This article is the second of a series I’ve written about migrating from using PuTTY on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:
- Installation
- Storing keys using the SSH Agent < You are here
- Importing existing keys
- Creating a new public/private key pair
- Other useful OpenSSH commands
- Configuring Windows Git
To manage the OpenSSH keys, you need to add them to the ssh-agent (think of it as PuTTY’s Pageant). These keys will then be added to the user’s “Windows registry” and encrypted to their user profile. So, even if the key has an individual password on it, if somebody logs into your machine as your user and has access to the registry, then they can access your private keys; if they log in as somebody else, your keys should be safe. This sounds like a security weakness, but is how macOS and Linux handle keys anyway!
- Continuing in the Administrator PowerShell, we’re now going to start the ssh-agent, which makes key management much easier:
Start-Service ssh-agent
If you get an error such as:
Start-Service : Service 'OpenSSH Authentication Agent (ssh-agent)' cannot be started due to the following error: Cannot start service ssh-agent on computer '.'.
At line:1 char:1
+ Start-Service ssh-agent
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
then the service is probably disabled. Check with:
Get-Service ssh-agent | Select StartType
If it is disabled, you’ll see:
StartType
---------
Disabled
Enable it with:
Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
You might then need to start the service again using:
Start-Service ssh-agent
Setting the service to “Automatic” means that the next time Windows starts and you log in, your keys are automatically available to you!
Security
Once you have added the keys to the ssh-agent, it is then “safe” to delete the local key files. HOWEVER, you are NOT able to export the private keys from the ssh-agent (only show the public keys): so make a backup copy on a removable device (such as a USB key) which you keep in a very safe location in case something happens to your machine!
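A check worth running before deleting a local key file, as an added example that is not part of the original article: it confirms that the agent holds the key and that the backup copy is identical to the file about to be removed. The function names and paths are hypothetical, and it assumes the public key sits next to the private key as `<name>.pub`.

```powershell
# Added example: names and paths are placeholders, not from the article.
function Get-KeyFingerprint {
    param([Parameter(Mandatory)][string]$PublicKeyPath)
    # ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)"
    $line = & ssh-keygen -l -f $PublicKeyPath 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $line) { throw "Cannot read key: $PublicKeyPath" }
    return (([string]$line).Trim() -split '\s+')[1]
}

function Test-SafeToDeleteKey {
    param(
        [Parameter(Mandatory)][string]$PrivateKeyPath,  # local file you intend to delete
        [Parameter(Mandatory)][string]$BackupPath       # copy on the removable device
    )
    # Assumption: the matching public key sits next to the private key as <name>.pub
    $wanted = Get-KeyFingerprint -PublicKeyPath "$PrivateKeyPath.pub"

    # 1. The agent service must be running and must hold this exact key.
    $inAgent = $false
    if ((Get-Service ssh-agent).Status -eq 'Running') {
        $listed = & ssh-add -l 2>$null      # one "<bits> <fingerprint> ..." line per key
        if ($LASTEXITCODE -eq 0) {
            $inAgent = @($listed | ForEach-Object { ($_ -split '\s+')[1] }) -contains $wanted
        }
    }

    # 2. The backup must exist and be byte-for-byte identical to the local private key.
    $backupOk = $false
    if (Test-Path -LiteralPath $BackupPath -PathType Leaf) {
        $a = (Get-FileHash -LiteralPath $PrivateKeyPath -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $BackupPath -Algorithm SHA256).Hash
        $backupOk = ($a -eq $b)
    }

    if (-not $inAgent)  { Write-Warning "Key $wanted is not loaded in ssh-agent" }
    if (-not $backupOk) { Write-Warning "Backup missing or different: $BackupPath" }
    return ($inAgent -and $backupOk)
}

# Usage (placeholder paths):
# Test-SafeToDeleteKey -PrivateKeyPath "$env:USERPROFILE\.ssh\id_ed25519" -BackupPath 'E:\keys\id_ed25519'
```

Only delete the local file when the function returns `$true`; a `$false` result comes with a warning naming which of the two conditions failed.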