Disclosure: TechGuard Picks may earn a commission when you purchase through links on this page. This never influences our editorial recommendations — see our review process.

How to Store SSH Keys Securely in Keeper Password Manager (2026 Guide)

To store SSH keys securely in Keeper Password Manager, create a new custom record, attach your private key file as an encrypted attachment, store the public key and passphrase in dedicated custom fields, and protect the vault with a hardware MFA key or TOTP. Keeper encrypts all record data with AES-256-GCM and derives your master key using PBKDF2-SHA256, meaning your private key never leaves your device in plaintext.


What You'll Need Before You Start

  • Keeper account — Personal plan ($2.92/user/mo, billed annually) or Business plan ($4.99/user/mo/seat, billed annually, 5-seat minimum). The free tier does not support file attachments; you need at least the Personal plan.
  • Keeper desktop app or browser extension — version 16.x or later (macOS 13+, Windows 10/11, Linux via AppImage or Snap)
  • Keeper mobile app (optional, iOS 16+ or Android 12+) for vault access on the go
  • An existing SSH key pair — generated via ssh-keygen (OpenSSH 8.x or later recommended). If you don't have one yet, Step 1 covers generation.
  • MFA method ready — TOTP app (Authy, Google Authenticator), FIDO2/WebAuthn hardware key (YubiKey 5 series), or Keeper's own push-based DNA (Device Notice Approval)
  • Keeper desktop app downloaded from keepersecurity.com — browser-only vault works, but file attachment upload is more reliable in the desktop app

Step 1 — Generate Your SSH Key Pair (Skip If You Already Have One)

Open a terminal and run:


ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/my_keeper_key

When prompted for a passphrase, use one — 16+ characters. This is the passphrase you will store in Keeper. Ed25519 is preferred over RSA-4096 for new keys in 2026 because it produces shorter keys with equivalent security; however, RSA-4096 remains acceptable if your target server requires it.

Expected output:


Your identification has been saved in /home/user/.ssh/my_keeper_key
Your public key has been saved in /home/user/.ssh/my_keeper_key.pub
The key fingerprint is: SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxx [email protected]

Common gotcha: If you skip the passphrase, Keeper can still store the private key file, but an unencrypted private key is a single point of failure. Always use a passphrase so that even if the vault record is somehow accessed, the raw key file is still protected.


Step 2 — Log In to Keeper and Enable MFA Before Storing Anything

Navigate to app.keepersecurity.com or open the desktop app. Before you store a single sensitive record:

  1. Click your account avatar → SettingsTwo-Factor Authentication
  2. Choose one of: TOTP (scan the QR code with Authy or Google Authenticator), Security Key (FIDO2/WebAuthn — YubiKey, Titan key), or Keeper DNA (push approval to a paired mobile device). SMS is available but not recommended for SSH key storage; use TOTP or hardware minimum.
  3. Confirm the method is active — Keeper will prompt you to verify it on next login.

Why this step comes first: Keeper's zero-knowledge encryption (AES-256-GCM at the record level, PBKDF2-SHA256 for key derivation) means no one at Keeper can read your vault. But account takeover via stolen master password bypasses all of that. MFA is the actual perimeter for SSH keys stored here.


Step 3 — Create a New Custom SSH Key Record

In the Keeper vault:

  1. Click the + (New Record) button in the top-left panel
  2. Select Login as the record type (Keeper Business and Enterprise users can create a fully custom record type via the Admin Console — see the gotcha below)
  3. Name it clearly: e.g., SSH - Production Web Server (ed25519)
  4. In the Password field, paste your SSH key passphrase (not the key itself)
  5. In the Username field, enter the remote username (e.g., ubuntu, deploy)
  6. In the URL/Website field, enter the server address: ssh://192.168.1.100 or ssh://prod.example.com

Common gotcha: Keeper Business ($4.99/user/mo) and Enterprise (starting at $5.99/user/mo — public pricing for the Business+ tier; full Enterprise requires a sales quote) offer custom record types in the Admin Console. If you have that access, create a record type with dedicated fields: Private Key File, Public Key, Passphrase, Key Algorithm, Server Hostname. This is cleaner than shoehorning everything into a Login record.


Step 4 — Add Custom Fields for the Public Key

Still inside the record editor:

  1. Scroll to the bottom of the record form and click + Add Field
  2. Choose Text → label it Public Key
  3. Open your terminal and copy the public key:

cat ~/.ssh/my_keeper_key.pub
  1. Paste the entire output (ssh-ed25519 [email protected]) into the Public Key field
  2. Optionally add another Text field labeled Key Fingerprint and paste the SHA256 fingerprint from Step 1

Why store the public key? When you provision a new server, you need the public key to append to ~/.ssh/authorized_keys. Having it in Keeper alongside the private key means you don't have to reconstruct it from the private key file — and you can share the public key record with a teammate without exposing the private key.


Step 5 — Attach the Private Key File as an Encrypted Attachment

This is the most security-critical step:

  1. Inside the record editor, click the paperclip icon (Attach File) or the Files tab
  2. Click Upload File
  3. Navigate to ~/.ssh/my_keeper_key (the private key — no .pub extension)
  4. Click Open/Upload

Keeper encrypts the file with AES-256-GCM before it leaves your device. The encrypted blob is stored on Keeper's servers; the decryption key exists only in your vault, derived from your master password.

  1. Click Save to commit the entire record

Common gotcha: Do not upload the private key as a note or paste it into a text field. Text fields in most password managers are less strictly type-checked, and some browser extensions may log field contents in debug modes. Use the file attachment specifically — it goes through a separate encrypted-file pipeline in Keeper.

Common gotcha: On Linux, the SSH private key file permissions must be 600. After downloading from Keeper on a new machine:


chmod 600 ~/Downloads/my_keeper_key
mv ~/Downloads/my_keeper_key ~/.ssh/

Step 6 — Organize with Folders and Share Securely (Teams)

  1. In the Keeper vault sidebar, create a folder: +New Folder → name it SSH Keys - Production
  2. Drag your new record into that folder
  3. If you're on Keeper Business, you can share this folder with specific team members via Share Folder — they will receive access to the public key and passphrase but you can set per-user permissions to View Only (prevents editing or re-sharing)

For team sharing, never share a record that contains the private key attachment with anyone who doesn't need it. The public key record and the private key record can be separated into two linked records for this reason.


Verification — Confirm Everything Is Stored Correctly

After saving, re-open the record and verify all five of the following:

  1. Record name is descriptive (server, key type, environment)
  2. Password field contains the passphrase — click the eye icon to reveal and confirm it matches what you set in Step 1
  3. Public Key custom field shows the full ssh-ed25519 AAAA... string
  4. File attachment is listed with the correct filename (my_keeper_key) and a non-zero file size (an ed25519 private key is typically ~400 bytes; RSA-4096 is ~3.3 KB)
  5. MFA is active — log out, log back in, and confirm you are challenged for your second factor

You should see a locked padlock icon next to the attachment and a "1 file" indicator on the record card in list view.


Recommended Tools for SSH Key Security

Keeper Security

Keeper Security is the right tool for this specific task because it combines zero-knowledge encrypted file attachments, custom record types (on Business plans), and granular folder-level sharing — the three things you actually need for SSH key management. It's not the cheapest option, but it's purpose-built for this kind of sensitive credential lifecycle.

Pricing (2026):

  • Personal: $2.92/user/mo, billed annually ($34.99/year)
  • Family: $6.25/mo for 5 users, billed annually
  • Business: $4.99/user/mo, billed annually, 5-seat minimum
  • Business+: $5.99/user/mo, billed annually, includes advanced reporting and compliance

Encryption: AES-256-GCM at the record level; PBKDF2-SHA256 for master password key derivation; RSA-2048 for record-key sharing between users.

MFA methods: TOTP, FIDO2/WebAuthn hardware keys (YubiKey 5, Titan), Keeper DNA (push), biometric (iOS/Android), SSO via SAML 2.0 on Business plans.

Audit: SOC 2 Type II (third-party audited); FedRAMP Authorized (US government cloud); ISO 27001 certified.

Jurisdiction: Headquartered in Chicago, Illinois, USA. US data stored on AWS US regions. GDPR-compliant EU data residency option available on Business plans.

Platforms: Windows 10/11, macOS 13+, Linux (AppImage, Snap), iOS 16+, Android 12+, Chrome, Firefox, Safari, Edge extensions.

Honest negative: Keeper's UI has more steps to create a custom record type than 1Password's item templates. If you're a solo developer and not on a Business plan, you're stuck with the generic Login record type for SSH keys — it works, but it's not as clean.

Try Keeper Security — best file-attachment handling for SSH private keys in a zero-knowledge vault.


1Password (Worth Knowing About)

1Password is worth mentioning because it has a dedicated SSH Key item type built into the vault — you don't have to improvise with custom fields. The SSH Agent integration (on macOS and Linux) lets 1Password act as your SSH agent directly, so you never export the private key to disk at all. That's a meaningful security upgrade for advanced users.

Pricing: Individual: $2.99/user/mo, billed annually. Teams Starter: $19.95/mo flat for up to 10 users, billed annually. Business: $7.99/user/mo, billed annually, no seat minimum.

Encryption: AES-256-GCM; PBKDF2-SHA256 (with a Secret Key added to the derivation — this is 1Password's unique architecture).

MFA methods: TOTP, FIDO2/WebAuthn hardware keys, biometric.

Audit: SOC 2 Type II (third-party audited, 2024); bug bounty program active on HackerOne.

Jurisdiction: Headquartered in Toronto, Ontario, Canada. Subject to PIPEDA and Canadian privacy law.

Platforms: Windows 10/11, macOS 13+, Linux (Debian/RPM/AppImage), iOS 16+, Android 12+, Chrome, Firefox, Safari, Edge, Brave extensions.

Honest negative: 1Password's SSH Agent feature requires the desktop app running in the background and a browser/shell configuration step that's not well-documented for Windows users. It also costs more per seat than Keeper on business plans.

Try 1Password — best choice if you want native SSH Agent integration and never want to touch a private key file directly.

For a broader comparison of both tools in an organizational context, our Best Enterprise Password Manager Review (2026) covers Keeper and 1Password side-by-side with pricing detail.


Troubleshooting

Issue 1: "File upload failed" when attaching the private key

Exact error: Upload failed. Please check your connection and try again.

Fix: This usually means the file size limit was exceeded (Keeper free tier has no file attachment support; Personal plan allows attachments up to 1 GB per file). Confirm you're on a paid plan. If you are, try the desktop app instead of the browser vault — browser extension uploads occasionally fail on large files or when an ad blocker intercepts the upload request.

Issue 2: Private key permissions error after downloading from Keeper

Exact error: Warning: Unprotected private key file! Permissions 0644 for '/home/user/.ssh/my_keeper_key' are too open.

Fix: Run chmod 600 ~/.ssh/my_keeper_key immediately after downloading. Keeper downloads files with default OS permissions; SSH requires 600 (owner read/write only).

Issue 3: MFA prompt not appearing after setup

Exact error: Vault opens without second-factor challenge.

Fix: Go to Settings → Two-Factor Authentication and confirm the method shows a green "Active" badge, not just "Configured." Keeper sometimes requires a full logout/login cycle to activate a newly enrolled TOTP or hardware key. If the badge shows active but no prompt appears, check whether your browser has Keeper listed as a trusted device — revoke trusted devices under Settings → Devices.

Issue 4: Custom record type not available

Exact error: No "Custom Record Type" option visible in the vault.

Fix: Custom record types require a Keeper Business or Business+ plan ($4.99–$5.99/user/mo) and must be created by an Admin in the Admin Console → Record Types. If you're on a Personal plan, use a Login record type with custom fields as described in Steps 3–4. This is a genuine plan-level limitation, not a bug.

Issue 5: Shared record shows attachment as unavailable to teammate

Exact error: Teammate sees File attachment unavailable on shared record.

Fix: Keeper file attachments respect the folder sharing permissions. If you shared the record with View Only permissions and the teammate is on a different Keeper plan tier, confirm their plan supports file attachment downloads. Also check that the share was set to Can Edit if they need to download the file — View Only prevents file downloads by design on Business plans.


FAQ

Is it safe to store SSH private keys in Keeper Password Manager?

Yes, storing SSH private keys in Keeper is safe when done correctly. Keeper uses AES-256-GCM encryption at the record level, meaning your private key file is encrypted before it leaves your device. Keeper's architecture is zero-knowledge — Keeper employees cannot read your vault contents. The critical requirement

Get our free password manager security comparison guide