Encrypt and decrypt secrets using your SSH agent — no plaintext, no extra key management.
Inspired by node-ssh-agent and ssh-crypt.bash
ssh-agent-secrets lets you encrypt and decrypt secrets using your existing SSH agent.
- No `.env` files
- No plaintext secrets
- No additional key management
A seed is used to generate the secret. It's recommended that you don't use the same seed everywhere.
- 🔐 SSH-based
- 🧩 Minimal and portable
- 🔨 Node library included to decrypt secrets on-the-fly in your code
- 📦 Safe to store encrypted secrets in Git
- `node:stream` compatible
- 👥 Works with existing SSH agent workflows like 1Password or Bitwarden
- ECDSA keys can't be used: they always give different signatures
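
The seed and ECDSA notes above, as an added example that is not the project's own code: it assumes the symmetric key is a hash of a signature over the seed (the page does not spell out the derivation), uses AES-256-GCM as a stand-in cipher, and signs with locally generated key pairs instead of an SSH agent. All function names are hypothetical.

```javascript
// Added example: why the signing key must give the same signature every time.
// Assumptions: key = SHA-256(signature over seed), AES-256-GCM as the cipher,
// local key pairs standing in for keys held by an SSH agent.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto') // when loaded as an ES module

// Derive a 32-byte key from a signature over the seed.
// digest is null for Ed25519 and a hash name (e.g. 'sha256') for ECDSA.
function deriveKey(privateKey, seed, digest) {
  const signature = crypto.sign(digest, Buffer.from(seed, 'utf8'), privateKey)
  return crypto.createHash('sha256').update(signature).digest()
}

// Output layout: 12-byte IV | 16-byte GCM tag | ciphertext.
function encrypt(privateKey, seed, plaintext, digest = null) {
  const iv = crypto.randomBytes(12)
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(privateKey, seed, digest), iv)
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()])
  return Buffer.concat([iv, cipher.getAuthTag(), body])
}

function decrypt(privateKey, seed, blob, digest = null) {
  const key = deriveKey(privateKey, seed, digest)
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12))
  decipher.setAuthTag(blob.subarray(12, 28))
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()])
}

// True when data encrypted with `seed` decrypts again with `decryptSeed`.
function roundTrips(privateKey, seed, digest = null, decryptSeed = seed) {
  const message = 'Lorem ipsum dolor' // constructed sample plaintext
  try {
    const blob = encrypt(privateKey, seed, Buffer.from(message, 'utf8'), digest)
    return decrypt(privateKey, decryptSeed, blob, digest).toString('utf8') === message
  } catch {
    return false // GCM tag check failed: the two derived keys differed
  }
}

const ed25519 = crypto.generateKeyPairSync('ed25519').privateKey
const ecdsa = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).privateKey

console.log('ed25519, same seed :', roundTrips(ed25519, 'seed-a'))
console.log('ed25519, other seed:', roundTrips(ed25519, 'seed-a', null, 'seed-b'))
console.log('ecdsa, same seed   :', roundTrips(ecdsa, 'seed-a', 'sha256'))
```

Ed25519 signatures are deterministic, so the same key and seed always rebuild the same secret; the randomized ECDSA signature yields a different derived key on every call, so decryption cannot succeed.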
```sh
npx ssh-agent-secrets --help
```

```
Usage: ssh-crypt [options] <command>

Encrypt/Decrypt a file with your ssh-agent private key

Arguments:
  command                       action (choices: "encrypt", "decrypt")

Options:
  -i, --input <path>            input path (default to stdin)
  --encryptEncoding <encoding>  encrypt output encoding (choices: "hex",
                                "base64")
  -o, --output <path>           output path (default to stdout)
  --decryptEncoding <encoding>  decrypt input encoding (choices: "hex",
                                "base64")
  -k, --key <string>            select the first matching pubkey in the
                                ssh-agent
  -s, --seed <string>           is used to generate the secret
  -h, --help                    display help for command
```
```sh
npm i ssh-agent-secrets
```

```js
import { SSHAgentClient } from 'ssh-agent-secrets'

const agent = new SSHAgentClient()

// List the identities the SSH agent currently holds
const identities = await agent.getIdentities()
console.log(identities)

// Look up the identity matching 'AWS'
const identity = await agent.getIdentity('AWS')

// Encrypt a buffer; the seed is not itself a secret
const encrypted = await agent.encrypt(
  identity,
  'not_a_secret_but_a_seed',
  Buffer.from('Lorem ipsum dolor', 'utf8'),
  'hex',
)
console.log('Encrypted data:', encrypted)

// Decrypt with the same identity, seed and encoding
const decrypted = await agent.decrypt(
  identity,
  'not_a_secret_but_a_seed',
  encrypted,
  'hex',
)
console.log('Decrypted data:', decrypted.toString('utf8'))
```