-blue.svg){kind=icon}
SKM is a simple and powerful SSH Keys Manager. It helps you to manage your multiple SSH keys easily!
Features
- Create, List, Delete your SSH key(s)
- Manage all your SSH keys by alias names
- Choose and set a default SSH key
- Display public key via alias name
- Copy any SSH key to a remote host (with optional
--key,--pick,--dry-run) - Rename SSH key alias name
- Backup and restore all your SSH keys
- Import an existing key pair from anywhere on disk
- Export a single key as a (optionally encrypted) bundle
- Inspect a key with
fingerprintandinfo - Add / rotate / remove a key’s passphrase
- Diagnose your environment with
skm doctor - Audit stored keys for weak strength, missing passphrases, and age with
skm audit - Publish a public key to GitHub, GitLab, or Bitbucket with
skm publish - Soft-delete to a recoverable trash, with
skm trash list|restore|empty - Prompt UI (with fuzzy search) for SSH key selection across multiple commands
- Customized SSH key store path
- Pluggable hooks on
post-use,post-create,pre-delete,post-copyevents (per-key and global)
Installation
Homebrew
Starting from v0.8.9, skm has been officially submitted to the homebrew-core repository, so you can install it directly on both macOS and Linux:
brew install skm
If you previously installed
skmthrough the old tap, please remove it first to avoid conflicts:brew uninstall skm brew untap timothyye/tap brew install skm
Using Go
go get github.com/TimothyYe/skm/cmd/skm
Manual Installation
Download it from releases and extact it to /usr/bin or your PATH directory.
Usage
% skm
SKM V0.8.8
https://github.com/TimothyYe/skm
NAME:
SKM - Manage your multiple SSH keys easily
USAGE:
skm [global options] command [command options] [arguments...]
VERSION:
0.8.8
COMMANDS:
init, i Initialize SSH keys store for the first time use.
create, c Create a new SSH key.
ls, l List all the available SSH keys.
use, u Set specific SSH key as default by its alias name.
delete, d Delete specific SSH key by alias name.
rename, rn Rename SSH key alias name to a new one.
copy, cp Copy SSH public key to a remote host.
display, dp Display the current SSH public key or specific SSH public key by alias name.
backup, b Backup all SSH keys to an archive file.
restore, r Restore SSH keys from an existing archive file.
import, im Import an existing SSH key pair (or an skm export bundle) into the store.
export, ex Export a single key as a tar.gz bundle (optionally encrypted).
fingerprint, fp Print the SHA256 fingerprint of an SSH key.
info, in Show detailed information about an SSH key.
passphrase, pp Add, rotate, or remove the passphrase on an SSH key.
publish, pub Upload an SSH public key to GitHub, GitLab, or Bitbucket.
doctor, dr Run diagnostics against the SKM environment, agent, and stored keys.
audit, au Audit stored keys for weak strength, missing passphrases, and age.
cache Add your SSH to SSH agent cache via alias name.
help, h Shows a list of commands or help for one command.
GLOBAL OPTIONS:
--store-path value Path where SKM should store its profiles (default: "/Users/timothy/.skm")
--ssh-path value Path to a .ssh folder (default: "/Users/timothy/.ssh")
--restic-path value Path to the restic binary
--help, -h show help
--version, -v print the version
For the first time use
You should initialize the SSH key store for the first time use:
% skm init
✔ SSH key store initialized!
So, where are my SSH keys?
SKM will create SSH key store at $HOME/.skm and put all the SSH keys in it.
NOTE: If you already have id_rsa & id_rsa.pub key pairs in $HOME/.ssh, SKM will move them to $HOME/.skm/default
Create a new SSH key
Supported key types: ed25519 (default), rsa, ed25519-sk, ecdsa-sk. The
-sk variants are FIDO2 hardware-backed keys and require ssh-keygen 8.2+
plus a security key (YubiKey, Solo, etc.) plugged in at creation time.
% skm create prod -C "abc@abc.com"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/timothy/.skm/prod/id_ed25519.
Your public key has been saved in /Users/timothy/.skm/prod/id_ed25519.pub.
...
✔ SSH key [prod] created!
Other examples:
skm create old -t rsa -b 4096 # RSA (minimum 3072 bits enforced)
skm create yubi -t ed25519-sk # hardware-backed; prompts for PIN + touch
RSA keys below 3072 bits are rejected — skm audit flags those as weak, so
create and audit agree on what’s safe. Use ssh-keygen directly if you
need a smaller key for testing.
List SSH keys
By default ls shows alias, key type, and comment in three columns; the
active default key is marked with ->. Use -l / --long for the full table
with bits, fingerprint, agent status, and the modification date.
% skm ls
✔ Found 3 SSH key(s)!
-> default [ssh-ed25519] [work@laptop]
dev [ssh-ed25519] [dev]
prod [ssh-rsa] [prod]
% skm ls -l
✔ Found 3 SSH key(s)!
ALIAS TYPE BITS FINGERPRINT AGENT CREATED COMMENT
* default ed25519 256 SHA256:pFsC7J7L9L08f3w8uP6ozRaGW5Dg8CdEkP8iVj7++pw yes 2026-05-16 work@laptop
dev ed25519 256 SHA256:7dFJEj7WGAL8rn9AqLNYdoTQrqgv00kdnqJlufvxgg4 - 2026-05-12 dev
prod rsa 4096 SHA256:DEyhI38hQ5WYABdx9SrJuhqrIyLvfRcZTtzXARuyn0k - 2026-05-01 prod
Other useful flags:
skm ls -q # quiet — just the alias names, default marked with ->
skm ls --json # machine-readable output for scripting
skm ls -t ed25519 # filter by key type
Set default SSH key
% skm use dev
Now using SSH key: dev
Prompt UI for key selection
You can just type skm use, then a prompt UI will help you to choose the right SSH key:
Display public key
% skm display
Or display specific SSH public key by alias name:
% skm display prod
Delete a SSH key
% skm delete prod
Please confirm to delete SSH key [prod] [y/n]: y
✔ SSH key [prod] moved to trash (restore with: skm trash restore prod-20260521150412)
By default a delete moves the alias into the store’s trash so it can be recovered. Pass multiple aliases to batch-delete; missing aliases are reported and skipped. -y / --yes skips the confirmation, --purge hard-deletes (skipping the trash):
% skm delete -y staging legacy old-laptop
% skm delete --purge --yes ancient
Recover a deleted SSH key
% skm trash list
NAME ALIAS DELETED
prod-20260521150412 prod 2026-05-21 15:04:12
% skm trash restore prod-20260521150412
✔ Restored [prod-20260521150412] as alias [prod]
You can pass either the trash entry name (prod-20260521150412) or just the alias (prod); the latter works when only one trashed entry matches. If the original alias is already taken, pass --as <new-alias>. Empty the trash with skm trash empty (prompts for confirmation; -y to skip).
Copy SSH public key to a remote host
By default the currently active key is pushed:
% skm cp timothy@example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/timothy/.skm/default/id_rsa.pub"
...
✔ SSH key copied to remote host
Useful flags:
skm cp --key work timothy@example.com # push a specific key, not the default
skm cp --pick timothy@example.com # interactively choose the key
skm cp -p 2222 timothy@example.com # non-default SSH port
skm cp timothy@[2001:db8::1]:2222 # IPv6 hosts work too
skm cp --dry-run timothy@example.com # preview the ssh-copy-id command
Rename a SSH key with a new alias name
% skm rn test tmp
✔ SSH key [test] renamed to [tmp]
Backup SSH keys
Backup all your SSH keys to a tarball in $HOME.
% skm backup
a .
a ./default/id_rsa
a ./default/id_rsa.pub
…
✔ All SSH keys backup to: /Users/timothy/skm-20260521221544.tar.gz
⚠ This bundle contains UNENCRYPTED private keys. If it leaves this
machine, anyone with the file can use your keys. Re-run with
--encrypt to produce an encrypted archive.
The default tar contains your private keys in the clear. To produce an
encrypted bundle (AES-256-CBC via openssl, same envelope as skm export
--encrypt), pass --encrypt:
% skm backup --encrypt
enter AES-256-CBC encryption password:
Verifying - enter AES-256-CBC encryption password:
✔ All SSH keys backup to: /Users/timothy/skm-20260521221544.tar.gz.enc
Decrypt with: openssl enc -d -aes-256-cbc -pbkdf2 -in /Users/timothy/skm-20260521221544.tar.gz.enc -out skm-20260521221544.tar.gz
For scripted use, pass --password-file <path> to read the passphrase from a
file instead of prompting.
Restic-backed backups (local or cloud)
If you have restic installed, SKM can use it to produce encrypted, deduplicated, snapshot-style backups that can target local disk, S3, Cloudflare R2, Backblaze B2, SFTP, and any other backend restic supports. Run the one-time interactive setup first:
% skm backup --restic --init
Configuring restic backup for SKM.
Examples:
Local: /Users/me/.skm-backups
S3: s3:s3.amazonaws.com/my-bucket/skm
R2: s3:https://<account>.r2.cloudflarestorage.com/my-bucket/skm
SFTP: sftp:user@host:/data/skm
B2: b2:my-bucket/skm
For S3, R2, and B2, set the relevant credential env vars (e.g.
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) before running backup.
✔ Restic repository initialized at s3:https://abc.r2.cloudflarestorage.com/skm
⚠ IMPORTANT: store the restic password somewhere OTHER than this machine.
If this laptop is lost and the password only lives in ~/.skm-backups.passwd,
the backup will be unrecoverable.
Then run repeat backups:
% skm backup --restic
✔ Backup to s3:https://abc.r2.cloudflarestorage.com/skm complete
Restic encrypts every chunk client-side before upload, so the remote destination never sees plaintext. The R2/S3 credentials and the restic password are independent secrets — losing the credentials means re-issuing them; losing the restic password means the backup is unrecoverable.
Restore SSH keys
% skm restore ~/skm-20260521221544.tar.gz
✔ All SSH keys restored to /Users/timothy/.skm
.enc bundles are auto-detected and decrypted before extraction:
% skm restore ~/skm-20260521221544.tar.gz.enc
enter AES-256-CBC decryption password:
✔ All SSH keys restored to /Users/timothy/.skm
For restic-backed backups, pick a snapshot to restore:
% skm restore --restic --restic-snapshot $SNAPSHOT
✔ Backup restored to /Users/$USER/.skm
Omit --restic-snapshot and SKM will list the available snapshots.
Import an existing key
Pull an existing key pair from anywhere on disk into the SKM store. The
matching half of the pair is inferred from the .pub suffix; the key type
is detected from the public key’s header.
% skm import --alias work ~/old-laptop/.ssh/id_ed25519
✔ Imported ed25519 key as [work]
skm import also accepts an skm export bundle (.tar.gz, .tgz, or
.tar.gz.enc). For encrypted bundles, openssl prompts for the passphrase.
% skm import ~/skm-work-20260516193629.tar.gz.enc
enter aes-256-cbc decryption password:
✔ Imported bundle as [work]
Useful flags:
skm import --alias newname bundle.tar.gz # rename the alias on the way in
skm import --move ~/old/id_ed25519 # remove the source after a successful copy
Note: put
--alias/--movebefore the path argument — flags placed after the path are not parsed, and SKM will error out with a hint if it sees one.
Export a single key
Bundle one alias into a portable archive that you can move to another
machine and import there. The archive contains the private key, the public
key, and any hook file under that alias.
% skm export work
✔ Exported [work] to /Users/timothy/skm-work-20260516193629.tar.gz
Add --encrypt to wrap the bundle with openssl enc -aes-256-cbc -pbkdf2,
which prompts for a passphrase:
% skm export --encrypt work
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
✔ Exported [work] to /Users/timothy/skm-work-20260516193629.tar.gz.enc
You can also specify the output path:
skm export -o /tmp/work.tar.gz work
Inspect a key
% skm fingerprint work
SHA256:pFsC7J7L9L08f3w8uP6ozRaGW5Dg8CdEkP8iVj7++pw
% skm info work
Alias work
Default yes
Type ed25519
Bits 256
Fingerprint SHA256:pFsC7J7L9L08f3w8uP6ozRaGW5Dg8CdEkP8iVj7++pw
Comment work@laptop
In agent yes
Private /Users/timothy/.skm/work/id_ed25519
Public /Users/timothy/.skm/work/id_ed25519.pub
Modified 2026-05-16 19:56:07
Both commands default to the active key when no alias is given.
Add / rotate / remove a passphrase
skm passphrase wraps ssh-keygen -p. Use an empty new passphrase at the
prompt to remove the existing one.
% skm passphrase work
Updating passphrase for [work] (/Users/timothy/.skm/work/id_ed25519)
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
✔ Passphrase updated for [work]
Run diagnostics
skm doctor walks through the most common environment problems — missing
SSH binaries, an unreachable ssh-agent, unwritable store paths, the
default key not resolving, RSA keys below 3072 bits, public/private files
with loose permissions, or hook scripts missing the executable bit.
% skm doctor
✔ ssh-keygen available
✔ ssh-add available
✔ ssh-copy-id available
✔ ssh-agent reachable with identities loaded
✔ /Users/timothy/.skm writable (mode -rwxr-xr-x)
✔ /Users/timothy/.ssh writable (mode -rwxr-xr-x)
✔ default key [work] resolves to /Users/timothy/.skm/work/id_ed25519
✔ private key id_ed25519 mode -rw-------
✔ key [work] ed25519/256
✔ hook for [work] is executable
10 passed, 0 warning(s), 0 failure(s)
skm doctor --json emits the same checks as a JSON array for scripting.
Failures cause a non-zero exit; warnings do not.
Audit your keys
Where doctor inspects the environment, skm audit (alias au) inspects the
keys themselves. It walks every key in the store and reports:
- RSA keys below
--rsa-min(default 3072) — failure - Private keys with no passphrase — warning
- Keys older than
--max-age(default1y, acceptsNd|Nw|Nm|Ny) — warning
% skm audit
[legacy]
✖ strength: RSA-1024 is below the 3072-bit minimum
hint: Rotate with `skm create legacy -t ed25519` (or RSA >= 3072)
! passphrase: private key is not protected by a passphrase
hint: Add one with `skm passphrase legacy`
! age: key is 2y old (threshold 1y)
hint: Consider rotating with `skm create` + `skm copy`
1 clean, 0 with warnings, 1 with failures (of 2 key(s))
Flags:
--json— emit findings as a JSON array for tooling--strict— promote warnings to failures (useful in CI)--max-age <duration>— override the age threshold (e.g.30d,6m)--rsa-min <bits>— override the minimum acceptable RSA key size
Audit exits non-zero on any failure-level finding; warnings alone return 0
unless --strict is set.
Publish a public key to GitHub, GitLab, or Bitbucket
skm publish (alias pub) uploads a public key to a Git hosting provider
via its API, so you don’t need to copy-paste into the web UI. The currently
active key is used when no alias is given.
% skm publish work --github
✔ published [work] to github as "skm-work-laptop-20260524"
% skm publish work --gitlab --url https://gitlab.internal
% skm publish work --bitbucket --user alice
% skm publish --github --dry-run # preview without uploading
Only the public key is ever read; the private key is never touched.
Tokens
Resolution order (per provider):
--token <token>flag- Environment variable
- GitHub:
$SKM_GITHUB_TOKEN,$GITHUB_TOKEN,$GH_TOKEN - GitLab:
$SKM_GITLAB_TOKEN,$GITLAB_TOKEN,$GL_TOKEN - Bitbucket:
$SKM_BITBUCKET_TOKEN,$BITBUCKET_TOKEN
- GitHub:
- CLI fallback (only when no token was found above)
- GitHub:
gh auth token(requiresgh auth login; needs scopeadmin:public_key) - GitLab:
glab auth token - Bitbucket: none — use a Bitbucket app password (scope: Account: Write)
- GitHub:
If your existing gh session is missing the required scope:
gh auth refresh -s admin:public_key
Self-hosted instances
Pass --url to point at GitHub Enterprise or a self-hosted GitLab:
skm publish work --github --url https://github.example.com/api/v3
skm publish work --gitlab --url https://gitlab.example.com
Idempotency
publish lists the keys already on the provider and compares them to the
local one by canonical form (type + base64, ignoring trailing comments). A
duplicate prints a notice and exits 0 — re-running the command is safe:
% skm publish work --github
✔ [work] already published on github as "skm-work-laptop-20260520"
Title
Defaults to skm-<alias>-<hostname>-<YYYYMMDD> so the entry is identifiable
in the provider’s UI later. Override with --title:
skm publish work --github --title "tims-macbook"
Integrate with SSH agent
You can use cache command to cache your SSH key into SSH agent’s cache via SSH alias name.
Cache your SSH key
λ tim [~/]
→ skm cache --add my
Enter passphrase for /Users/timothy/.skm/my/id_rsa:
Identity added: /Users/timothy/.skm/my/id_rsa (/Users/timothy/.skm/my/id_rsa)
✔ SSH key [my] already added into cache
Remove your SSH key from cache
λ tim [~/]
→ ./skm cache --del my
Identity removed: /Users/timothy/.skm/my/id_rsa (MyKEY)
✔ SSH key [my] removed from cache
List your cached SSH keys from SSH agent
λ tim [~/]
→ ./skm cache --list
2048 SHA256:qAVcwc0tdUOCjH3sTskwxAmfMQiL2sKtfPBXFnUoZHQ /Users/timothy/.skm/my/id_rsa (RSA)
Customized SSH key store path
By default, SKM uses $HOME/.skm as the default path of SSH key store.
You can define your customized key store path in your ~/.bashrc or ~/.zshrc by adding:
SKM_STORE_PATH=/usr/local/.skm
Hook mechanism
SKM fires hook scripts around key-lifecycle events. Hooks are ordinary executables (binary or script) that you drop into a known location; SKM picks them up automatically.
Events
| Event | When it fires | Failure behavior |
|---|---|---|
post-use |
After switching the default SSH key | Best-effort (warning only) |
post-create |
After skm create succeeds |
Best-effort (warning only) |
pre-delete |
After you confirm a delete, before removal | Non-zero exit aborts the delete |
post-copy |
After skm copy (ssh-copy-id) succeeds |
Best-effort (warning only) |
Where to put hook scripts
Two scopes; both fire (global first, then per-key):
~/.skm/hooks/<event> # global — runs for any alias
~/.skm/<alias>/hooks/<event> # per-key — runs only for that alias
For example:
~/.skm/hooks/pre-delete # global guard for every delete
~/.skm/work/hooks/post-use # only when switching to "work"
~/.skm/prod/hooks/post-copy # only after copying the "prod" key
The legacy ~/.skm/<alias>/hook file is still honored as a post-use hook for backward compatibility.
Don’t forget to make scripts executable:
chmod +x ~/.skm/work/hooks/post-use
Environment variables passed to hooks
Every hook receives these in its environment:
| Variable | Description |
|---|---|
SKM_EVENT |
The event name (post-use, pre-delete, …) |
SKM_ALIAS |
The alias name (also passed as $1) |
SKM_STORE_PATH |
The SKM store path |
SKM_SSH_PATH |
The user’s ~/.ssh path |
SKM_KEY_TYPE |
rsa, ed25519, … |
SKM_PRIVATE_KEY |
Absolute path to the private key |
SKM_PUBLIC_KEY |
Absolute path to the public key |
Event-specific extras:
| Event | Extra variables |
|---|---|
post-copy |
SKM_REMOTE_HOST, SKM_REMOTE_PORT |
Example: switch git identity on post-use
#!/bin/bash
# ~/.skm/work/hooks/post-use
git config --global user.name "Your Work Name"
git config --global user.email "you@work.example.com"
Example: log every key deployment via post-copy
#!/bin/sh
# ~/.skm/hooks/post-copy
echo "$(date -Iseconds) $SKM_ALIAS -> $SKM_REMOTE_HOST:${SKM_REMOTE_PORT:-22}" \
>> ~/.skm/deployments.log
Example: guard production keys against accidental delete
#!/bin/sh
# ~/.skm/prod/hooks/pre-delete — non-zero exit aborts the delete
echo "Refusing to delete production key. Remove this hook first." >&2
exit 1
Inspect configured hooks
skm hook ls # global hooks
skm hook ls <alias> # global + per-key for one alias
skm hook ls --all # global + per-key for every alias