaDB
            • AWS RDS for Oracle
        • Local Network
          • Active Directory or OpenLDAP User
          • Windows User
          • Linux User
          • macOS User
          • Database
            • Native MySQL
            • Native MariaDB
            • Native PostgreSQL
            • Native MongoDB
            • Native MS SQL Server
            • Native Oracle
        • SaaS Accounts
          • Okta User
          • Snowflake User
          • Rotate Credential via REST API
        • Network Devices
          • Cisco IOS XE
          • Cisco Meraki
      • Service Management
      • Post-Rotation Scripts
        • Inputs and Outputs
        • Attaching Scripts
        • Code Examples
    • Connections
      • Getting Started
      • Session Protocols
        • SSH Connections
        • RDP Connections
        • RBI Connections
        • MySQL Connections
        • SQL Server Connections
        • PostgreSQL Connections
        • VNC Connections
        • Telnet Connections
      • Examples
        • SSH Protocol - Linux Machine
        • RDP Protocol - Azure Virtual Machine
        • MySQL Protocol - MySQL Database
        • PostgreSQL Protocol - PostgreSQL Database
    • Tunnels
      • Setting up Tunnels
    • Remote Browser Isolation
      • Setting up RBI
        • URL Patterns & Resource URL Patterns
        • Browser Autofill
    • Session Recording & Playback
    • SSH Agent
      • Integration with Git
    • Discovery
      • Discovery Basics
      • Discovery using Commander
      • Discovery using the Vault
    • On-Prem Connection Manager
    • References
      • Port Mapping
      • Setting up SSH
      • Setting up WinRM
      • Setting up SQL Server
      • Database Import and Export
      • Installing sqlcmd on Linux
      • Installing Docker on Linux
      • Creating KSM App for Rotation
      • Active Directory Least Privilege
      • Event Reporting
      • Importing PAM Records
      • Managing Rotation via CLI
      • Commander SDK
      • Cron Spec
      • Preview Access
  • Endpoint Privilege Manager
    • Overview
    • Setup
    • Deployment
    • Policies
    • Managing Requests
  • FAQs
  • Secrets Manager
    • Secrets Manager Overview
    • Quick Start Guide
    • About KSM
      • Architecture
      • Terminology
      • Security & Encryption Model
      • One Time Access Token
      • Secrets Manager Configuration
      • Keeper Notation
      • Event Reporting
      • Field/Record Types
    • Secrets Manager CLI
      • Profile Command
      • Init Command
      • Secret Command
      • Folder Command
      • Sync Command
      • Exec Command
      • Config Command
      • Version Command
      • Misc Commands
      • Docker Container
      • Custom Record Types
    • Password Rotation
    • Developer SDKs
      • Python SDK
      • Java/Kotlin SDK
        • Record Field Classes
      • JavaScript SDK
      • .NET SDK
      • Go SDK
        • Record Field Classes
      • PowerShell
      • Vault SDKs
    • Integrations
      • Ansible
        • Ansible Plugin
        • Ansible Tower
      • AWS CLI Credential Process
      • AWS Secrets Manager Sync
      • AWS KMS Encryption
      • Azure DevOps Extension
      • Azure Key Vault Sync
      • Azure Key Vault Encryption
      • Bitbucket Plugin
      • Docker Image
      • Docker Runtime
      • Docker Writer Image
      • Entrust HSM Encryption
      • Git - Sign Commits with SSH
      • GitHub Actions
      • GitLab
      • Google Cloud Secret Manager Sync
      • Google Cloud Key Management Encryption
      • Hashicorp Vault
      • Heroku
      • Jenkins Plugin
      • Keeper Connection Manager
      • Kubernetes External Secrets Operator
      • Kubernetes (alternative)
      • Linux Keyring
      • Octopus Deploy
      • Oracle Key Vault Encryption
      • PowerShell Plugin
      • ServiceNow
      • TeamCity
      • Teller
      • Terraform Plugin
        • Terraform Registry
      • Windows Credential Manager
      • XSOAR
    • Troubleshooting
  • Commander CLI
    • Commander Overview
    • Installation and Setup
      • CLI Installation on Windows
      • CLI Installation on macOS
      • CLI Installation on Linux
      • Python Developer Setup
      • .NET Developer Setup
      • PowerShell Module
      • Logging in
      • Configuration and Usage
        • AWS Secrets Manager
        • AWS Key Management Service
      • Automating with Windows Task
      • Automating with AWS Lambda
      • Uninstallation
    • Command Reference
      • Import and Export Data
        • Import/Export Commands
        • CyberArk Import
        • LastPass Data Import
        • Delinea / Thycotic Secret Server Import
        • Keepass Import
        • ManageEngine Import
        • Myki Import
        • Proton Pass Import
        • CSV Import
        • JSON Import
      • Reporting Commands
        • Report Types
      • Enterprise Management Commands
        • Creating and Inviting Users
        • Compliance Commands
        • Breachwatch Commands
        • SCIM Push Configuration
      • Record Commands
        • Record Type Commands
        • Creating Record Types
      • Sharing Commands
      • KeeperPAM Commands
      • Connection Commands
        • SSH
        • SSH Agent
        • RDP
        • Connect Command
        • SFTP Sync
      • Secrets Manager Commands
      • MSP Management Commands
      • Miscellaneous Commands
      • Password Rotation
        • Password Rotation Commands
        • AWS Plugin
        • Azure Plugin
        • Microsoft SQL Server Plugin
        • MySQL Plugin
        • Oracle Plugin
        • PostgreSQL Plugin
        • PSPasswd Plugin
        • SSH Plugin
        • Unix Passwd Plugin
        • Windows Plugin
        • Active Directory Plugin
        • Automatic Execution
    • Service Mode REST API
    • Troubleshooting
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Prerequisites
  • Features
  • GitHub Authentication
  • Signing Commits

Was this helpful?

Export as PDF
  1. Privileged Access Manager
  2. SSH Agent

Integration with Git

Keeper SSH Agent integration for Git Authentication and Commit Signing

PreviousSSH AgentNextDiscovery

Last updated 28 days ago

Was this helpful?

Keeper's SSH Agent integrates seamlessly with Git for authentication and commit signing, ensuring private keys are securely stored in the Keeper Vault instead of being saved locally on the device. This approach enhances security by protecting sensitive keys from local exposure.

In this guide, we'll create and configure separate authentication and signing keys for use with GitHub, all managed securely by Keeper. Using distinct keys for authentication and signing helps maintain a clear separation of roles, further strengthening your security posture.

Prerequisites

Features

GitHub Authentication

To authenticate with GitHub using Keeper, follow the below steps.

1

Create a Keeper record

  • Create a record in Keeper such as an SSH Key type or PAM User type.

  • Generate a strong password

2

Generate SSH Key

Generate SSH key on your terminal with the password generated by Keeper. For example:

ssh-keygen -t ecdsa -b 521 -C "craig@keeperdemo.io"

Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********

This will create the public and private keys locally on your machine.

For example:

/Users/craig/.ssh/id_ecdsa
/Users/craig/.ssh/id_ecdsa.pub
3

Add Key to Record

Add the contents from the public and private keys generated in Step 2 into the Keeper record. Copy paste the Public Key and Private Key into the fields of Keeper.

4

Add Key to Github

  • From Github.com, go to Settings > SSH and GPG keys > New SSH Key > and select Key type of "Authentication Key".

  • Assign a title, and paste the public key contents from id_ecdsa.pub in Step 2.

  • Save the key.

5

Add Key to SSH Agent

From the Keeper Desktop App, open Settings > Developer > SSH Agent > Edit and select your "Github Auth key" created in step3 from the list of available keys.

Click "Update" to save the settings.

6

Delete the local key

At this point, it's a good idea to delete the local key, since it is now stored and managed by Keeper. In this case, you can delete both the public and private key.

rm /Users/craig/.ssh/id_ecdsa
rm /Users/craig/.ssh/id_ecdsa.pub
7

Authenticating with Github

From a terminal in some repo, perform an authorized request with Github:

git pull
8

This immediately will trigger a Keeper dialog to authorize the Github Authentication key.

Clicking "Authorize" will use the key stored in Keeper to authenticate with Github.

Your setup is complete.

Signing Commits

To sign GitHub commits with Keeper, we will create a separate key that is specifically used for the signing process. Follow the steps below.

1

Create a Keeper record

  • Create a record in Keeper such as an SSH Key type or PAM User type.

  • Generate a strong password

2

Generate SSH Key

Generate SSH key on your terminal with the password generated by Keeper. For example:

ssh-keygen -t ecdsa -b 521 -C "craig@keeperdemo.io"

Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********

This will create the public and private keys locally on your machine.

For example:

/Users/craig/.ssh/id_ecdsa
/Users/craig/.ssh/id_ecdsa.pub
3

Add Key to Record

Add the contents from the public and private keys generated in Step 2 into the Keeper record. Copy paste the Public Key and Private Key into the fields of Keeper.

4

Add Key to Github

  • From Github, go to Settings > SSH and GPG keys > New SSH Key > and select Key type of "Signing Key".

  • Assign a title, and paste the public key contents from Step 2.

  • Save the key.

5

Add Key to SSH Agent

From Keeper, open Settings > Developer > SSH Agent > Edit and select the Github signing key.

Click "Update" to save the settings.

6

Delete the local private key

We will only delete the local private key, since it is now stored and managed by Keeper. The public key (xxx.pub) needs to stay, as it will be used for identifying which key to use for signing.

rm /Users/craig/.ssh/id_ecdsa

Let's also rename the public key to something more specific:

cd ~/.ssh
mv id_ecdsa.pub git_signing_key.pub

Place the username and the contents of the public key into a file called ~/.ssh/allowed_signers. For example:

craig@keeperdemo.io <contents of git_signing_key.pub>

In this example, the file looks like this:

craig@keeperdemo.io ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAD2VeqOZ9bk2ABF6AZ63qJY2sDfz0kJJPfDW0zpres0/p1YGGJBYtyU4l3nIgwx0K2iEKFty429N2NNfIMBsqI+ngDq3/VGaexmZxymJnCzOl9+J1IQr6u05jZHLsk1FOALjOSm9jv4bF/DyK4oh5shKMlTHAeDWPfqMd3JwncSYBzKfA== craig@keeperdemo.io
7

Enable Git Signing

From the terminal, instruct Github to sign commits using this new key and allowed signers.

git config --global user.signingkey ~/.ssh/git_signing_key.pub
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

This basically has the effect of adding several lines to ~/.gitconfig and applies the changes globally. You can also configure individual repos instead of making these changes globally.

8

Verify Signing

From a repository, let's do a quick empty commit to test the signing process:

git commit --allow-empty -m "Test commit with SSH signing"

This immediately will trigger a Keeper dialog to authorize the key.

To verify that the signature was applied to the commit, run the following:

git log --show-signature

The response will display something like this:

commit 52319faf2e7c02a (HEAD -> main)
Good "git" signature for craig@keeperdemo.io with ECDSA key SHA256:xxxxxxx
Author: Craig Lurey <craig@keeperdemo.io>
Date:   Fri Jan 17 20:18:19 2025 -0800

    Test commit with SSH signing

Setup is complete.

Ensure that on the Keeper Desktop

is performed

SSH Agent is active
GitHub Authentication
Signing Commits
Terminal Configuration
Keeper SSH Key for Github Authentication
Select Github Auth Key from Keeper SSH Agent
Authorize the use of Github Auth Key in Keeper