Feature Request
Currently, the SSH Agent functionality (key storage, unlock, and signing) is only available through the Bitwarden Desktop application via the native Rust module (desktop_core::ssh_agent). This means users must have the desktop app running to use SSH keys stored in their Bitwarden vault.
I’d like to request SSH Agent support directly in the Bitwarden CLI (bw), allowing the CLI to act as a fully functional SSH agent — independently from the desktop app.
Expected behavior
A new CLI command (e.g., bw ssh-agent) that:
- Starts a background process exposing an SSH agent socket (SSH_AUTH_SOCK)
- Reads SSH keys from the unlocked vault
- Responds to standard SSH agent protocol requests (identity listing, signing)
- Supports the existing key approval settings (“Ask for authorization when using SSH agent”)
The existing Rust implementation in desktop_core could potentially be shared or extracted into a common library to avoid code duplication between desktop and CLI.
Use cases
- Headless servers / remote environments where installing a desktop GUI app is not practical
- WSL / containers / VMs where the desktop app’s SSH agent socket is not accessible or reliable
- CI/CD pipelines needing SSH key access from the vault without a GUI dependency
- Terminal-first workflows — many developers prefer not to depend on a GUI app just to unlock SSH keys
- Linux servers where only the CLI can realistically be installed
Alternatives considered
- Using the desktop app → not viable on headless or server environments
- Exporting SSH keys manually → defeats the purpose of centralized key management in Bitwarden
- Using bw get to extract private keys into files → insecure, no SSH agent protocol support, keys end up on disk in plaintext
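
The request handling listed under "Expected behavior" (identity listing, signing, the approval setting, and access only to an unlocked vault) can be sketched as follows. This is an added example, not part of the original request and not Bitwarden's code. `Identity`, `Approve`, `Sign`, `dispatch` and `handle` are hypothetical names, and the signing and approval hooks are stand-ins supplied by the caller.

```rust
const FAILURE: u8 = 5; // message numbers as defined by the SSH agent protocol
const REQUEST_IDENTITIES: u8 = 11;
const IDENTITIES_ANSWER: u8 = 12;
const SIGN_REQUEST: u8 = 13;
const SIGN_RESPONSE: u8 = 14;
/// Hypothetical view of one vault SSH key: public key blob plus comment.
pub struct Identity { pub blob: Vec<u8>, pub comment: String }
pub type Approve<'a> = &'a dyn Fn(&Identity) -> bool; // hypothetical approval-prompt hook
pub type Sign<'a> = &'a dyn Fn(&Identity, &[u8], u32) -> Vec<u8>; // hypothetical signing hook
fn be32(b: &[u8]) -> Option<u32> {
    b.get(..4).map(|b| u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}
fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}
fn take_string<'a>(buf: &mut &'a [u8]) -> Option<&'a [u8]> {
    let b: &'a [u8] = *buf;
    let end = (be32(b)? as usize).checked_add(4)?;
    let s = b.get(4..end)?; // a length that overruns the buffer is rejected here
    *buf = &b[end..];
    Some(s)
}

fn dispatch(mut msg: &[u8], keys: Option<&[Identity]>, approve: Approve, sign: Sign) -> Option<Vec<u8>> {
    let (&kind, mut p) = take_string(&mut msg)?.split_first()?; // frame = length, type, payload
    let keys = keys?; // None while the vault is locked: every request fails closed
    match kind {
        REQUEST_IDENTITIES => {
            let mut out = vec![IDENTITIES_ANSWER];
            out.extend_from_slice(&(keys.len() as u32).to_be_bytes());
            for k in keys { put_string(&mut out, &k.blob); put_string(&mut out, k.comment.as_bytes()); }
            Some(out)
        }
        SIGN_REQUEST => {
            let (blob, data) = (take_string(&mut p)?, take_string(&mut p)?);
            let key = keys.iter().find(|k| k.blob == blob)?; // unknown key: refuse
            if !approve(key) { return None; } // user declined the prompt
            let mut out = vec![SIGN_RESPONSE];
            put_string(&mut out, &sign(key, data, be32(p)?)); // trailing uint32 = flags
            Some(out)
        }
        _ => None,
    }
}

pub fn handle(msg: &[u8], keys: Option<&[Identity]>, approve: Approve, sign: Sign) -> Vec<u8> {
    let body = dispatch(msg, keys, approve, sign).unwrap_or_else(|| vec![FAILURE]);
    [&(body.len() as u32).to_be_bytes()[..], &body[..]].concat()
}
```

Every refusal (locked vault, unknown key, declined approval, malformed or unsupported request) collapses to the same SSH_AGENT_FAILURE reply, so a client cannot tell from the response which keys exist behind a locked vault.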