1Password SSH Key Migration Guide¶

Date: 2026-02-16 Status: Ready to execute

Overview¶

Migrate SSH keys from ~/.ssh/ to 1Password for centralized management and Touch ID approval on each use.

Benefits:

🔒 Touch ID approval for every SSH connection
🗂️ Centralized key management
🔐 Keys encrypted in 1Password (not plaintext on disk)
✅ SSH agent already configured in .ssh/config

Current SSH Keys¶

Key File	Purpose	Action
`id_ed25519`	Main SSH key (GitHub, servers)	Import to 1Password
`docker`	Docker-specific operations	Import to 1Password
`gitlab_mirror_key`	GitLab mirroring	Import to 1Password
`gitlab_mirror_key_rsa`	GitLab mirroring (RSA)	Import to 1Password
`google_compute_engine`	GCP compute SSH	Import to 1Password

Step 1: Enable SSH Agent in 1Password¶

Open 1Password app
Go to Settings → Developer
Click Set Up SSH Agent
✅ Enable "Display SSH key names when authorizing"
Click Done

Verify: Socket should exist at ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock (already exists ✓)

Step 2: Import SSH Keys¶

Import via 1Password App (Recommended)¶

Open 1Password app
Click + New Item
Select SSH Key
Fill in details:
Title: SSH Key - id_ed25519 (or descriptive name)
Private Key: Click "Choose File" → Select ~/.ssh/id_ed25519
Public Key: Auto-filled or select ~/.ssh/id_ed25519.pub
Tags: Add scandora.net, infrastructure
Notes: Document what this key is for
Click Save
Repeat for each key

Keys to import:

~/.ssh/id_ed25519 → Title: "SSH Key - Main (Ed25519)"
~/.ssh/docker → Title: "SSH Key - Docker"
~/.ssh/gitlab_mirror_key → Title: "SSH Key - GitLab Mirror (Ed25519)"
~/.ssh/gitlab_mirror_key_rsa → Title: "SSH Key - GitLab Mirror (RSA)"
~/.ssh/google_compute_engine → Title: "SSH Key - GCP Compute"

Import via CLI (Alternative)¶

# Example for main key
op item create --category="SSH Key" \
  --title="SSH Key - Main (Ed25519)" \
  --vault="Lisa & Joe" \
  private_key[file]=~/.ssh/id_ed25519 \
  public_key[file]=~/.ssh/id_ed25519.pub

# Repeat for other keys

Step 3: Configure Git Commit Signing (Optional)¶

If you want to sign Git commits with SSH:

In 1Password, find your main SSH key item
Click Configure → Use for Git Commit Signing
1Password will update your Git config automatically

Step 4: Test SSH Agent¶

Test 1: List Keys in Agent¶

ssh-add -l

Expected output: Should show your imported keys (fingerprints)

Test 2: GitHub SSH¶

ssh -T git@github.com

Expected behavior:

1Password Touch ID prompt appears
Approve with fingerprint
Output: "Hi scandora! You've successfully authenticated..."

Test 3: Connect to Cloud Instance¶

ssh pluto

Expected behavior:

Touch ID prompt for key approval
Connection succeeds without password

Step 5: Secure Cleanup (After Verification)¶

ONLY after confirming SSH agent works:

# Backup keys first (just in case)
cd ~/.ssh
tar -czf ~/ssh-keys-backup-$(date +%Y%m%d).tar.gz id_ed25519* docker* gitlab_mirror_key* google_compute_engine*

# Verify backup
tar -tzf ~/ssh-keys-backup-*.tar.gz

# Remove private keys from disk (keep .pub files for reference)
rm id_ed25519 docker gitlab_mirror_key gitlab_mirror_key_rsa google_compute_engine

# Optional: Remove .pub files too (1Password has them)
# rm id_ed25519.pub docker.pub gitlab_mirror_key.pub gitlab_mirror_key_rsa.pub google_compute_engine.pub

IMPORTANT: Test thoroughly before deleting keys!

Step 6: Update GitHub to Exclude Key File¶

Edit ~/.ssh/config:

 Host github.com
   AddKeysToAgent yes
   UseKeychain yes
-  IdentityFile ~/.ssh/id_ed25519
+  # IdentityFile managed by 1Password SSH agent

Why: 1Password agent will provide the key automatically.

Troubleshooting¶

"The agent has no identities"¶

Cause: Keys not imported to 1Password yet Fix: Complete Step 2 above

"Permission denied (publickey)"¶

Cause: Key not approved or wrong key used Fix: Check Touch ID prompt, verify key is in 1Password

"Could not open a connection to your authentication agent"¶

Cause: SSH_AUTH_SOCK not set or 1Password agent not running Fix: Check .ssh/config has IdentityAgent line, restart 1Password app

Touch ID prompt doesn't appear¶

Cause: 1Password locked or SSH agent not enabled Fix: Unlock 1Password, verify Settings → Developer → SSH Agent is enabled

Rollback Plan¶

If something breaks:

# Restore keys from backup
cd ~/.ssh
tar -xzf ~/ssh-keys-backup-YYYYMMDD.tar.gz

# Disable 1Password SSH agent
# Edit ~/.ssh/config and comment out IdentityAgent line

References¶

1Password SSH documentation: https://developer.1password.com/docs/ssh/
Project context: CLAUDE.md section on SSH access
SSH config: ~/.ssh/config (line 59)

Status: Ready to execute - follow steps above in order