sshman is a simple command-line SSH key and connection manager that stores your SSH entries securely in an encrypted vault file (vault.vssh). Unlike traditional SSH key managers that save private keys as files (e.g., in ~/.ssh), sshman keeps SSH private keys encrypted inside the vault file and loads them only in memory during use, greatly reducing the risk of key leakage from disk. It supports adding, listing, updating, deleting, and searching SSH entries, generating RSA key pairs, copying SSH commands to the clipboard, sending public keys to remote servers, and launching direct SSH connections.
- Encrypted vault storage using AES-GCM and Argon2 for key derivation
- SSH private keys securely stored only inside the encrypted vault file and kept in memory during usage (no keys saved as separate files on disk)
- Secure password prompt with hidden input
- Custom vault file with
.vsshextension - Add, update, delete, list, and search SSH entries (name, user, host, key data)
- Generate RSA SSH key pairs internally without writing private keys to disk
- Send public keys to remote servers for passwordless login setup
- Copy SSH command to clipboard for quick use
- Direct SSH connection launch from vault entries
Requires Go 1.23+ to build.
git clone https://github.com/SpikeTheDragon40k/sshman.git
cd sshman
go build -o sshman .Or download a precompiled binary from releases (when available).
Initialize the vault and set a password:
./sshman initAdd an SSH entry (the --key flag accepts a file path or raw PEM content):
./sshman add --name myserver --user ubuntu --host 1.2.3.4 --port 22 --key ~/.ssh/myserver.keyList all entries:
./sshman listCopy the SSH command for an entry to clipboard:
./sshman copy --name myserverConnect directly to the server:
./sshman connect --name myserverGenerate a new RSA key pair:
./sshman genkey --name mynewkey --user ubuntu --host 1.2.3.4 --port 22 --bits 2048Send the key:
sshman sendkey --name myserverDelete an entry:
./sshman delete --name myserverUpdate an entry:
./sshman update --name myserver --user ubuntu2 --host 1.2.3.5Search entries by keyword (matches name, user, or host):
./sshman search --query myUse a custom vault file path (available on all commands):
./sshman list --vault /path/to/custom.vssh-
Vault is stored in the current directory as
vault.vssh. -
The vault file format is binary and structured as follows:
- First 16 bytes: random salt for Argon2 key derivation
- Next 12 bytes: nonce used for AES-GCM encryption
- Remaining bytes: AES-GCM encrypted JSON data containing SSH entries
-
The vault is encrypted with the password you set during
init. -
Important: Never lose your vault password or you will not be able to access your stored entries.
- urfave/cli/v2 - CLI framework
- atotto/clipboard - Clipboard support
- golang.org/x/crypto/argon2 - Argon2id password-based key derivation
- golang.org/x/term - Terminal password input (hidden input)
- System dependency:
sshcommand for connection and key sending (must be in PATH)
- Key generation is done in pure Go (no external
ssh-keygenrequired). - Keys generated by
genkeyare without passphrase for convenience. - Vault encryption uses Argon2id for secure password strengthening and AES-GCM for authenticated encryption.
- Vault file permissions are set to
0600to restrict access. - All commands prompt for the vault password securely.
- The
--keyflag inadd/updateaccepts either a file path or raw PEM string (auto-detected).
-
Windows and Mac Versions -
Restructure into packages -
Tests and CI -
Addportfield support -
Implementsearchcommand - A GUI (?)
- Yubikey/TOTP integration
- More key types (ED25519, ECDSA, etc.)
- Import/export commands
- Key rotation
- Keyring integration (Gnome Keyring, macOS Keychain)
- SSH agent integration
Check the CONTRIBUTING.md