You can secure your SSH keys and configure an authentication agent so that you won't have to reenter your passphrase every time you use your SSH keys.

With SSH keys, if someone gains access to your computer, they also gain access to every system that uses that key. To add an extra layer of security, you can add a passphrase to your SSH key. You can use ssh-agent to securely save your passphrase so you don't have to reenter it.

Adding or changing a passphrase

You can change the passphrase for an existing private key without regenerating the keypair by typing the following command:

ssh-keygen -p
# Start the passphrase change process
Enter file in which the key is (/Users/you/.ssh/id_rsa): [Hit enter]
Key has comment '/Users/you/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): [Type new passphrase]
Enter same passphrase again: [One more time for luck]
Your identification has been saved with the new passphrase.

If your key already has a passphrase, you will be prompted to enter it before you can change to a new passphrase.
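To find keys that still have no passphrase, you can read the header of each private key file, which records whether the key is encrypted. The script below is an added example, not part of the original article; the function names key_protection and audit_keys and the file name audit-keys.sh are hypothetical.

```bash
# Print "encrypted", "unencrypted" or "unknown" for one private key file.
# Only the file's header is read; no passphrase is needed or tested.
key_protection () {
    local file="$1" first body
    first=$(head -n 1 "$file" 2>/dev/null | tr -d '\r')
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # The base64 body encodes "openssh-key-v1\0" and then the cipher
            # name; a key saved without a passphrase has the cipher "none".
            body=$(sed -n '2p' "$file")
            case $body in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unencrypted ;;
                b3BlbnNzaC1rZXktdjEA*)             echo encrypted ;;
                *)                                 echo unknown ;;
            esac ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;
        "-----BEGIN PRIVATE KEY-----")           echo unencrypted ;;
        "-----BEGIN "*" PRIVATE KEY-----")
            # Legacy PEM (RSA/DSA/EC): protected keys carry a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                echo encrypted
            else
                echo unencrypted
            fi ;;
        *) echo unknown ;;
    esac
}

# Print the state of every private key in a directory; the return status is
# non-zero when at least one key has no passphrase.
audit_keys () {
    local dir="$1" f state rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        [ "$state" = unknown ] && continue   # .pub files, config, known_hosts
        printf '%-12s %s\n' "$state" "$f"
        [ "$state" = unencrypted ] && rc=1
    done
    return "$rc"
}

# Run only when a directory is given, for example: bash audit-keys.sh ~/.ssh
if [ "$#" -gt 0 ]; then audit_keys "$1"; fi
```

Any key reported as unencrypted can be given a passphrase with ssh-keygen -p as shown above.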

Auto-launching ssh-agent on Git for Windows

If you're using Git Shell that's installed with GitHub Desktop, you don't need to follow these steps. GitHub Desktop automatically launches ssh-agent for you.

Otherwise, follow these steps to run ssh-agent automatically when you open bash or Git shell. Copy the following lines and paste them into your ~/.profile or ~/.bashrc file in Git shell:

# File where the running agent's environment variables are saved
env=~/.ssh/agent.env
agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }
agent_start () {
    (umask 077; ssh-agent >| "$env")
    . "$env" >| /dev/null ; }
# Pick up an agent started by an earlier shell, if there is one
agent_load_env
# agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2= agent not running
agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)
if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
    agent_start
    ssh-add
elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
    ssh-add
fi
unset env

If your private key is not stored in one of the default locations (~/.ssh/id_rsa or ~/.ssh/id_dsa), you'll need to tell your SSH authentication agent where to find it. To add your key to ssh-agent, type ssh-add ~/path/to/my_key. For more information, see "Generating a new SSH key and adding it to the ssh-agent".

Tip: If you want ssh-agent to forget your key after some time, you can configure it to do so by running ssh-add -t <seconds>.

Now, when you first run Git Bash, you are prompted for your passphrase:

Initializing new SSH agent...
Enter passphrase for /c/Users/you/.ssh/id_rsa:
Identity added: /c/Users/you/.ssh/id_rsa (/c/Users/you/.ssh/id_rsa)
Welcome to Git (version
Run 'git help git' to display the help index.
Run 'git help <command>' to display help for specific commands.

The ssh-agent process will continue to run until you log out, shut down your computer, or kill the process.

Saving your passphrase in the keychain

On OS X Leopard through OS X El Capitan, these default private key files are handled automatically:

  • .ssh/id_rsa
  • .ssh/id_dsa
  • .ssh/identity

The first time you use your key, you will be prompted to enter your passphrase. If you choose to save the passphrase with your keychain, you won't have to enter it again.

If you have a private key with a different name, or if you're using macOS Sierra and later, you can add your key to the agent and store your passphrase in the keychain by typing ssh-add -K path/to/my_key. Use the default macOS ssh-add command, and not one installed by macports, homebrew, or some other external source.

On Sierra 10.12.2 and later, you may need to modify your ~/.ssh/config file to allow keys to be automatically loaded into ssh-agent and stored in your keychain.

Host *
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_rsa