
Using Bitwarden SSH Agent for Git Commit Signing and Remote Authentication


Prerequisites

What is Bitwarden?

Bitwarden is an open-source password manager. Its freemium model lets you use it for free. While there are plans for organizations, I am assuming individual use here.
https://bitwarden.com/

Aside: Why Bitwarden?

When I switched from macOS to Linux, I needed to migrate my password manager from iCloud Keychain. I was attracted to Bitwarden because it is free, works on both iOS and Linux, and is open-source. I am satisfied with the service. However, a supply chain attack on the Bitwarden CLI occurred in April 2026. Since you are handling sensitive information, I recommend that you carefully compare options when considering a migration. That said, I intend to continue using Bitwarden.

What is the Bitwarden SSH Agent?

Bitwarden has provided a way to manage SSH keys within the software since January 2025.

https://bitwarden.com/help/ssh-agent/
By using this feature, secret keys are not saved directly to the ~/.ssh directory as they typically are when created with ssh-keygen. Instead, SSH keys can be used only while Bitwarden is running.

This means that even if your device is stolen or hacked, your secret keys should be safe as long as Bitwarden is locked. At the very least, an attacker won't be able to copy them out of ~/.ssh.
If you are looking for more rigorous security, perhaps you should use an external security key like a YubiKey where the secret key cannot be exported. That certainly piques my interest.

What is SSH in Git?

Git, the version control tool, has built-in support for signing commits with SSH (or GPG) keys. Also, Git hosting services like GitLab and GitHub provide SSH connections for accessing repositories.

In this article, we will manage these two types of keys with Bitwarden:

  1. SSH key for commit signing: Proves that the commit was made by you.
  2. SSH key for SSH connections: Authentication when connecting to GitLab/GitHub.

Let's Get Started! 🫏

Creating SSH Keys in Bitwarden

The official help page explains the details. Please refer to it as well.

First, open Bitwarden. I use the Flathub version on Fedora, and I'm sure there is a Bitwarden client compatible with your OS.
[Image: Bitwarden start screen]
Next, click the + button, select "SSH Key", name it, and save it...
[Image: Bitwarden SSH key generation]
Done!

I created three separate keys because I want to manage Git signing, GitHub connection, and GitLab connection individually.

Setting the Socket Path

In this state, if you try to check your keys in the shell with ssh-add -L, you will get an error: Error connecting to agent: Connection refused.
To have the shell recognize the keys, open your shell configuration with nano ~/.bashrc (or nano ~/.zshrc) and add:

~/.bashrc
# For the Flatpak version
export SSH_AUTH_SOCK=/home/<your-username>/.var/app/com.bitwarden.desktop/data/.bitwarden-ssh-agent.sock

The socket path differs depending on the OS/app version. Please refer to the relevant section of the official help.

Now, if you run ssh-add -L, you should see the keys you created in Bitwarden.

Setting Up Git Commit Signing

To use an SSH key for signing Git commits, first tell Git that the signing format is SSH.

git config --global gpg.format ssh

Copy your public SSH key from Bitwarden in advance, and tell Git which public key to use:

git config --global user.signingkey "<your-signing-ssh-public-key-starting-with-ssh-ed25519>"

Optionally, to automatically enable signing for Git commits, run:

git config --global commit.gpgsign true

Furthermore, to make local Git trust this key, create a file:

# Create a list of trusted keys
touch ~/.ssh/allowed_signers

Open it with nano ~/.ssh/allowed_signers and add:

# Example: email@example.com ssh-ed25519 XXXXXXXX
# Write the key without surrounding quotes, as in the example above.
<your-email-used-for-git-commits> <your-signing-ssh-public-key-starting-with-ssh-ed25519>

Finally, tell Git where the trusted key list is by running:

git config --global gpg.ssh.allowedSignersFile "$HOME/.ssh/allowed_signers"

With this, your local Git will recognize your key as trusted.
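
A check for the setup above, as an added example (not from the original article, Git, or Bitwarden): the hypothetical helper check_signer compares the key given to user.signingkey with the allowed_signers entries for your commit email and reports why local verification would fail. The sample entries and key blobs are constructed placeholders.

```shell
#!/bin/sh
# check_signer FILE EMAIL PUBKEY  (hypothetical helper, not a Git or Bitwarden command)
# Prints: ok | key-mismatch | quoted-key | no-entry
check_signer() {
    awk -v email="$2" -v pub="$3" '
    BEGIN {
        sub(/^key::/, "", pub)            # Git also accepts a "key::" prefix
        split(pub, p, " ")                # drop the trailing comment field
        want = p[1] " " p[2]; result = "no-entry"
    }
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    {
        # Field 1 is a comma-separated principal list. Exact match only here;
        # the real format also allows wildcard patterns.
        n = split($1, princ, ","); hit = 0
        for (i = 1; i <= n; i++) if (princ[i] == email) hit = 1
        if (!hit) next
        # Options may sit between principals and key, so scan for the key type.
        for (i = 2; i < NF; i++) {
            if ($i ~ /^"(ssh-|ecdsa-|sk-)/) { result = "quoted-key"; next }
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                if (($i " " $(i + 1)) == want) { result = "ok"; exit }
                if (result == "no-entry") result = "key-mismatch"
                next
            }
        }
    }
    END { print result }' "$1"
}

# Constructed sample data: the base64 blobs are placeholders, not real keys.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERsigning git-signing'
demo=$(mktemp)
cat > "$demo" <<EOF
# principals [options] keytype base64
alice@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERsigning
bob@example.com "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERsigning"
EOF
for who in alice@example.com bob@example.com carol@example.com; do
    printf '%s: %s\n' "$who" "$(check_signer "$demo" "$who" "$KEY")"
done
rm -f "$demo"
```

Against a real setup, pass ~/.ssh/allowed_signers, "$(git config user.email)" and "$(git config user.signingkey)" as the three arguments.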

Registering Public Keys to GitLab and GitHub

At this point, GitLab/GitHub have no way of knowing your SSH keys. Let's register them.
While logged into each site, register your keys:

  • GitLab: User Settings > Access > SSH Keys
  • GitHub: Settings > SSH and GPG Keys > New SSH Key

When adding a key to GitHub, you need to select whether the key is for authentication (ssh git@github.com) or for Git signing. I created and added two different keys, one for each purpose.

[Image: SSH keys registered on GitLab]
[Image: SSH keys registered on GitHub]

Now, you can use these SSH Keys when running git clone and similar commands.

Try connecting to test it out:

# GitLab.com
ssh -T git@gitlab.com
# Welcome to GitLab, @<your-username>!

# GitHub
ssh -T git@github.com
# Hi <your-name>! You've successfully authenticated, but GitHub does not provide shell access.

You should receive a friendly response like the above. Success!

Closing👋

Now, the preparation for SSH connections and commit signing using Bitwarden is complete. If you have configured Git to sign commits by default, all future commits created on your machine will be signed automatically.

When you push signed commits to GitLab/GitHub, a "verified" mark will be displayed, as shown in the images, indicating that the commit signature is verified.
[Image: Verified mark displayed on GitLab]
[Image: Verified mark displayed on GitHub]

I hope you all enjoy a comfortable "key" life.

Bonus🍽️

Since just text can be a bit lonely, I will add a photo of a brunch from one day.
[Image: Brunch on one day]
My life in America is coming to an end soon. I feel a bit sad.
See you again.

Saito Kigoshi (2026/05/13; Provided with CC-BY 4.0)
