Using BitWarden and Chezmoi to manage SSH keys

jmc265 profile image jmc265 Originally published at jx0.uk ・2 min read

I have recently started using Chezmoi to manage my dotfiles (and various other pieces software config) across multiple machines. The distribution is done via a git repo and therefore we should not check in secrets such as the private part of the SSH key. Using Bitwarden, we can store the key in a Secure Note and retrieve on the other machines.


The rest of this post assumes you already have Chezmoi installed and set up:

curl -sfL https://git.io/chezmoi | sh
chezmoi init

You will also need a pre-existing SSH key:

ssh_keygen -o

Store the key

The public key part of the SSH key can be stored in Chezmoi in plain text:

chezmoi add .ssh/id_rsa.pub

To store the private part we are going to need to install the bitwarden-cli and then login and unlock it:

bw login <EMAIL-ADDRESS>
bw unlock

Now, we get to the magic sauce. This line will store your SSH key (stored at ~/.ssh/id_rsa) in a secure note in Bitwarden:

echo "{\"organizationId\":null,\"folderId\":null,\"type\":2,\"name\":\"sshkey\",\"notes\":\"$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\\\n/g' ~/.ssh/id_rsa)\",\"favorite\":false,\"fields\":[],\"login\":null,\"secureNote\":{\"type\":0},\"card\":null,\"identity\":null}" | bw encode | bw create item

And finally, we need to tell chezmoi where to get the key from. Create a file in your chezmoi repo at this location: private_dot_ssh/private_id_rsa.tmpl and add this as the contents:

{{ (bitwarden "item" "sshkey").notes }}

(For OSX, this file needs a new line character at the end. For Linux, I believe it mustn't, so you might need to end the file with -}} instead)

Make sure all the files are committed and pushed to the origin.

Retrieve the key

On another machine where you want to retrieve the same key, make sure bitwarden-cli and Chezmoi are installed and first do the same login and unlock steps for Bitwarden as above. Then simplpy do:

chezmoi init --apply <GIT-REPO>

And that's it. Check your private key has made it safely to your machine by doing cat ~/.ssh/id_rsa.

You can see the full example of my chezmoi config here.

Posted on by:

jmc265 profile



I create stuff. If software engineering is involved, all the better!


markdown guide