Skip to content
Latchkey

ssh-add: Load Keys Into the Agent

ssh-add adds a private key to the running agent so SSH clients can use it without -i or a passphrase prompt.

Once an agent is running, ssh-add is how keys get into it. Loading from stdin avoids ever writing the key to disk, a useful trick when the key comes from a CI secret.

What it does

ssh-add loads the named key file (or the default keys) into the agent identified by SSH_AUTH_SOCK. With a single dash it reads the key from stdin. -l lists loaded keys, -D removes all of them, and -t sets a lifetime after which the key expires.

Common usage

Terminal
ssh-add ./deploy_key
# load straight from a secret without touching disk
ssh-add - <<< "$DEPLOY_KEY"
ssh-add -l          # list loaded fingerprints
ssh-add -D          # drop all loaded keys

Options

FlagWhat it does
<file>Load the given private key
-Read the key from stdin
-lList fingerprints of loaded keys
-DRemove all loaded keys
-t <sec>Set a lifetime for the added key

In CI

Loading the key from stdin (ssh-add - <<< "$KEY") keeps it out of the filesystem entirely. Run ssh-add -l afterward to confirm the right key is loaded before deploying. The agent must be running and SSH_AUTH_SOCK exported, or every ssh-add call fails.

Common errors in CI

Could not open a connection to your authentication agent. means no agent is running or SSH_AUTH_SOCK is unset; start ssh-agent and eval its output. "Error loading key "(stdin)": invalid format" means the key piped in is corrupted or has the wrong line endings. "Enter passphrase" hanging means the key is encrypted and BatchMode is off; use SSH_ASKPASS or a passphrase-free key.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →