SSH Agent vs Raw Keys: When to Use Each (and When Not To)
SSH gives you two ways to authenticate:
- raw private keys
- SSH agent
They are not interchangeable.
What SSH agent is
SSH agent is a background process that holds private keys in memory.
It signs authentication requests without exposing key files.
Raw keys (direct usage)
ssh -i ~/.ssh/key user@server
Simple and explicit.
Best for:
- CI/CD
- automation
- servers
SSH agent usage
ssh-add ~/.ssh/key
ssh user@server
Best for:
- local development
- frequent access
- passphrase-protected keys
Why CI/CD should NOT use agent
- agents require interactive sessions
- runners are ephemeral
- keys must be explicit
Use raw keys in automation.
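One way to keep a CI job on an explicit key file and away from any agent, as an added example that is not from the original post. The function names, the SSH_BIN override (used for dry runs) and the host deploy@host.example are assumptions made for illustration; the ssh options are standard OpenSSH client options.

```sh
#!/bin/sh
# Added example: run ssh from automation with one explicit key and no agent.

# check_key_file KEY
# Succeeds only if KEY is a regular file with no group/other permission bits.
# ssh refuses private keys that other users can read, so fail early and loudly.
check_key_file() {
    key_path=$1
    [ -f "$key_path" ] || { echo "no such key file: $key_path" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$key_path" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "key is accessible to group/other: $key_path" >&2
        return 1
    }
}

# automation_ssh KEY TARGET [REMOTE COMMAND...]
# SSH_BIN is a hypothetical override for dry runs; it defaults to ssh.
automation_ssh() {
    [ $# -ge 2 ] || { echo "usage: automation_ssh KEY TARGET [CMD...]" >&2; return 2; }
    key=$1; target=$2; shift 2
    check_key_file "$key" || return 1
    # A runner may inherit an agent socket; say so, then ignore it.
    [ -z "${SSH_AUTH_SOCK:-}" ] || echo "note: SSH_AUTH_SOCK is set, agent ignored" >&2
    # -i KEY             : the explicit key file
    # IdentitiesOnly=yes : offer only that key, not other default identities
    # IdentityAgent=none : do not talk to any agent, even if SSH_AUTH_SOCK is set
    # BatchMode=yes      : never prompt; fail instead of waiting on a passphrase
    "${SSH_BIN:-ssh}" -i "$key" \
        -o IdentitiesOnly=yes \
        -o IdentityAgent=none \
        -o BatchMode=yes \
        "$target" "$@"
}

# Typical call inside a job (constructed values):
#   automation_ssh "$DEPLOY_KEY_FILE" deploy@host.example uptime
```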
Security tradeoffs
| Method | Risk |
|---|---|
| Raw keys | file leakage |
| Agent | memory hijack |
Choose based on context.
Final rule
Humans → SSH agent
Automation → raw keys
Never mix them.