# Integration with Git

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F1xcCA0N2mKvyUVCfkZMY%2FKeeperPAM%20Integration%20with%20Git.jpg?alt=media&#x26;token=aeb5d4d6-8700-46b8-a16b-6d000b06ef5d" alt=""><figcaption></figcaption></figure>

Keeper's SSH Agent integrates seamlessly with Git for authentication and commit signing, ensuring private keys are securely stored in the Keeper Vault instead of being saved locally on the device. This approach enhances security by protecting sensitive keys from local exposure.

In this guide, we'll create and configure separate authentication and signing keys for use with GitHub, all managed securely by Keeper. Using distinct keys for authentication and signing helps maintain a clear separation of roles, further strengthening your security posture.

## Prerequisites

* Ensure that [SSH Agent is active](https://docs.keeper.io/en/keeperpam/privileged-access-manager/ssh-agent/integration-with-git) on the Keeper Desktop
* [Terminal Configuration](https://docs.keeper.io/keeperpam/privileged-access-manager#terminal-configuration) is performed

## Features

* [GitHub Authentication](#github-authentication)
* [Signing Commits](#signing-commits)

## GitHub Authentication

To authenticate with GitHub using Keeper, follow the below steps.

{% stepper %}
{% step %}
**Create a Keeper record**

* Create a record in Keeper such as an **SSH Key** type or **PAM User** type.
* Generate a strong password
  {% endstep %}

{% step %}
**Generate SSH Key**

Generate SSH key on your terminal with the password generated by Keeper. For example:

```
ssh-keygen -t ecdsa -b 521 -C "craig@keeperdemo.io"

Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********
```

This will create the public and private keys locally on your machine.

For example:

```
/Users/craig/.ssh/id_ecdsa
/Users/craig/.ssh/id_ecdsa.pub
```

{% endstep %}

{% step %}
**Add Key to Record**

Add the contents from the public and private keys generated in Step 2 into the Keeper record. Copy paste the Public Key and Private Key into the fields of Keeper.

<div align="left"><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FDxSi7fUUzW1dcShfEcPR%2FScreenshot%202025-01-17%20at%2010.21.30%E2%80%AFPM.png?alt=media&#x26;token=8fbd5131-ff81-4fc7-afad-e1fb1cab4e7b" alt="" width="375"><figcaption><p>Keeper SSH Key for Github Authentication</p></figcaption></figure></div>
{% endstep %}

{% step %}
**Add Key to Github**

* From Github.com, go to **Settings** > **SSH and GPG keys** > **New SSH Key** > and select Key type of "**Authentication Key**".
* Assign a title, and paste the **public key** contents from `id_ecdsa.pub` in Step 2.
* Save the key.
  {% endstep %}

{% step %}
**Add Key to SSH Agent**

From the Keeper Desktop App, open **Settings** > **Developer** > **SSH Agent** > **Edit** and select your "Github Auth key" created in step3 from the list of available keys.

Click "**Update**" to save the settings.

<div align="left"><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FcFPh7LSRmJSWRYtlco5l%2FScreenshot%202025-01-17%20at%2010.43.06%E2%80%AFPM.png?alt=media&#x26;token=3ccc1155-a3dc-4d47-83f0-18769b92309b" alt="" width="375"><figcaption><p>Select Github Auth Key from Keeper SSH Agent</p></figcaption></figure></div>
{% endstep %}

{% step %}
**Delete the local key**

At this point, it's a good idea to delete the local key, since it is now stored and managed by Keeper. In this case, you can delete both the public and private key.

```
rm /Users/craig/.ssh/id_ecdsa
rm /Users/craig/.ssh/id_ecdsa.pub
```

{% endstep %}

{% step %}
**Authenticating with Github**

From a terminal in some repo, perform an authorized request with Github:

```
git pull
```

{% endstep %}

{% step %}
This immediately will trigger a Keeper dialog to authorize the Github Authentication key.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FgqeSt0Xohap96dtYi0kU%2FScreenshot%202025-01-17%20at%2010.19.07%E2%80%AFPM.png?alt=media&#x26;token=7e6d77f9-c31e-4763-8478-4d19b59116b7" alt=""><figcaption><p>Authorize the use of Github Auth Key in Keeper</p></figcaption></figure>

Clicking "Authorize" will use the key stored in Keeper to authenticate with Github.

Your setup is complete.
{% endstep %}
{% endstepper %}

## Signing Commits

To sign GitHub commits with Keeper, we will create a separate key that is specifically used for the signing process. Follow the steps below.

{% stepper %}
{% step %}
**Create a Keeper record**

* Create a record in Keeper such as an **SSH Key** type or **PAM User** type.
* Generate a strong password
  {% endstep %}

{% step %}
**Generate SSH Key**

Generate SSH key on your terminal with the password generated by Keeper. For example:

```
ssh-keygen -t ecdsa -b 521 -C "craig@keeperdemo.io"

Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********
```

This will create the public and private keys locally on your machine.

For example:

```
/Users/craig/.ssh/id_ecdsa
/Users/craig/.ssh/id_ecdsa.pub
```

{% endstep %}

{% step %}
**Add Key to Record**

Add the contents from the public and private keys generated in Step 2 into the Keeper record. Copy paste the Public Key and Private Key into the fields of Keeper.

<div align="left"><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FKhayBOMuHxXB6hWKuWbA%2FScreenshot%202025-01-17%20at%207.59.02%E2%80%AFPM.png?alt=media&#x26;token=10b23fd6-fea2-41b7-8d7a-9a29f65377d7" alt="" width="375"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}
**Add Key to Github**

* From Github, go to Settings > SSH and GPG keys > New SSH Key > and select Key type of "Signing Key".
* Assign a title, and paste the public key contents from Step 2.
* Save the key.
  {% endstep %}

{% step %}
**Add Key to SSH Agent**

From Keeper, open **Settings** > **Developer** > **SSH Agent** > **Edit** and select the Github signing key.

Click "Update" to save the settings.
{% endstep %}

{% step %}
**Delete the local private key**

We will only delete the local private key, since it is now stored and managed by Keeper. The public key (xxx.pub) needs to stay, as it will be used for identifying which key to use for signing.

```
rm /Users/craig/.ssh/id_ecdsa
```

Let's also rename the public key to something more specific:

```
cd ~/.ssh
mv id_ecdsa.pub git_signing_key.pub
```

Place the username and the contents of the public key into a file called `~/.ssh/allowed_signers`. For example:

```
craig@keeperdemo.io <contents of git_signing_key.pub>
```

In this example, the file looks like this:

{% code overflow="wrap" %}

```
craig@keeperdemo.io ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAD2VeqOZ9bk2ABF6AZ63qJY2sDfz0kJJPfDW0zpres0/p1YGGJBYtyU4l3nIgwx0K2iEKFty429N2NNfIMBsqI+ngDq3/VGaexmZxymJnCzOl9+J1IQr6u05jZHLsk1FOALjOSm9jv4bF/DyK4oh5shKMlTHAeDWPfqMd3JwncSYBzKfA== craig@keeperdemo.io
```

{% endcode %}
{% endstep %}

{% step %}
**Enable Git Signing**

From the terminal, instruct Github to sign commits using this new key and allowed signers.

```
git config --global user.signingkey ~/.ssh/git_signing_key.pub
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
```

This basically has the effect of adding several lines to `~/.gitconfig` and applies the changes globally. You can also configure individual repos instead of making these changes globally.
{% endstep %}

{% step %}
**Verify Signing**

From a repository, let's do a quick empty commit to test the signing process:

```
git commit --allow-empty -m "Test commit with SSH signing"
```

This immediately will trigger a Keeper dialog to authorize the key.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fcg6peK9rIReHQ2WbEyjV%2FScreenshot%202025-01-17%20at%208.18.39%E2%80%AFPM.png?alt=media&#x26;token=5a54fc48-c0b9-4ae5-a2eb-10380a6c4519" alt=""><figcaption></figcaption></figure>

To verify that the signature was applied to the commit, run the following:

```
git log --show-signature
```

The response will display something like this:

```
commit 52319faf2e7c02a (HEAD -> main)
Good "git" signature for craig@keeperdemo.io with ECDSA key SHA256:xxxxxxx
Author: Craig Lurey <craig@keeperdemo.io>
Date:   Fri Jan 17 20:18:19 2025 -0800

    Test commit with SSH signing
```

Setup is complete.
{% endstep %}
{% endstepper %}