ssh-sync is a command-line tool designed to manage and synchronize your SSH keys across multiple machines, ensuring seamless access to your servers and resources from any device. By syncing your SSH keys through a central server, you can avoid manually copying or adjusting configurations when switching devices.
Key Features:
Automated Synchronization: Easily sync your SSH keys between devices using a self-hosted server or the default sshsync.io service.
Multi-Platform Support: Works on Windows, macOS, and Linux, making it versatile for any environment.
Safe Mode Operation: Test syncing without affecting your current SSH setup by downloading to a temporary directory.
Self-Hosting Capability: Deploy your own server using Docker or other methods for added control and security.
Audience & Benefit:
Ideal for developers, DevOps engineers, IT professionals, and anyone managing multiple SSH keys. By automating the synchronization process, ssh-sync streamlines your workflow, reduces manual tasks, and minimizes errors associated with SSH key management.
Install via winget on Windows to get started quickly.
README
ssh-sync: Seamless SSH Key Management
ssh-sync is a powerful CLI tool designed to simplify the way you manage and synchronize your SSH keys and configurations across multiple machines. With ssh-sync, gone are the days of manually copying SSH keys or adjusting configurations when switching devices. Whether you're moving between workstations or setting up a new machine, ssh-sync ensures your SSH environment is up and running effortlessly.
Quick Start
Installation
ssh-sync is available on Windows, macOS, and Linux. Choose the installation method that best suits your operating system:
Windows
Install ssh-sync using Winget:
winget install therealpaulgg.ssh-sync
macOS
ssh-sync can be installed using Homebrew:
brew tap therealpaulgg/ssh-sync
brew install ssh-sync
Linux
For Linux users, you can install ssh-sync through our official package repositories or by downloading packages directly from our GitHub Releases page:
This command is useful if you're decommissioning a machine or wish to start fresh.
Rotating the Master Key
To generate a new master key and re-encrypt all SSH keys stored on the server:
ssh-sync rotate-master-key
This is useful as a security hygiene measure or after a suspected compromise. The new master key is automatically distributed to all registered machines — each machine picks it up on its next download or sync.
Interactive Mode
ssh-sync includes a TUI for managing your SSH keys interactively:
ssh-sync interactive
This launches a menu-driven interface where you can view and manage your stored SSH keys.
Migrating to Post-Quantum Cryptography
By default, new machines are set up with post-quantum cryptography (ML-DSA-65 for authentication, ML-KEM-768 for key encapsulation). If your machine was set up with classical ECDSA, you can upgrade it:
ssh-sync migrate
This migrates your machine's keypair to post-quantum algorithms. Your encrypted SSH keys on the server remain unchanged (AES-256-GCM is already quantum-resistant — only the key wrapping is upgraded).
To set up a new machine with classical ECDSA instead of post-quantum, use:
ssh-sync setup --classic
By following these steps, you can seamlessly sync and manage your SSH keys across all your machines with ssh-sync.
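A small model of the two operations described above (rotating the master key and `ssh-sync migrate`), added here as an illustration and not taken from ssh-sync's own code. It assumes an envelope scheme in which the stored data is AES-256-GCM under a master key and the master key is wrapped per machine; a random 32-byte KEK stands in for the secret a machine would derive through ECDH or ML-KEM-768, and all function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte { // n bytes from the OS CSPRNG
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func seal(key, pt []byte) []byte { // AES-256-GCM; the 12-byte random nonce is prepended
	n := random(12)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(n, n, pt, nil)
}

func open(key, blob []byte) ([]byte, error) { // inverse of seal; fails on a wrong key or tampering
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short")
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, blob[:12], blob[12:], nil)
}

// reseal decrypts blob under oldKey and re-encrypts it under newKey (assumed model, not ssh-sync's API).
func reseal(oldKey, newKey, blob []byte) ([]byte, error) {
	pt, err := open(oldKey, blob)
	if err != nil {
		return nil, err
	}
	return seal(newKey, pt), nil
}

func main() {
	mk, mk2, kek1, kek2 := random(32), random(32), random(32), random(32) // constructed keys
	data, wrapped := seal(mk, []byte("constructed SSH key")), seal(kek1, mk)
	wrapped = must(reseal(kek1, kek2, wrapped))                  // migrate: data blob untouched
	data, wrapped = must(reseal(mk, mk2, data)), seal(kek2, mk2) // rotate: data re-encrypted
	fmt.Printf("%q\n", must(open(must(open(kek2, wrapped)), data)))
}
```

In this model, migration only ever handles the small wrapped-key blob, while rotation has to decrypt and re-encrypt every stored item and then re-wrap the new master key for each registered machine.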
Self-Hosting ssh-sync-server
In general, for self-hosting, we recommend a setup where ssh-sync-server is behind a reverse proxy (e.g., Nginx), and SSL is handled via Let's Encrypt.
Docker
Docker is the easiest way to run the server. Here is a simple docker-compose file you can use:
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/server.sshsync.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/server.sshsync.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    server_name server.sshsync.io;

    location / {
        proxy_pass http://127.0.0.1:;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    if ($host = server.sshsync.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name server.sshsync.io;
    return 404; # managed by Certbot
}
If you don't want to use Docker, other methods of running the server are not supported at this time, but the source repos are linked below so you can configure your own server as you wish.
ssh-sync leverages a client-server model to store and synchronize your SSH keys securely. The diagram below outlines the ssh-sync architecture and its workflow:
For a deep dive into the technicalities of ssh-sync, including its security model, data storage, and key synchronization process, check out our Wiki.
Why Choose ssh-sync?
Simplify SSH Key Management: Easily sync your SSH keys and configurations across all your devices.
Enhanced Security: ssh-sync uses post-quantum cryptography (ML-DSA-65 + ML-KEM-768) by default, with AES-256-GCM for data encryption, ensuring your SSH keys are securely transmitted and stored.
Effortless Setup: With support for Windows, macOS, and Linux, setting up ssh-sync is straightforward, regardless of your operating system.
Contributing
ssh-sync is an open-source project, and contributions are welcome! If you're interested in contributing, please check out our contribution guidelines.