Secure Your macOS SSH Keys with Keychain Integration (No More Passphrase Prompts)

This guide explains how macOS Keychain can store and automatically provide SSH key passphrases, combining strong encryption with seamless daily use by configuring the SSH client, adding the key to the agent, and updating the ~/.ssh/config file.

Ops Development & AI Practice

Problem: Security vs. Convenience

SSH keys should always be protected with a passphrase, but typing the passphrase for every connection (e.g., git push) is tedious, and an unencrypted key in ~/.ssh can be stolen and used immediately.

Solution: macOS Keychain Integration

macOS Keychain stores secrets securely, and the OpenSSH client shipped with macOS can retrieve SSH key passphrases from it, so keys can stay encrypted on disk without repeated prompts.

How It Works

1. Create an SSH key with a strong passphrase.

2. Tell the SSH client to store the passphrase in the Keychain.

3. On first use, macOS asks for the passphrase and offers to save it.

4. Future uses automatically retrieve the passphrase from the Keychain via the SSH agent.

The Keychain unlocks automatically when you log into your Mac and can be protected further with Touch ID or Apple Watch.

Setup Steps

1. Ensure you have a passphrase‑protected SSH key (create one if needed):

ssh-keygen -t ed25519 -C "[email protected]"

2. Add the key to the Keychain:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

3. Edit ~/.ssh/config to enable Keychain usage:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

The directives mean:

Host *: apply the settings to all hosts.

AddKeysToAgent yes: automatically add the key to ssh-agent.

UseKeychain yes: store and retrieve the passphrase from the Keychain.

IdentityFile ~/.ssh/id_ed25519: default key file.

After this configuration, the first ssh user@server will prompt for the passphrase and offer to save it; subsequent connections will use the stored passphrase without prompting.
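As an added check (example code, not part of the original guide), the following POSIX shell helpers verify the two properties this setup depends on: that a config file enables both AddKeysToAgent and UseKeychain in the global Host * scope, and that a private key really refuses to load without its passphrase. The function names are hypothetical, and the key check assumes ssh-keygen is on PATH.

```shell
#!/bin/sh
# check_keychain_config FILE
# Returns 0 when "AddKeysToAgent yes" and "UseKeychain yes" both appear in
# the global "Host *" scope (or before any Host line), 1 otherwise. Directives
# under a narrower Host or Match block do not count: they would leave other
# hosts without Keychain support. Keywords are case-insensitive and the
# "Key=Value" form is accepted, as in ssh_config(5).
check_keychain_config() {
    awk '
        BEGIN { scope = "*"; agent = 0; keychain = 0 }
        /^[[:space:]]*(#|$)/ { next }                    # skip comments, blanks
        { $0 = tolower($0); gsub(/=/, " "); key = $1; val = $2 }
        key == "host"  { scope = val; next }
        key == "match" { scope = "match"; next }          # Match blocks are not global
        scope != "*"   { next }
        key == "addkeystoagent" && val == "yes" { agent = 1 }
        key == "usekeychain"    && val == "yes" { keychain = 1 }
        END { if (agent && keychain) exit 0; exit 1 }
    ' "$1"
}

# key_is_encrypted KEYFILE
# Returns 0 when the key refuses to load with an empty passphrase (it is
# encrypted), 1 when it loads unprotected, 2 when the file is unreadable.
key_is_encrypted() {
    [ -r "$1" ] || { echo "cannot read key: $1" >&2; return 2; }
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        return 1    # public key derived with no passphrase: key is not encrypted
    fi
    return 0
}

# audit_ssh_setup CONFIG KEYFILE: report both checks; returns 0 only if both pass.
audit_ssh_setup() {
    rc=0
    if check_keychain_config "$1"; then
        echo "ok: $1 enables AddKeysToAgent and UseKeychain for Host *"
    else
        echo "FAIL: $1 lacks AddKeysToAgent yes / UseKeychain yes under Host *"; rc=1
    fi
    if key_is_encrypted "$2"; then
        echo "ok: $2 is passphrase-protected"
    else
        echo "FAIL: $2 loads without a passphrase"; rc=1
    fi
    return $rc
}
# Example: audit_ssh_setup ~/.ssh/config ~/.ssh/id_ed25519
```

Run the audit after completing the steps above; a FAIL on the key check means the file in ~/.ssh is usable by anyone who copies it, regardless of the Keychain configuration.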

Secure Workflow in Action

The diagram (not shown) illustrates the behind‑the‑scenes flow when connecting with the configured setup.

Conclusion

By combining a passphrase‑protected SSH key with macOS Keychain integration, developers and sysadmins get strong security without sacrificing convenience, keeping keys encrypted on disk while eliminating repetitive password prompts.

Written by

Ops Development & AI Practice

DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.
