[bitwarden-ssh-intro.webp]

I’ve been using Bitwarden as my password manager for a couple of years now because it’s reliable, open-source, easy to use across multiple devices, and secure.

Recently, I discovered that Bitwarden added SSH agent functionality and wanted to try it out. This post walks through setting up and using Bitwarden’s SSH agent on Linux.



Why Use Bitwarden as an SSH Agent?

You might be wondering: why use Bitwarden for SSH when traditional SSH key management works fine?

First, having your SSH keys in the same secure vault as your passwords means everything is encrypted, backed up, and synced across devices automatically.

Second, Bitwarden can prompt you for authorization before allowing an SSH connection, adding an extra layer of security beyond a simple passphrase-protected key file.

Finally, if you already use Bitwarden across multiple machines, this centralizes your key management into a service that you already use, which is pretty good tbh.



How Bitwarden SSH Agent Works

The Bitwarden SSH agent setup consists of three main components:

  • Bitwarden Desktop App: Acts as the SSH agent and stores your keys.
  • SSH Agent Socket: Unix domain socket that handles communication between SSH clients and Bitwarden.
  • Remote SSH Servers: Target systems configured for public key authentication.

When you attempt an SSH connection, the SSH client communicates with Bitwarden through the socket. Bitwarden can prompt you for authorization (depending on your settings) and then uses the private key to complete the authentication.



Setting Up the Client

Install Bitwarden Desktop

You can install Bitwarden from a Flatpak or build it from source. I went with the Flatpak version:

# Install from Flathub
flatpak install flathub com.bitwarden.desktop

For other installation methods, check the official documentation.


Enable the SSH Agent

Once installed, you need to enable the SSH agent feature:

  1. Open the Bitwarden desktop app
  2. Navigate to File → Settings
  3. Check the Enable SSH-Agent option

[bitwarden-enable-ssh-agent.webp]


Configure the SSH Agent Socket

The SSH client needs to know where to find Bitwarden’s SSH agent socket. First, locate the socket file:

# Find the location of the Bitwarden socket
find / -name "*bitwarden*" -type s 2>/dev/null

# Alternative method using ss
ss -xl | grep bitwarden

For a Flatpak installation, the socket is typically located at:

/home/<username>/.var/app/com.bitwarden.desktop/data/.bitwarden-ssh-agent.sock

Set the SSH_AUTH_SOCK environment variable to point to this socket:

# Syntax
export SSH_AUTH_SOCK=<bitwarden_socket_path>

# For the current user "userx"
export SSH_AUTH_SOCK=/home/userx/.var/app/com.bitwarden.desktop/data/.bitwarden-ssh-agent.sock

# Verify the socket is accessible
echo "$SSH_AUTH_SOCK" && test -S "$SSH_AUTH_SOCK" && echo "Socket accessible" || echo "Socket unavailable"

To make this persistent across reboots, add the export command to your ~/.bashrc (or even better, to ~/.bashrc.d/):

# Add to ~/.bashrc
echo 'export SSH_AUTH_SOCK=/home/userx/.var/app/com.bitwarden.desktop/data/.bitwarden-ssh-agent.sock' >> ~/.bashrc

# Reload your shell configuration
source ~/.bashrc

Also, you can configure this through systemd if you prefer it that way.
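
The export above trusts whatever sits at that path. As an added example (not part of the original post), the script below checks that the path is a Unix socket owned by you and not writable by group or others, then appends the export line only if it is not already there. The function names check_agent_socket and persist_auth_sock are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Succeeds only if $1 is a Unix socket owned by the current user and not
# writable by group or others (write permission is what allows connecting).
check_agent_socket() {
    [ -S "$1" ] || { echo "not a socket: $1" >&2; return 1; }
    [ -O "$1" ] || { echo "not owned by current user: $1" >&2; return 1; }
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "writable by group or others: $1" >&2
        return 1
    fi
}

# Appends the export line for socket $1 to rc file $2 unless that exact line
# is already present, so repeated runs do not pile up duplicates.
persist_auth_sock() {
    line="export SSH_AUTH_SOCK=\"$1\""
    grep -qxF "$line" "$2" 2>/dev/null || printf '%s\n' "$line" >> "$2"
}

# Flatpak location from the post, built from $HOME instead of a fixed user.
sock="$HOME/.var/app/com.bitwarden.desktop/data/.bitwarden-ssh-agent.sock"
if check_agent_socket "$sock"; then
    persist_auth_sock "$sock" "$HOME/.bashrc"
    echo "SSH_AUTH_SOCK persisted for $sock"
fi
```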



Configuring the Server

Enable Public Key Authentication

Edit /etc/ssh/sshd_config on the remote server to ensure SSH is configured to accept key-based authentication.

# Contents of "/etc/ssh/sshd_config"
# Enable public key authentication
PubkeyAuthentication yes

# Specify where authorized keys are stored
AuthorizedKeysFile .ssh/authorized_keys

# Optionally disable password authentication for better security
PasswordAuthentication no

# Require public key authentication
AuthenticationMethods publickey

Restart the SSH service to apply changes:

sudo systemctl restart sshd.service
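
Editing the file does not guarantee the values take effect: sshd uses the first value it obtains for each keyword, so a drop-in pulled in by an Include directive can take precedence. The added example below (not part of the original post) audits the effective settings printed by `sshd -T` against the values set above; the function names and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.
# Audits the output of `sshd -T` (effective settings, lowercase keywords)
# against the values this post sets in /etc/ssh/sshd_config.

audit_sshd() {
    awk '
        BEGIN {
            want["pubkeyauthentication"]   = "yes"
            want["passwordauthentication"] = "no"
            want["authenticationmethods"]  = "publickey"
        }
        { key = tolower($1) }
        (key in want) && !(key in seen) {
            seen[key] = 1
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # strip the keyword
            if (val != want[key]) {
                printf "MISMATCH %s: got \"%s\", want \"%s\"\n", key, val, want[key]
                bad++
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s\n", k; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: password logins still allowed, any method accepted.
sample_default() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'authenticationmethods any'
}

# Constructed sample: the settings from this post in effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'authenticationmethods publickey'
}

sample_hardened | audit_sshd && echo "hardened sample: OK"
sample_default  | audit_sshd || echo "default sample: needs changes"

# Real use on the server (needs root): sudo sshd -T | audit_sshd
```

Running `sudo sshd -t` before the restart catches syntax errors in the file, which matters on a host you can only reach over SSH.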

Add Your Public Key

Now you need to add your Bitwarden SSH public key to the remote server’s ~/.ssh/authorized_keys file.

First, create your SSH key in Bitwarden (see next section), then copy the public key to the server:

# Create the authorized_keys file if it doesn't exist
mkdir -p ~/.ssh
chmod 700 ~/.ssh
vim ~/.ssh/authorized_keys

# Add your public key in the editor (one key per line)
# Example line to paste into the file:
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNYy0VLWLYvL4PVd4y1TmG bitwarden-key

# Set proper permissions
chmod 600 ~/.ssh/authorized_keys


Working with SSH Keys in Bitwarden

Create an SSH Key Pair

Generate your SSH keys directly within the Bitwarden desktop app (official documentation):

  1. Open the Bitwarden desktop app.
  2. Go to My vault → SSH key (in the left menu).
  3. Click Add item (+ icon) → SSH key.
  4. Configure your key settings and generate.

[bitwarden-create-ssh-key.webp]


Verify SSH Keys Are Loaded

With your Bitwarden vault unlocked, you can list all available SSH keys:

# List public keys from Bitwarden SSH-agent
ssh-add -L

# Example output:
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNYy04y1TmG my-server-key

Connect to Remote SSH Servers

Once everything is configured, connecting is straightforward.

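  • This works only when connecting to remote machines (servers) whose ~/.ssh/authorized_keys file contains an entry for the SSH public key created in Bitwarden.
  • -A: Enables SSH agent forwarding for the connection, so the SSH key can be used for further connections made from the remote machine. Forward the agent only to hosts you trust: while you are connected, anyone on that host who can access the forwarded agent socket can use your keys to authenticate, although they cannot extract them.

# Basic SSH connection
ssh <user>@<server>

# With agent forwarding enabled
ssh -A <user>@<server>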

If you’ve configured Bitwarden to prompt for authorization, you’ll see a notification from the desktop app when an SSH connection attempts to use your keys.
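
An added example (not part of the original post) for checking the first requirement above: it compares the key type and key data printed by `ssh-add -L` with the entries in an authorized_keys file, ignoring key comments and per-key options. The function names and all key material are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions
# and all key material below is constructed (not real keys).

# Reads public key lines on stdin and prints "type data" for each, dropping
# comment lines, blank lines, key comments and leading per-key options.
key_blobs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); next }
        }'
}

# Usage: ssh-add -L | agent_key_authorized /path/to/authorized_keys
# Returns 0 if at least one key offered on stdin is listed in the file.
agent_key_authorized() {
    offered=$(key_blobs)
    [ -n "$offered" ] || return 1
    key_blobs < "$1" | grep -qxF -e "$offered"
}

# Constructed authorized_keys content: the second entry carries an option
# prefix and a different comment than the agent shows for the same key.
sample_authorized_keys() {
    cat <<'EOF'
# keys allowed to log in
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyKeyB old-laptop
from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyKeyA bitwarden-key
EOF
}

# Constructed `ssh-add -L` output for one key held by the agent.
sample_agent_keys() {
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyKeyA my-server-key'
}

ak=$(mktemp)
sample_authorized_keys > "$ak"
if sample_agent_keys | agent_key_authorized "$ak"; then
    echo "agent key is present in authorized_keys"
else
    echo "no agent key found in authorized_keys"
fi
rm -f "$ak"
```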



Final Thoughts

After using the Bitwarden SSH agent for a couple of days, I can say it works well, it’s easy to set up, and is user friendly. However, I don’t like the dependency on the desktop application. Why can’t I just use the CLI or something less heavy?

I appreciate Bitwarden’s team for the feature, and it is a good one for sure. I’ll keep an eye on future updates, as they provide a great solution and are a reliable team :).