Vaultwarden SSH Keys and Agent
Recently Bitwarden added experimental support for storing SSH keys and for an SSH agent. The support is now available in Vaultwarden, which is a self-hosted, Bitwarden-compatible server. This is my favorite password manager and I have been using it for a while now. I was happy with this, as this is the last thing that makes me still use 1Password and pay the $36 annual fee. So I decided to give it a try.
First, because it is an experimental feature, you need to enable it via an environment variable in the server configuration. If you are using Docker, you can add the following environment variable to the docker-compose.yml file. The environment variable for experimental features is EXPERIMENTAL_CLIENT_FEATURE_FLAGS. There are actually two features: the first is ssh-key-vault-item, which allows you to store SSH keys in the vault (it adds an SSH key type to the vault item types). The second is ssh-agent, which allows you to use the SSH agent to authenticate with the SSH keys stored in the vault.
EXPERIMENTAL_CLIENT_FEATURE_FLAGS=ssh-key-vault-item,ssh-agent
Then you will need to restart the server, which is standard, and don't forget to pull the latest image.
docker compose pull && docker compose down && docker compose up -d
Now, this is still not available on all clients. The new features are available on desktop clients. I tried on both Linux and Mac and it works. I'm not sure if the Windows client is supported yet, but that's because I don't use Windows.
Now you will need to go to the desktop client and enable the SSH client, which you can find in the app settings. Now we can find a new item type called SSH Key, like in the screenshot below.
It seems to work exactly like 1Password, where you can add a new SSH key and it will be stored in the vault. You can also add a passphrase to the key, and you can use the SSH agent to authenticate with the key. It will prompt you for the passphrase if you added one. You will need both the Vaultwarden desktop client and the SSH agent running.
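One way to confirm the agent is really there and serving keys before you rely on it (an added example, not part of the original post or of the Bitwarden/Vaultwarden projects). The function names are hypothetical, and the socket path is not given here because it depends on how the desktop client was installed: pass it as an argument or export it as SSH_AUTH_SOCK.

```shell
#!/usr/bin/env bash
# Added example: verify an SSH agent socket before relying on it.
# Source this file, then run:
#   agent_status /path/to/agent.sock     # or rely on $SSH_AUTH_SOCK

# Connecting to a Unix socket needs write permission on it, so a socket is
# private to its owner when neither group nor other has the write bit.
mode_is_private() {
    case "$1" in
        *[0145][0145]|[0145]) return 0 ;;   # group/other digits lack the 2 bit
        *) return 1 ;;
    esac
}

# 0 = ok, 1 = unset or missing, 2 = not a socket, 3 = not ours, 4 = too open
check_agent_socket() {
    sock="${1:-${SSH_AUTH_SOCK:-}}"
    [ -n "$sock" ] && [ -e "$sock" ] || return 1
    [ -S "$sock" ] || return 2
    [ -O "$sock" ] || return 3
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$sock" 2>/dev/null || stat -f '%Lp' "$sock")
    mode_is_private "$mode" || return 4
    return 0
}

# Run the socket checks, then ask the agent which keys it offers.
agent_status() {
    sock="${1:-${SSH_AUTH_SOCK:-}}"
    check_agent_socket "$sock" || {
        rc=$?
        echo "socket check failed (code $rc)" >&2
        return "$rc"
    }
    SSH_AUTH_SOCK="$sock" ssh-add -l
    case $? in
        0) return 0 ;;   # at least one key is listed
        1) echo "agent reachable but it lists no keys" >&2; return 5 ;;
        *) echo "cannot contact the agent; is the desktop client running?" >&2
           return 6 ;;
    esac
}
```

A return code of 3 or 4 means another local account owns the socket or could connect to it, which is worth fixing before any key is served through it.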
Now I can save the $36 annual fee and use Vaultwarden for everything. I'm happy with this feature and I hope that they add the SSH key type to the web client soon. I'm not sure about Bitwarden support on their hosted version, though, but I think it is a matter of time before this is polished and available everywhere.