Keeper SSH Agent integration for Git Authentication and Commit Signing
Keeper's SSH Agent integrates seamlessly with Git for authentication and commit signing, ensuring private keys are securely stored in the Keeper Vault instead of being saved locally on the device. This approach enhances security by protecting sensitive keys from local exposure.
In this guide, we'll create and configure separate authentication and signing keys for use with GitHub, all managed securely by Keeper. Using distinct keys for authentication and signing helps maintain a clear separation of roles, further strengthening your security posture.
Ensure that on the Keeper Desktop
is performed
To authenticate with GitHub using Keeper, follow the below steps.
To sign GitHub commits with Keeper, we will create a separate key that is specifically used for the signing process. Follow the steps below.
Generate a strong password
This immediately will trigger a Keeper dialog to authorize the Github Authentication key.
Clicking "Authorize" will use the key stored in Keeper to authenticate with Github.
Your setup is complete.
Generate a strong password
We will only delete the local private key, since it is now stored and managed by Keeper. The public key (xxx.pub) needs to stay, as it will be used for identifying which key to use for signing.
Let's also rename the public key to something more specific:
Place the username and the contents of the public key into a file called ~/.ssh/allowed_signers. For example:
In this example, the file looks like this:
ssh-keygen -t ecdsa -b 521 -C "[email protected]"
Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********/Users/craig/.ssh/id_ecdsa
/Users/craig/.ssh/id_ecdsa.pubrm /Users/craig/.ssh/id_ecdsa
rm /Users/craig/.ssh/id_ecdsa.pubgit pullssh-keygen -t ecdsa -b 521 -C "[email protected]"
Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********/Users/craig/.ssh/id_ecdsa
/Users/craig/.ssh/id_ecdsa.pubrm /Users/craig/.ssh/id_ecdsacd ~/.ssh
mv id_ecdsa.pub git_signing_key.pub[email protected] <contents of git_signing_key.pub>git config --global user.signingkey ~/.ssh/git_signing_key.pub
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signersgit commit --allow-empty -m "Test commit with SSH signing"git log --show-signaturecommit 52319faf2e7c02a (HEAD -> main)
Good "git" signature for [email protected] with ECDSA key SHA256:xxxxxxx
Author: Craig Lurey <[email protected]>
Date: Fri Jan 17 20:18:19 2025 -0800
Test commit with SSH signing
[email protected] ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAD2VeqOZ9bk2ABF6AZ63qJY2sDfz0kJJPfDW0zpres0/p1YGGJBYtyU4l3nIgwx0K2iEKFty429N2NNfIMBsqI+ngDq3/VGaexmZxymJnCzOl9+J1IQr6u05jZHLsk1FOALjOSm9jv4bF/DyK4oh5shKMlTHAeDWPfqMd3JwncSYBzKfA== [email protected]