
This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!


keychain

Keychain helps you manage SSH and GPG keys in a convenient and secure manner. It acts as a front-end to ssh-agent and ssh-add, but lets you keep one long-running ssh-agent process per system, rather than the usual one ssh-agent per login session. This dramatically reduces the number of times you need to enter your passphrase. With keychain, you only need to enter a passphrase once every time your local machine is rebooted.



Install

# apk add keychain
# apt install keychain
# dnf install keychain
# emerge -a net-misc/keychain
# nix-env -iA nixos.keychain
# nix-env -iA nixpkgs.keychain
# pacman -S keychain

TODO

# xbps-install -S keychain
# zypper install keychain

Config

Assuming you have the key pairs id_rsa / id_rsa.pub and id_bis_rsa / id_bis_rsa.pub in your $HOME/.ssh/ directory, you can do the following:

$ mkdir -p "${XDG_CONFIG_HOME:-${HOME}/.config}/keychain"

$ vi $HOME/.bashrc # or ${ZDOTDIR:-${HOME}}/.zshrc or wherever
    > ...
  + >
  + > # keychain
  + > #
  + > # prerequisite:
  + > #   * keychain: https://repology.org/project/keychain/versions
  + > #
  + > # see:
  + > #   * https://www.funtoo.org/Funtoo:Keychain
  + > #
  + > eval "$(keychain --dir "${XDG_CONFIG_HOME:-${HOME}/.config}/keychain" --agents ssh --eval id_rsa id_bis_rsa)"
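
keychain stores the running agent's environment (SSH_AUTH_SOCK, SSH_AGENT_PID) in files under this directory, so it should be writable only by you. The following is an added example, not part of the original cheat sheet or of keychain itself: it resolves the same directory as above and refuses to use it unless it is private. The function names keychain_private_dir and keychain_load are hypothetical.

```shell
# Added example: helper names are hypothetical, not part of keychain.

# Print the keychain state directory, creating it with mode 700 if missing.
# Returns non-zero (message on stderr) if the path is a symlink, is not a
# directory, is owned by another user, or is writable by group or others.
keychain_private_dir() {
    dir="${XDG_CONFIG_HOME:-${HOME}/.config}/keychain"
    if [ -L "$dir" ]; then
        echo "keychain: $dir is a symlink, refusing to use it" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        # umask is set in a subshell so the caller's umask is untouched
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "keychain: $dir is not a directory" >&2
        return 1
    fi
    # find prints the path only when the current user owns it
    if [ -z "$(find "$dir" -prune -user "$(id -u)" -print)" ]; then
        echo "keychain: $dir is not owned by you" >&2
        return 1
    fi
    # find prints the path when the group or world write bit is set
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "keychain: $dir is writable by group or others" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Start or reuse the agent and load the given keys, but only when the
# directory check above passes. Uses the same keychain options as the page.
keychain_load() {
    kc_dir=$(keychain_private_dir) || return 1
    eval "$(keychain --dir "$kc_dir" --agents ssh --eval "$@")"
}

# In $HOME/.bashrc, in place of the plain eval line:
#   keychain_load id_rsa id_bis_rsa
```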

Use

  • Sometimes, it might be necessary to flush all cached keys in memory (but note that any agent(s) will continue to run):

    $ keychain --clear
    

  • List signatures of all active SSH keys, and exit (similar to ssh-add -l):

    $ keychain --list
    

  • Kill currently running agent processes.

    • Kill all agent processes and quit keychain immediately:

      $ keychain --stop all
      

    • Kill agent processes other than the one keychain is providing. Prior to keychain-2.5.0, keychain would do this automatically. The new behavior requires that you specify it explicitly if you want it:

      $ keychain --stop others
      

    • Kill keychain's agent processes, leaving other agents alone:

      $ keychain --stop mine
      

