view
sh
ssh-vault view -h
INFO
aliases: v
Usage: ssh-vault view [OPTIONS] [vault]
Arguments:
[vault] file to read the vault from or reads from stdin if not specified
Options:
-k, --key <key> Path to the private ssh key to use for decyrpting
-o, --output <output> Write output to file instead of stdout
-p, --passphrase <passphrase> Passphrase of the private ssh key [env: SSH_VAULT_PASSPHRASE=]
-h, --help Print help
key
When opening a vault, ssh-vault tries $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 by default if the option -k is not specified.
--passphrase
If the private key is encrypted, you will be prompted to enter its passphrase, for example:
sh
$ date | ssh-vault create | ssh-vault view
Enter ssh key passphrase:
If you want to automate this, you can use the option -p, --passphrase.
1password
Example using 1password:
sh
ssh-vault view -p "$(op item get "ssh-vault demo" --fields password)" /path/to/file.vault
OpenPGP
You can create a file named vault.gpg containing the passphrase for your ssh private key, encrypted with your GPG public key, for example:
sh
printf '%s' "your passphrase" | gpg --output vault.gpg --encrypt --recipient [email protected]
Then create, for example, a script named vaultpw.sh that echoes your passphrase:
sh
#!/bin/sh
gpg --quiet --batch --decrypt vault.gpg
To open the vault, you can then use something like:
sh
ssh-vault view -p "$(vaultpw.sh)" /path/to/file.vault
TIP
You could use a YubiKey to secure your GPG keys
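The help output above shows that the passphrase can also be supplied through the SSH_VAULT_PASSPHRASE environment variable. The following wrapper is an added example, not part of the ssh-vault documentation: it decrypts vault.gpg as in the OpenPGP steps and passes the result through that variable, so the passphrase stays out of the process argument list that other local users can typically read with ps. The function name view_vault and its exit codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not ssh-vault's own code). Assumes gpg and ssh-vault are on
# PATH and that the passphrase file was created as described above.

# view_vault VAULT [PWFILE]   (hypothetical helper; PWFILE defaults to vault.gpg)
# Returns 2 for unreadable input files, 3 if the passphrase cannot be
# decrypted, otherwise the exit status of ssh-vault.
view_vault() {
    vault=$1
    pwfile=${2:-vault.gpg}

    [ -r "$vault" ] || { echo "cannot read vault: $vault" >&2; return 2; }
    [ -r "$pwfile" ] || { echo "cannot read passphrase file: $pwfile" >&2; return 2; }

    # Fail closed: never call ssh-vault with an empty or missing passphrase.
    pw=$(gpg --quiet --batch --decrypt "$pwfile") || {
        echo "gpg could not decrypt $pwfile" >&2; return 3; }
    [ -n "$pw" ] || { echo "decrypted passphrase is empty" >&2; unset pw; return 3; }

    # The assignment prefix exports the variable to this one child process
    # only; it is not set in the calling shell and is not part of argv.
    rc=0
    SSH_VAULT_PASSPHRASE="$pw" ssh-vault view "$vault" || rc=$?

    unset pw
    return "$rc"
}
```

Source the file and run `view_vault /path/to/file.vault`; the plaintext is written to stdout exactly as with `ssh-vault view`.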