Windows 10 OpenSSH – Storing keys using the SSH agent

August 24th, 2019 by Richy B. Leave a reply »

This article is the second of a series I’ve written about migrating from using PuTTy on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation
  2. Storing keys using the SSH Agent < You are here
  3. Importing existing keys
  4. Creating a new public/private key pair
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

To manage the OpenSSH keys, you need to add them to the ssh-agent (think of it as PuTTY’s Paegant). These keys will then be added to the user’s “Windows registry” and encrypted to their user profile (so, even if the key has an individual password on it, if somebody logins into your machine as user and has access to the registry, then they can access your private keys – if they log in as somebody else, your keys should be safe). This sounds like a security weakness, but is how MacOS and Linux handles keys anyway!

  1. Continuing in the Administration Powershell, we’re now going to start the SSH-agent which makes key management much easier:
    Start-Service ssh-agent
    If you get an error such as

    Start-Service : Service 'OpenSSH Authentication Agent (ssh-agent)' cannot be started due to the following error:
    Cannot start service ssh-agent on computer '.'.
    At line:1 char:1
    + Start-Service ssh-agent
    + ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

    Then the service is probably disabled: check with: Get-Service ssh-agent | Select StartType
    If it is disabled, you’ll see:


    Enable it with
    Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
    (you might need to then start the service again using
    Start-Service ssh-agent
    Setting the service to “Automatic” means next time Windows starts and you login, your keys are automatically available to you!


Once you have added the keys to the ssh-agent, it is then “safe” to delete the local key files. HOWEVER, you are NOT able to export the private keys from the ssh-agent (only show the public keys): so make a backup copy on a removable device (such as a USB key) which you keep in a very safe location in case something happens to your machine!

This post is over 6 months old.

This means that, despite my best intentions, it may no longer be accurate.

This blog holds over 12 years of archived content - during that time, I may have changed my opinion of something, technology will have advanced (and old "best standards" may no longer be the case), my technology "know how" has improved etc etc - it would probably take me a considerable amount of time to update all the archival entries: and defeat the point of keeping them anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey and "caveat emptor".

Leave a Reply

%d bloggers like this: