view
ssh-vault view -h
aliases
v
INFO
Usage: ssh-vault view [OPTIONS] [vault]
Arguments:
[vault] file to read the vault from or reads from stdin if not specified
Options:
-k, --key <key> Path to the private ssh key to use for decyrpting
-o, --output <output> Write output to file instead of stdout
-p, --passphrase <passphrase> Passphrase of the private ssh key [env: SSH_VAULT_PASSPHRASE=]
-h, --help Print help
key
When opening a vault, ssh-vault will by default try to use $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 if the option -k is not specified.
--passphrase
If the private key is encrypted, you will be prompted to enter its passphrase, for example:
$ date | ssh-vault create | ssh-vault view
Enter ssh key passphrase:
If you want to automate this, you can use the option -p, --passphrase.
1password
Example using 1password:
ssh-vault view -p "$(op item get "ssh-vault demo" --fields password)" /path/to/file.vault
To get the private key from a ssh key stored in 1password you could use the following template:
ssh-vault view -k <(op read "op://Private/SSH - test/private key?ssh-format=openssh") your-vault.ssh
Encrypt and decrypt from 1password
Example reading the public key and private key from 1password
echo "secret" | ssh-vault create -k <(op read "op://Private/SSH - test/public key") | ssh-vault view -k <(op read "op://Private/SSH - test/private key?ssh-format=openssh")
OpenPGP
You can create a file named vault.gpg containing the passphrase of your ssh private key, encrypted with your GPG public key, for example:
echo -n "your passphrase" | gpg --output vault.gpg --encrypt --recipient [email protected]
Then create a script, for example named vaultpw.sh, that prints your passphrase:
#!/bin/sh
gpg --quiet --batch --decrypt vault.gpg
To open the vault then you can use something like:
ssh-vault view -p "$(vaultpw.sh)" /path/to/file.vault
TIP
You could use a YubiKey to secure your GPG keys
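A passphrase given with -p becomes part of the command line, which other local users can typically read from the process list, while the help output above lists SSH_VAULT_PASSPHRASE as the environment equivalent. The wrapper below is an added example, not part of the ssh-vault documentation, that feeds the gpg-decrypted passphrase through that variable instead. The names vault_view, VAULT_PW_FILE and SSH_VAULT_BIN are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the ssh-vault docs. vault_view, VAULT_PW_FILE and
# SSH_VAULT_BIN are names assumed for this sketch.
VAULT_PW_FILE="${VAULT_PW_FILE:-$HOME/.config/ssh-vault/vault.gpg}"
SSH_VAULT_BIN="${SSH_VAULT_BIN:-ssh-vault}"

# Usage: vault_view [-k key] [-o output] [vault]
# The body is a subshell "( ... )", so the decrypted passphrase never
# becomes a variable of the calling shell.
vault_view() (
    if [ ! -r "$VAULT_PW_FILE" ]; then
        echo "vault_view: cannot read $VAULT_PW_FILE" >&2
        exit 2
    fi

    # Refuse -p/--passphrase: a secret in argv shows up in the process list.
    for arg in "$@"; do
        case "$arg" in
            -p*|--passphrase*)
                echo "vault_view: do not pass the passphrase with -p" >&2
                exit 2 ;;
        esac
    done

    # Same gpg call as vaultpw.sh; stop if decryption fails or yields nothing.
    pass=$(gpg --quiet --batch --decrypt "$VAULT_PW_FILE") || {
        echo "vault_view: gpg could not decrypt $VAULT_PW_FILE" >&2
        exit 3
    }
    if [ -z "$pass" ]; then
        echo "vault_view: decrypted passphrase is empty" >&2
        exit 3
    fi

    # The assignment prefix sets SSH_VAULT_PASSPHRASE for this command only.
    SSH_VAULT_PASSPHRASE="$pass" "$SSH_VAULT_BIN" view "$@"
)
```

Source the file and call vault_view /path/to/file.vault; the exit status is that of ssh-vault, or 2 or 3 when the wrapper itself refuses to run.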