Press "Enter" to skip to content

Windows 10 OpenSSH – Storing keys using the SSH agent

This article is the second of a series I’ve written about migrating from using PuTTy on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation
  2. Storing keys using the SSH Agent < You are here
  3. Importing existing keys
  4. Creating a new public/private key pair
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

To manage the OpenSSH keys, you need to add them to the ssh-agent (think of it as PuTTY’s Paegant). These keys will then be added to the user’s “Windows registry” and encrypted to their user profile (so, even if the key has an individual password on it, if somebody logins into your machine as user and has access to the registry, then they can access your private keys – if they log in as somebody else, your keys should be safe). This sounds like a security weakness, but is how MacOS and Linux handles keys anyway!

  1. Continuing in the Administration Powershell, we’re now going to start the SSH-agent which makes key management much easier:
    Start-Service ssh-agent
    If you get an error such as

    Start-Service : Service 'OpenSSH Authentication Agent (ssh-agent)' cannot be started due to the following error:
    Cannot start service ssh-agent on computer '.'.
    At line:1 char:1
    + Start-Service ssh-agent
    + ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

    Then the service is probably disabled: check with: Get-Service ssh-agent | Select StartType
    If it is disabled, you’ll see:


    Enable it with
    Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
    (you might need to then start the service again using
    Start-Service ssh-agent
    Setting the service to “Automatic” means next time Windows starts and you login, your keys are automatically available to you!


Once you have added the keys to the ssh-agent, it is then “safe” to delete the local key files. HOWEVER, you are NOT able to export the private keys from the ssh-agent (only show the public keys): so make a backup copy on a removable device (such as a USB key) which you keep in a very safe location in case something happens to your machine!

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.