Manage a directory of GPG encrypted SSH keys
sshkeystore takes private SSH keys, removes passwords if necessary, encrypts them with GPG, and then
puts them as files in a store directory (~/.sshkeystore by default). The store is designed similarly
to the pass utility, and is intended to be synced between computers via git.
When keys are loaded, the decrypted private keys are added the active SSH agent. They are inserted into
the agent over a pipe to avoid storing the descrypted private key on disk. Since there can be many keys
in an agent, the corresponding public keys are generated and stored as files in a well-known directory
(/tmp/sshkeystore-pub_$USER by default). These files can then be passed to SSH as an identity file to
load the matching key. Under normal circumstances SSH expects identity files to be a private key, but if
given a public key it will try and find the corresponding private key in the same directory. In this case,
there are no matching private keys to be found, however, we are able to exploit the fact that SSH checks
the running SSH agent for matching keys before trying to load keys from disk. This allows us to specify the
private key to use without actually having to have the private key on disk.
usage: sshks [-h] [-S STORE] [-P PUBDIR] [-V] {list,load,loadall,insert} ...
Manage a directory of GPG encrypted SSH keys
options:
-h, --help show this help message and exit
-S STORE, --store STORE
location of the encrypted keystore
-P PUBDIR, --pubdir PUBDIR
temporary location to store the corresponding public keys
-V, --version show program's version number and exit
subcommands:
choose an action to perform
{list,load,loadall,insert}
list lists all keys in the keystore (DEFAULT)
load loads a single key into the agent
loadall loads all keys in the keystore into the agent
insert encrypts a SSH private key and inserts it into the keystore