Sign in Subscribe
4 min read

Secure SSH with 1Password and YubiKey: A Better Developer Experience

Johannes M. Schleicher

Johannes M. Schleicher

on

For our latest project, we had to raise the bar on SSH security. Passwordless logins weren’t enough. We needed hardware-backed keys, portable configuration, and shared access models that fit modern, secure software teams.

This wasn’t just a best-practice move — it was a requirement in the context of NIS and ISO 27001 compliance. Security policies demanded that private keys must not reside on developer machines and that access needs to be fully auditable and revocable.

The challenge: Apple’s built-in OpenSSH doesn’t support FIDO2. And we wanted to use a YubiKey.

That meant installing a modern OpenSSH manually — and rethinking how we manage SSH keys.

We had been using 1Password 7 primarily to share passwords across the team. Some developers also used it to store private keys manually — but there was no integration or automation. With the move to 1Password 8, we unlocked something much more powerful: fully integrated SSH key management, complete with hardware-backed security and vault-based sharing.

Why 1Password 8 and YubiKey Work So Well Together

SSH key management has always been a balance between security and usability. With 1Password 8, you can:

  • Store and share traditional private keys (not hardware-backed) securely
  • Store public SSH keys generated from your YubiKey in 1Password
  • Set strict sharing permissions on a per-key basis
  • Unlock keys via biometrics or your master password
  • Avoid storing private key files locally altogether

This model is ideal for:

  • Developers who want stronger security without extra friction
  • Teams that need a shared, auditable way to manage infrastructure access
  • Anyone tired of manual SSH config or juggling multiple key files
  • Security-conscious environments that require full revocation and policy control

If you're operating in an especially high-security environment, you can take it further by using hardware-backed resident keys — combining the best of YubiKey and 1Password-managed access.

✅ Is it safe to share SSH keys via 1Password?

Yes — 1Password uses end-to-end encryption, per-vault sharing controls, and optional hardware-backed keys. With access logging, biometric unlock, and no local file exposure, this approach is not only safe, but often more secure than traditional methods.
🔐 Note: When using YubiKey-backed keys (ed25519-sk), only the public key can be stored in 1Password — the private key resides securely on the YubiKey and never leaves it. If you're adding other private keys (e.g., for legacy systems), make sure you remember or securely store the key passphrase, as 1Password does not auto-unlock them without it.
🔐 Also important: The 1Password SSH agent is not involved in the YubiKey authentication flow. When using a hardware-backed key (like ed25519-sk), it is OpenSSH that communicates directly with the YubiKey. 1Password is useful for managing the public key and storing traditional software-based keys.

Step 1: Install the Right Tools

Install the latest versions of OpenSSH and YubiKey tooling:

brew install openssh libfido2 ykman
Don’t use macOS’s built-in OpenSSH — it doesn’t support FIDO2.

Install 1Password 8 if you haven’t yet.

To configure your YubiKey (PIN, resident keys), use ykman or the YubiKey Manager:

brew install ykman
Make sure FIDO2 is enabled on your YubiKey. You can verify and configure this using ykman info and ykman fido enable.
macOS may prompt you to treat the YubiKey as a keyboard. Allow usage, but choose “No” when asked to enable keyboard input. This prevents unexpected behavior with FIDO2 operations.

✅ Quick YubiKey Check Script

Want to confirm your YubiKey is ready for SSH usage?

#!/bin/bash

# Check for connected YubiKey
if ! ykman info >/dev/null 2>&1; then
  echo "❌ No YubiKey detected. Please insert your key."
  exit 1
fi

# Check FIDO2 availability
if ! ykman fido info >/dev/null 2>&1; then
  echo "❌ FIDO2 not enabled. Run: ykman fido enable"
  exit 1
fi

# Check ssh-keygen compatibility
echo "✅ YubiKey and FIDO2 appear ready. Testing key generation..."
ssh-keygen -t ed25519-sk -f /tmp/test-ssh-key -C "test" && echo "✅ Keygen successful." || echo "❌ Keygen failed."

Step 2: Enable the 1Password SSH Integration

  1. Open 1Password 8
  2. Go to: Settings → Developer → SSH Agent
  3. Enable "Use the 1Password SSH agent"

Copy the path to the IdentityAgent socket (e.g. /Users/youruser/.1password/agent.sock)

Update your SSH config:

Host *
  IdentityAgent ~/.1password/agent.sock
Alternatively, 1Password can automatically manage your SSH config. You’ll be prompted during setup or when adding new keys. This works reliably and can simplify onboarding.

Step 3: Generate a FIDO2 SSH Key with Your YubiKey

ssh-keygen -t ed25519-sk -f ~/.ssh/id_teamname_sk -C "team-access-key"

You’ll be prompted to:

  • Touch the YubiKey
  • Enter a PIN, if set up previously with the YubiKey Manager or ykman

We recommend using named keys (like id_teamname_sk) for clarity and maintainability.

This creates:

  • ~/.ssh/id_teamname_sk → A reference to your YubiKey
  • ~/.ssh/id_teamname_sk.pub → Your public key

Step 4: Store the Key in 1Password

  1. Create a new item of type SSH Key in 1Password
  2. Paste in the contents of your .pub file
  3. (Optional for YubiKey) Import or attach the corresponding private key if it's a non-YubiKey key
  4. Set access policies and sharing rules as needed
Reminder: You can't store a YubiKey private key — it never leaves the device. But 1Password is a great place to store its public key, and any traditional private keys that need sharing.

Step 5: Add the Key to Your Remote Server

ssh-copy-id -i ~/.ssh/id_teamname_sk.pub [email protected]

Or manually:

cat ~/.ssh/id_teamname_sk.pub >> ~/.ssh/authorized_keys

Then connect:

ssh [email protected]

You’ll be prompted to touch the YubiKey. SSH handles the authentication directly with the device — not via 1Password.

Why This Setup Beats Local SSH Key Management

With this approach, you get:

  • Hardware-backed security without storing private keys on disk
  • Seamless key usage across your apps and terminals
  • Shared access using 1Password vaults — ideal for teams
  • Strict access control for managing sensitive infrastructure
  • Reduced friction compared to manual ssh-agent flows
  • Full auditability and revocation — important for compliance
  • Named keys for clarity in team environments

All while retaining the flexibility of YubiKey authentication.

Coming next

In Part 2, we’ll show you how to build a secure, portable remote development environment using YubiKey + SSHFS + macFUSE — enabling safe, high-compliance coding on remote servers without sacrificing local dev convenience.

Need help with your dev project, AI enablement, or digitalisation?

We’re helping teams build practical, secure, and scalable solutions — without the noise.

Contact us at [email protected]

Subscribe to our newsletter.

Be the first to know - subscribe today

Member discussion