The purpose of this post is to learn how to easily store SSH keys in LastPass using their command line client lpass.

Before you begin

A Linux machine is required to follow this tutorial.

Step 1 - Create an SSH key pair (public/private)

Run ssh-keygen, setting a passphrase and a destination (by default ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). I strongly recommend setting a strong passphrase; you can generate one with the pwgen or apg commands, for example. More info about how to install ssh-keygen

Double-check that ssh-keygen created both the private and the public key file.

Step 2 - Install lastpass-cli

On Debian-based distros, first install the dependencies:

sudo apt install --no-install-recommends \
  cmake \
  libcurl4-openssl-dev \
  libssl-dev \
  libxml2 \
  libxml2-dev \
  openssl \
  pinentry-curses \
  pkg-config

There is no binary for Debian/Ubuntu, so you should build it from the repo:

# clone
cd /tmp
git clone https://github.com/lastpass/lastpass-cli.git

# build
cd lastpass-cli
sudo make install

# check version (the installed binary is called lpass)
lpass --version

More information about LastPass cli here.

Step 3 - Store SSH keys to LastPass

Log in to LastPass:

export LPASS_HOME=~/.lpass && export LPASS_AGENT_TIMEOUT=0 && lpass login <your_email@your_email_server>

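Enter your master password, accept the verification email (first time only) and complete two-factor authentication if needed. Note that LPASS_AGENT_TIMEOUT=0 keeps the lpass agent running with no timeout (the default is one hour), so run lpass logout when you are done.

Running the following commands creates an SSH key secure note.

# The "?prompt" form of read is zsh syntax; -s keeps the passphrase off the screen.
read -r -s "?SSH passphrase? " passphrase
# Pass the values as printf arguments so a '%' or '\' in the passphrase is stored literally.
printf 'Passphrase: %s\nPrivate Key: %s\nPublic Key: %s' "$passphrase" "$(cat ~/.ssh/id_rsa)" "$(cat ~/.ssh/id_rsa.pub)" | lpass add my_ssh_keys --note-type=ssh-key --non-interactive
unset passphrase
lpass show my_ssh_keys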

This note is uploaded automatically to your LastPass Vault by default (if it is not, depending on your version of lastpass-cli, you should run lpass sync as well).

This post uses ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Please change these paths to your own SSH key locations.

Finally, go to your LastPass Vault and make sure the my_ssh_keys note is there.
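
The Step 3 upload as a reusable POSIX sh script. This is an added example, not part of the original post: the function names build_ssh_note and store_ssh_note are hypothetical, and the lpass invocation is the one shown above. It goes slightly beyond the post by refusing a private key file that group or other can access and by checking that the file passed as the private key really is one.

```shell
#!/bin/sh
# Added example; build_ssh_note and store_ssh_note are hypothetical names.

# Print the ssh-key note body. Values are passed as printf arguments, never
# as the format string, so '%' or '\' in a passphrase are stored literally.
build_ssh_note() {
    passphrase=$1 priv=$2 pub=$3
    [ -r "$priv" ] && [ -r "$pub" ] || { echo "key file not readable" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    case $(ls -ld -- "$priv" | cut -c5-10) in
        ------) ;;
        *) echo "refusing: $priv is accessible to group/other" >&2; return 2 ;;
    esac
    # Catch swapped arguments: a private key file starts with a PEM header.
    case $(head -n 1 -- "$priv") in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "refusing: $priv does not look like a private key" >&2; return 3 ;;
    esac
    printf 'Passphrase: %s\nPrivate Key: %s\nPublic Key: %s' \
        "$passphrase" "$(cat -- "$priv")" "$(cat -- "$pub")"
}

# Prompt without echo, build the note, then pipe it to lpass as the post does.
store_ssh_note() {
    name=$1 priv=$2 pub=$3
    printf 'SSH passphrase? ' >&2
    stty -echo; IFS= read -r pp; stty echo; echo >&2
    note=$(build_ssh_note "$pp" "$priv" "$pub") || return
    unset pp
    printf '%s' "$note" | lpass add "$name" --note-type=ssh-key --non-interactive
}

# Usage, after lpass login:
#   store_ssh_note my_ssh_keys ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
```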