Encrypted SSH key vault with a local SSH agent for ssh, git, and VSCode Remote SSH.
phi is a small SSH key vault for everyday use.
It keeps private keys in an encrypted vault.phi, exposes them through a local SSH agent after unlock, and supports manual Vault sync through S3 or WebDAV.
- Encrypted local Vault for SSH private keys
- Built-in local SSH agent for OpenSSH, git, and VSCode Remote SSH
- Generate new keys or import existing ones
- Print or copy public keys to remote hosts
- Manual sync only, with S3 and WebDAV backends
- Windows
- Linux
```
phi init
phi unlock
phi key gen [name]
phi key list
phi key pub [name]
phi status
phi version
```

Import an existing key:

```
phi key import [name] ~/.ssh/id_ed25519
```

Copy a public key to a remote host:

```
phi key copy-pub [name] apple@example.com
phi key copy-pub -p PORT [name] apple@example.com
```

After `phi unlock`, point OpenSSH to the local phi agent.
On Windows, the default pipe name is isolated per user. Run phi status after phi unlock, then use the reported agent: value.
For IdentityAgent in ssh_config and VSCode Remote SSH, use //./pipe/... style:
```
Host appledev
    HostName me.sightsnow.cn
    User apple
    IdentityAgent //./pipe/phi-agent-<user-sid>
```

For PowerShell `SSH_AUTH_SOCK`, use `\\.\pipe\...` style:

```
$env:SSH_AUTH_SOCK='\\.\pipe\phi-agent-<user-sid>'
```

Set the agent socket explicitly:

```
export SSH_AUTH_SOCK="$HOME/.phi/agent.sock"
```

Or let phi print the command for your current shell:

```
eval "$(phi env)"
```

Or configure it in `~/.ssh/config`:

```
Host work
    HostName example.com
    User apple
    IdentityAgent ~/.phi/agent.sock
```

On Windows, phi can use DPAPI to unlock the Vault without prompting for the passphrase, and it can also start automatically after user login.

```
phi startup windows-auto-unlock on
phi startup windows-launch-at-login on
phi startup status
```

- `windows-auto-unlock on` stores a DPAPI-protected secret in `$HOME/.phi/auto-unlock.dpapi`
- If `auto-unlock.dpapi` exists, `phi unlock` and daemon startup use it directly and do not fall back to prompting for the passphrase
- `windows-launch-at-login on` writes the current user's `Run` registry entry
- `startup status` checks the auto-unlock file and the current `Run` registry entry directly
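For the Linux agent socket configured earlier (`~/.phi/agent.sock`), it is worth checking who can reach the socket and which keys the agent offers once the Vault is unlocked. The script below is an added example, not part of phi: it speaks the standard SSH agent protocol (identities request and answer), and the function names and the "private" criterion (socket or its directory closed to group and other) are assumptions of this example, not documented phi behaviour.

```python
import os
import socket
import stat
import struct

REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12  # SSH agent protocol message types


def socket_is_private(path):
    """True if path is a Unix socket we own that group/other cannot reach."""
    me, sock = os.getuid(), os.lstat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    closed = [s.st_uid == me and stat.S_IMODE(s.st_mode) & 0o077 == 0 for s in (sock, parent)]
    return stat.S_ISSOCK(sock.st_mode) and sock.st_uid == me and any(closed)


def _take_string(buf, off):
    """Decode one length-prefixed SSH string; reject lengths past the buffer."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent reply")
    return buf[off + 4:off + 4 + n], off + 4 + n


def list_identities(conn):
    """Return [(algorithm, comment)] for every key the agent currently offers."""
    conn.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
    with conn.makefile("rb") as reply:
        (length,) = struct.unpack(">I", reply.read(4))
        if not 5 <= length <= 256 * 1024:
            raise ValueError("unexpected agent reply length")
        body = reply.read(length)
    if len(body) != length or body[0] != IDENTITIES_ANSWER:
        raise ValueError("agent did not return an identities answer")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _take_string(body, off)
        comment, off = _take_string(body, off)
        algo, _ = _take_string(blob, 0)  # a key blob begins with its algorithm name
        keys.append((algo.decode(), comment.decode(errors="replace")))
    return keys


if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK", os.path.expanduser("~/.phi/agent.sock"))
    with socket.socket(socket.AF_UNIX) as conn:
        conn.connect(path)
        print(path, "private:", socket_is_private(path), "keys:", list_identities(conn))
```

Since `phi lock` is described as stopping the SSH agent, running the script after locking should fail at the connect step rather than return a key list.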
All sync operations are manual.
```
phi sync config
phi sync status
phi sync once
phi sync push
phi sync pull
```

- `sync config` configures S3 or WebDAV
- `sync status` shows local and remote status and the suggested sync direction
- `sync once` auto-selects push or pull once
- `sync push` forces local → remote
- `sync pull` forces remote → local
- `phi init`: initialize `config.toml` and create `vault.phi`
- `phi unlock`: unlock the Vault and start the local daemon and SSH agent
- `phi lock`: lock the Vault and stop the local daemon and SSH agent
- `phi passwd`: change the Vault passphrase
- `phi status`: show daemon, unlock, control, and agent status
- `phi env`: print a shell command that sets `SSH_AUTH_SOCK`
- `phi version`: show build version

- `phi key list`: list stored keys with id, algorithm, and name
- `phi key gen <name>`: generate a new private key directly into the Vault
- `phi key import <name> <private-key-path>`: import an existing private key into the Vault
- `phi key pub <id-or-name>`: print the public key for a stored key
- `phi key copy-pub [-p PORT] <id-or-name> <user@host>`: copy the public key to the remote host's `authorized_keys`
- `phi key rename <id-or-name> <new-name>`: rename a stored key
- `phi key delete <id-or-name>`: delete a stored key by id or name

- `phi sync config`: configure the S3 or WebDAV sync backend
- `phi sync status`: show local and remote Vault status and the suggested action
- `phi sync once`: compare local and remote Vaults and perform one sync in the right direction
- `phi sync push`: force upload the local Vault to the remote backend
- `phi sync pull`: force download the remote Vault to the local machine

- `phi startup status`: show Windows auto-unlock and login-start status
- `phi startup windows-auto-unlock <on|off>`: configure DPAPI auto unlock
- `phi startup windows-launch-at-login <on|off>`: configure daemon launch after Windows login
```
go run scripts/build/build.go
```

This produces:

- `dist/bin/phi-linux-amd64`
- `dist/bin/phi-linux-arm64`
- `dist/bin/phi-windows-amd64.exe`
- `dist/bin/phi-windows-arm64.exe`