LastPass SSH keys

Purpose

The purpose of this post is to learn how to easily store SSH keys in LastPass using their command line client lpass.

Before you begin

A Linux machine is required to follow this tutorial.

Step 1 - Create a SSH key pair (public/private)

Run ssh-keygen setting a passphrase and a destination (by default ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). We strongly recommend to add a strong passphrase, to do it you can use pwgen or apg binaries for example.

Double check ssh-keygen created a private and public key files.

Step 2 - Install LastPass CLI

It’s true that there is still no LastPass CLI package for Debian/Ubuntu .. BUT there are LastPass CLI packages for other OS like Fedora, Arch, Fedora, OS X and many more. More info on its GitHub page: https://github.com/lastpass/lastpass-cli.

There is no binary for Debian/Ubuntu, you should install first the dependencies and build the client from its repo:

# Install dependencies
sudo apt install --no-install-recommends \            
  cmake \
  libcurl4-openssl-dev \
  libssl-dev \
  libxml2 \
  libxml2-dev \
  openssl \
  pinentry-curses \
  pkg-config \
  xclip

# Clone, build and install LastPass CLI
cd /tmp
git clone https://github.com/lastpass/lastpass-cli.git
cd lastpass-cli
make
sudo make install

# Check LastPass CLI version
lpass -v
> LastPass CLI v1.3.3.GIT

More information about LastPass cli here.

Step 3 - Store SSH keys to LastPass

Log in to LastPass:

export LPASS_HOME=~/.lpass
export LPASS_AGENT_TIMEOUT=0
lpass login <your_email@your_email_server>

Enter master password, accept verification email (only first time) and 2 factor authentication if needed.

Running the following command you’ll create a SSH-Key secure note.

echo "SSH passhprase? "; read passhprase; \
printf "Private Key: %s\nPublic Key: %s"\
"$(cat ~/.ssh/id_rsa)" "$(cat ~/.ssh/id_rsa.pub)" | \
lpass add --non-interactive \
--sync=now "${passhprase}" \
--note-type=ssh-key

lpass show ${passhprase}

Previous comment was fixed thanks to @christopher_howie.

This note will be uploaded automatically to your LastPass Vault, depending on your version of LastPass CLI you should run lpass sync as well.

This post is using ~/.ssh/id_rsa.pub and cat ~/.ssh/id_rsa.pub. please change previous paths to your current SSH key destination paths.

Go to your LastPass Vault and make shure the ${passhprase} is there. If you cannot see the key, sometimes we might trigger the Refresh Site option going to More options > Advance > Refresh Site on the UI.

Finally, to do a quick search by command line you could use lpass together with grep:

lpass ls | grep <my_search>

# or a case-insensitive search
lpass ls | grep -i <my_search>