ssh-add: Load Keys Into the Agent
ssh-add adds a private key to the running agent so SSH clients can use it without -i or a passphrase prompt.
Once an agent is running, ssh-add is how keys get into it. Loading from stdin avoids ever writing the key to disk, a useful trick when the key comes from a CI secret.
What it does
ssh-add loads the named key file (or the default keys) into the agent identified by SSH_AUTH_SOCK. With a single dash it reads the key from stdin. -l lists loaded keys, -D removes all of them, and -t sets a lifetime after which the key expires.
Common usage
ssh-add ./deploy_key
# load straight from a secret without touching disk
ssh-add - <<< "$DEPLOY_KEY"
ssh-add -l # list loaded fingerprints
ssh-add -D # drop all loaded keysOptions
| Flag | What it does |
|---|---|
| <file> | Load the given private key |
| - | Read the key from stdin |
| -l | List fingerprints of loaded keys |
| -D | Remove all loaded keys |
| -t <sec> | Set a lifetime for the added key |
In CI
Loading the key from stdin (ssh-add - <<< "$KEY") keeps it out of the filesystem entirely. Run ssh-add -l afterward to confirm the right key is loaded before deploying. The agent must be running and SSH_AUTH_SOCK exported, or every ssh-add call fails.
Common errors in CI
Could not open a connection to your authentication agent. means no agent is running or SSH_AUTH_SOCK is unset; start ssh-agent and eval its output. "Error loading key "(stdin)": invalid format" means the key piped in is corrupted or has the wrong line endings. "Enter passphrase" hanging means the key is encrypted and BatchMode is off; use SSH_ASKPASS or a passphrase-free key.