Managing SSH keys with ssh-agent reduces repeated passphrase prompts while keeping strong public key authentication available for remote logins and automation. By loading encrypted private keys into a local agent process, interactive sessions and scripts can authenticate to multiple hosts without exposing plain-text credentials on disk or in shell history.
ssh-agent runs as a background process that holds decrypted private keys in memory and exposes a UNIX-domain socket referenced by the SSH_AUTH_SOCK environment variable. The ssh-add command connects to this socket to load keys from the /home/user/.ssh directory (or other paths), prompting once for each key passphrase. Standard ssh client invocations then query the agent over the socket instead of reading private keys directly each time a connection is established.
Before loading keys into ssh-agent, the system should already have at least one private key file with permissions restricted to the owning account and, ideally, protected by a passphrase. Keeping keys unlocked in an agent instance on shared or untrusted systems increases the impact of a local compromise because any process with access to the agent socket can request signatures on behalf of the user. Agent forwarding across SSH hops also extends this risk, so disabling forwarding when not required and removing identities from ssh-agent after use reduces the attack surface.
Steps to add an SSH key to ssh-agent:
- Open a terminal in the account that will use ssh-agent.
$ whoami
user
- Check whether an ssh-agent process is already reachable from the current shell.
$ ssh-add -l
ssh-add: error connecting to agent: No such file or directory
If a list of identities, or the message "The agent has no identities.", appears instead of a connection error, an existing ssh-agent instance is already reachable through SSH_AUTH_SOCK and may already hold keys; there is no need to start another one.
- Start a new ssh-agent instance for the current shell when no agent is available.
$ eval "$(ssh-agent -s)"
Agent pid 59565
ssh-agent -s does not set anything in the calling shell by itself; it prints shell commands that assign and export SSH_AUTH_SOCK and SSH_AGENT_PID. Wrapping it in eval "$(ssh-agent -s)" executes those commands in the current shell so standard ssh commands automatically use the agent. Running ssh-agent -s without eval only prints the assignments and leaves the new agent unreachable. The agent keeps running after the shell exits unless it is stopped with ssh-agent -k.
- Add the default SSH private key from the /home/user/.ssh directory to ssh-agent with ssh-add.
$ ssh-add ~/.ssh/id_ed25519
Enter passphrase for /home/user/.ssh/id_ed25519:
Identity added: /home/user/.ssh/id_ed25519 (/home/user/.ssh/id_ed25519)
Private key files should be protected with restrictive permissions and, ideally, a passphrase because any process that can read the key or access the agent socket can authenticate as that identity.
- Add an additional key file when a different identity or location is required, such as a dedicated key for a specific Git host.
$ ssh-add ~/.ssh/id_ed25519_github
Enter passphrase for /home/user/.ssh/id_ed25519_github:
Identity added: /home/user/.ssh/id_ed25519_github (id_ed25519_github)
Multiple private keys can be loaded into ssh-agent at once so different hosts or services can use separate identities.
- List the identities currently held by ssh-agent to verify that the expected keys are loaded.
$ ssh-add -l
256 SHA256:exampleBase64Fingerprint /home/user/.ssh/id_ed25519 (ED25519)
256 SHA256:anotherBase64Fingerprint /home/user/.ssh/id_ed25519_github (ED25519)
Each line shows the key size in bits, the SHA256 fingerprint, the key comment, and the key type. The message "The agent has no identities." means the agent is reachable but empty, so ssh-add must be run again after starting or reattaching to an agent. A connection error, by contrast, means no agent is reachable from the current shell at all.
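The steps above, collected into a sourceable script. This is an added example, not code from the original page or from OpenSSH: it assumes ssh-agent and ssh-add are in PATH, uses ssh-add -t to give each loaded identity a bounded lifetime (the page itself does not use -t), checks the key file mode with stat before loading, and, when run with key paths as arguments, opens a child shell with the keys loaded and removes them when that shell exits, killing the agent only if the script started it.

```shell
#!/bin/sh
# Added example (not from the original page): load private keys into an
# ssh-agent for the current shell, verify what was loaded, and unload again.
# Usage: sh agent-load.sh ~/.ssh/id_ed25519 [~/.ssh/id_ed25519_github ...]
#    or: . ./agent-load.sh   (then call ensure_agent / load_key / unload_all)

# Return 0 when the socket path in $1 leads to a live agent. ssh-add -l exits
# 0 when identities are listed, 1 when the agent is empty, and 2 when no
# agent can be contacted, so only status 2 means "not reachable".
agent_reachable() {
    sock="$1"
    command -v ssh-add >/dev/null 2>&1 || return 1
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
    [ "$?" -ne 2 ]
}

# Return 0 only if the private key in $1 is readable by its owner alone
# (mode 600 or stricter). ssh and ssh-add both refuse keys whose group or
# other bits are set; checking here gives a clearer error before the prompt.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # group and other permission bits are all clear
        *)   return 1 ;;
    esac
}

# Start an agent for this shell if $SSH_AUTH_SOCK does not lead to one.
# eval is required: ssh-agent -s only prints the export statements.
ensure_agent() {
    if agent_reachable "${SSH_AUTH_SOCK:-}"; then
        return 0
    fi
    eval "$(ssh-agent -s)" >/dev/null
    STARTED_AGENT=1
}

# Add one key with a lifetime in seconds (default 1 hour, an assumption of
# this example) so it expires from the agent even if never removed by hand.
load_key() {
    key="$1"
    lifetime="${2:-3600}"
    if ! key_perms_ok "$key"; then
        echo "refusing $key: permissions are too open (expected 600)" >&2
        return 1
    fi
    ssh-add -t "$lifetime" "$key"
}

# Remove every identity from the agent; stop the agent only if this script
# started it (ssh-agent -k reads SSH_AGENT_PID exported by ensure_agent).
unload_all() {
    ssh-add -D >/dev/null 2>&1
    if [ "${STARTED_AGENT:-0}" -eq 1 ]; then
        ssh-agent -k >/dev/null 2>&1
    fi
}

main() {
    ensure_agent
    trap unload_all EXIT        # keys are gone once the child shell exits
    for key in "$@"; do
        load_key "$key" || exit 1
    done
    ssh-add -l                  # show what the agent now holds
    "${SHELL:-/bin/sh}"         # work here; exit to unload the identities
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because a child process cannot export variables into its parent, an agent started by a script is only useful to that script's own descendants; that is why main opens a child shell rather than simply exiting, and why an interactive session should source the functions or run the eval line itself.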
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
