Purpose

This post shows how to store SSH keys in LastPass using its command-line client, lpass.

Before you begin

A Linux machine is required to follow this tutorial.

Step 1 - Create an SSH key pair (public/private)

Run ssh-keygen, setting a passphrase and a destination (by default ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). I strongly recommend setting a strong passphrase; you can generate one with the pwgen or apg commands, for example. More info about how to install ssh-keygen.

Double-check that ssh-keygen created both the private and the public key files.

Step 2 - Install lastpass-cli

It's true that there is still no lastpass-cli package for Debian/Ubuntu, but there are lastpass-cli packages for other operating systems such as Fedora, Arch, OS X and many more. More info on its GitHub page: https://github.com/lastpass/lastpass-cli.

On Debian-based distros, first install the dependencies:

sudo apt install --no-install-recommends \
  cmake \
  libcurl4-openssl-dev \
  libssl-dev \
  libxml2 \
  libxml2-dev \
  openssl \
  pinentry-curses \
  pkg-config \
  xclip

There is no binary for Debian/Ubuntu, so you should build it from the repo:

# clone
cd /tmp
git clone https://github.com/lastpass/lastpass-cli.git

# build
cd lastpass-cli
make
sudo make install

# check version
lpass --version

More information about LastPass cli here.


Step 3 - Store SSH keys in LastPass

Log in to LastPass:

export LPASS_HOME=~/.lpass && export LPASS_AGENT_TIMEOUT=0 && lpass login <your_email@your_email_server>

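Enter your master password, accept the verification email (first time only) and complete two-factor authentication if needed. Note that LPASS_AGENT_TIMEOUT=0 keeps the lpass agent running with no timeout, so the decrypted session stays available until you run lpass logout.

Running the following command creates an SSH Key secure note.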

# The value typed here becomes the name of the secure note
echo "SSH passphrase? "; read -r passhprase; \
printf "Private Key: %s\nPublic Key: %s" "$(cat ~/.ssh/id_rsa)" "$(cat ~/.ssh/id_rsa.pub)" | \
lpass add --non-interactive --sync=now "${passhprase}" --note-type=ssh-key

# Display the note that was just created
lpass show "${passhprase}"

Previous comment was fixed thanks to @christopher_howie.

The note is uploaded to your LastPass Vault automatically by default (if not, depending on your version of lastpass-cli, you should run lpass sync as well).

This post uses ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub; change these paths to wherever your SSH keys are stored.

Go to your LastPass Vault and make sure the ${passhprase} is there. If you cannot see the key, you may need to trigger the Refresh Site option under More options > Advanced > Refresh Site in the UI.
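
A variant of the Step 3 command, added here as an example and not part of the original post: it reads the passphrase without echoing it, stores it in the note's Passphrase field instead of using it as the entry name, and compares the stored public key with the local file. The function names, the entry-name argument and the Passphrase field label are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names and the entry
# name are assumptions; "Passphrase" is assumed to be the ssh-key template label.

# Print the note body that `lpass add --non-interactive` reads on stdin.
# $1 = private key file, $2 = public key file, $3 = passphrase
build_ssh_note() {
    local priv="$1" pub="$2" pass="$3" mode
    [ -r "$priv" ] && [ -r "$pub" ] || { echo "key file not readable" >&2; return 1; }
    # Refuse a private key that group or others can access.
    mode=$(stat -c '%a' "$priv") || return 1
    case "$mode" in
        *00) ;;
        *) echo "refusing $priv: mode $mode" >&2; return 1 ;;
    esac
    printf 'Passphrase: %s\nPrivate Key: %s\nPublic Key: %s\n' \
        "$pass" "$(cat "$priv")" "$(cat "$pub")"
}

# Store the key under a descriptive entry name ($1), then read the public
# key back from the vault and compare it with the local file.
store_ssh_key() {
    local name="$1" priv="$2" pub="$3" pass note
    # -s keeps the passphrase off the screen; it never becomes the entry name.
    read -r -s -p "SSH passphrase: " pass; echo >&2
    note=$(build_ssh_note "$priv" "$pub" "$pass") || return 1
    unset pass
    printf '%s\n' "$note" |
        lpass add --non-interactive --sync=now --note-type=ssh-key "$name" || return 1
    unset note
    [ "$(lpass show --field='Public Key' "$name")" = "$(cat "$pub")" ] ||
        { echo "vault copy of $name differs from $pub" >&2; return 1; }
}

# Usage: ./store-key.sh store <entry-name> <private-key> <public-key>
if [ "${1:-}" = "store" ]; then store_ssh_key "$2" "$3" "$4"; fi
```

Because the entry name is no longer the passphrase, it can appear in lpass ls output and shell history without exposing the secret.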

Finally, for a quick search from the command line, you can combine lpass with grep:

lpass ls | grep <my_search>

# or a case-insensitive search
lpass ls | grep -i <my_search>