-blue.svg){kind=icon}
SKM is a simple and powerful SSH Keys Manager. It helps you to manage your multiple SSH keys easily!
- Create, List, Delete your SSH key(s)
- Manage all your SSH keys by alias names
- Choose and set a default SSH key
- Display public key via alias name
- Copy any SSH key to a remote host (with optional
--key,--pick,--dry-run) - Rename SSH key alias name
- Backup and restore all your SSH keys
- Import an existing key pair from anywhere on disk
- Export a single key as a (optionally encrypted) bundle
- Inspect a key with
fingerprintandinfo - Add / rotate / remove a key's passphrase
- Diagnose your environment with
skm doctor - Audit stored keys for weak strength, missing passphrases, and age with
skm audit - Publish a public key to GitHub, GitLab, or Bitbucket with
skm publish - Soft-delete to a recoverable trash, with
skm trash list|restore|empty - Prompt UI (with fuzzy search) for SSH key selection across multiple commands
- Customized SSH key store path
- Pluggable hooks on
post-use,post-create,pre-delete,post-copyevents (per-key and global)
Starting from v0.8.9, skm has been officially submitted to the homebrew-core repository, so you can install it directly on both macOS and Linux:
brew install skmIf you previously installed
skmthrough the old tap, please remove it first to avoid conflicts:brew uninstall skm brew untap timothyye/tap brew install skm
go get github.com/TimothyYe/skm/cmd/skmDownload it from releases and extact it to /usr/bin or your PATH directory.
% skm
SKM V0.8.8
https://github.com/TimothyYe/skm
NAME:
SKM - Manage your multiple SSH keys easily
USAGE:
skm [global options] command [command options] [arguments...]
VERSION:
0.8.8
COMMANDS:
init, i Initialize SSH keys store for the first time use.
create, c Create a new SSH key.
ls, l List all the available SSH keys.
use, u Set specific SSH key as default by its alias name.
delete, d Delete specific SSH key by alias name.
rename, rn Rename SSH key alias name to a new one.
copy, cp Copy SSH public key to a remote host.
display, dp Display the current SSH public key or specific SSH public key by alias name.
backup, b Backup all SSH keys to an archive file.
restore, r Restore SSH keys from an existing archive file.
import, im Import an existing SSH key pair (or an skm export bundle) into the store.
export, ex Export a single key as a tar.gz bundle (optionally encrypted).
fingerprint, fp Print the SHA256 fingerprint of an SSH key.
info, in Show detailed information about an SSH key.
passphrase, pp Add, rotate, or remove the passphrase on an SSH key.
publish, pub Upload an SSH public key to GitHub, GitLab, or Bitbucket.
doctor, dr Run diagnostics against the SKM environment, agent, and stored keys.
audit, au Audit stored keys for weak strength, missing passphrases, and age.
cache Add your SSH to SSH agent cache via alias name.
help, h Shows a list of commands or help for one command.
GLOBAL OPTIONS:
--store-path value Path where SKM should store its profiles (default: "/Users/timothy/.skm")
--ssh-path value Path to a .ssh folder (default: "/Users/timothy/.ssh")
--restic-path value Path to the restic binary
--help, -h show help
--version, -v print the versionYou should initialize the SSH key store for the first time use:
% skm init
✔ SSH key store initialized!So, where are my SSH keys?
SKM will create SSH key store at $HOME/.skm and put all the SSH keys in it.
NOTE: If you already have id_rsa & id_rsa.pub key pairs in $HOME/.ssh, SKM will move them to $HOME/.skm/default
Supported key types: ed25519 (default), rsa, ed25519-sk, ecdsa-sk. The
-sk variants are FIDO2 hardware-backed keys and require ssh-keygen 8.2+
plus a security key (YubiKey, Solo, etc.) plugged in at creation time.
% skm create prod -C "abc@abc.com"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/timothy/.skm/prod/id_ed25519.
Your public key has been saved in /Users/timothy/.skm/prod/id_ed25519.pub.
...
✔ SSH key [prod] created!Other examples:
skm create old -t rsa -b 4096 # RSA (minimum 3072 bits enforced)
skm create yubi -t ed25519-sk # hardware-backed; prompts for PIN + touchRSA keys below 3072 bits are rejected — skm audit flags those as weak, so
create and audit agree on what's safe. Use ssh-keygen directly if you
need a smaller key for testing.
By default ls shows alias, key type, and comment in three columns; the
active default key is marked with ->. Use -l / --long for the full table
with bits, fingerprint, agent status, and the modification date.
% skm ls
✔ Found 3 SSH key(s)!
-> default [ssh-ed25519] [work@laptop]
dev [ssh-ed25519] [dev]
prod [ssh-rsa] [prod]
% skm ls -l
✔ Found 3 SSH key(s)!
ALIAS TYPE BITS FINGERPRINT AGENT CREATED COMMENT
* default ed25519 256 SHA256:pFsC7J7L9L08f3w8uP6ozRaGW5Dg8CdEkP8iVj7++pw yes 2026-05-16 work@laptop
dev ed25519 256 SHA256:7dFJEj7WGAL8rn9AqLNYdoTQrqgv00kdnqJlufvxgg4 - 2026-05-12 dev
prod rsa 4096 SHA256:DEyhI38hQ5WYABdx9SrJuhqrIyLvfRcZTtzXARuyn0k - 2026-05-01 prodOther useful flags:
skm ls -q # quiet — just the alias names, default marked with ->
skm ls --json # machine-readable output for scripting
skm ls -t ed25519 # filter by key type% skm use dev
Now using SSH key: devYou can just type skm use, then a prompt UI will help you to choose the right SSH key:
% skm displayOr display specific SSH public key by alias name:
% skm display prod% skm delete prod
Please confirm to delete SSH key [prod] [y/n]: y
✔ SSH key [prod] moved to trash (restore with: skm trash restore prod-20260521150412)By default a delete moves the alias into the store's trash so it can be recovered. Pass multiple aliases to batch-delete; missing aliases are reported and skipped. -y / --yes skips the confirmation, --purge hard-deletes (skipping the trash):
% skm delete -y staging legacy old-laptop
% skm delete --purge --yes ancient% skm trash list
NAME ALIAS DELETED
prod-20260521150412 prod 2026-05-21 15:04:12
% skm trash restore prod-20260521150412
✔ Restored [prod-20260521150412] as alias [prod]You can pass either the trash entry name (prod-20260521150412) or just the alias (prod); the latter works when only one trashed entry matches. If the original alias is already taken, pass --as <new-alias>. Empty the trash with skm trash empty (prompts for confirmation; -y to skip).
By default the currently active key is pushed:
% skm cp timothy@example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/timothy/.skm/default/id_rsa.pub"
...
✔ SSH key copied to remote hostUseful flags:
skm cp --key work timothy@example.com # push a specific key, not the default
skm cp --pick timothy@example.com # interactively choose the key
skm cp -p 2222 timothy@example.com # non-default SSH port
skm cp timothy@[2001:db8::1]:2222 # IPv6 hosts work too
skm cp --dry-run timothy@example.com # preview the ssh-copy-id command% skm rn test tmp
✔ SSH key [test] renamed to [tmp]Backup all your SSH keys to a tarball in $HOME.
% skm backup
a .
a ./default/id_rsa
a ./default/id_rsa.pub
…
✔ All SSH keys backup to: /Users/timothy/skm-20260521221544.tar.gz
⚠ This bundle contains UNENCRYPTED private keys. If it leaves this
machine, anyone with the file can use your keys. Re-run with
--encrypt to produce an encrypted archive.The default tar contains your private keys in the clear. To produce an
encrypted bundle (AES-256-CBC via openssl, same envelope as skm export --encrypt), pass --encrypt:
% skm backup --encrypt
enter AES-256-CBC encryption password:
Verifying - enter AES-256-CBC encryption password:
✔ All SSH keys backup to: /Users/timothy/skm-20260521221544.tar.gz.enc
Decrypt with: openssl enc -d -aes-256-cbc -pbkdf2 -in /Users/timothy/skm-20260521221544.tar.gz.enc -out skm-20260521221544.tar.gzFor scripted use, pass --password-file <path> to read the passphrase from a
file instead of prompting.
If you have restic installed, SKM can use it to produce encrypted, deduplicated, snapshot-style backups that can target local disk, S3, Cloudflare R2, Backblaze B2, SFTP, and any other backend restic supports. Run the one-time interactive setup first:
% skm backup --restic --init
Configuring restic backup for SKM.
Examples:
Local: /Users/me/.skm-backups
S3: s3:s3.amazonaws.com/my-bucket/skm
R2: s3:https://<account>.r2.cloudflarestorage.com/my-bucket/skm
SFTP: sftp:user@host:/data/skm
B2: b2:my-bucket/skm
For S3, R2, and B2, set the relevant credential env vars (e.g.
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) before running backup.
✔ Restic repository initialized at s3:https://abc.r2.cloudflarestorage.com/skm
⚠ IMPORTANT: store the restic password somewhere OTHER than this machine.
If this laptop is lost and the password only lives in ~/.skm-backups.passwd,
the backup will be unrecoverable.Then run repeat backups:
% skm backup --restic
✔ Backup to s3:https://abc.r2.cloudflarestorage.com/skm completeRestic encrypts every chunk client-side before upload, so the remote destination never sees plaintext. The R2/S3 credentials and the restic password are independent secrets — losing the credentials means re-issuing them; losing the restic password means the backup is unrecoverable.
% skm restore ~/skm-20260521221544.tar.gz
✔ All SSH keys restored to /Users/timothy/.skm.enc bundles are auto-detected and decrypted before extraction:
% skm restore ~/skm-20260521221544.tar.gz.enc
enter AES-256-CBC decryption password:
✔ All SSH keys restored to /Users/timothy/.skmFor restic-backed backups, pick a snapshot to restore:
% skm restore --restic --restic-snapshot $SNAPSHOT
✔ Backup restored to /Users/$USER/.skmOmit --restic-snapshot and SKM will list the available snapshots.
Pull an existing key pair from anywhere on disk into the SKM store. The
matching half of the pair is inferred from the .pub suffix; the key type
is detected from the public key's header.
% skm import --alias work ~/old-laptop/.ssh/id_ed25519
✔ Imported ed25519 key as [work]skm import also accepts an skm export bundle (.tar.gz, .tgz, or
.tar.gz.enc). For encrypted bundles, openssl prompts for the passphrase.
% skm import ~/skm-work-20260516193629.tar.gz.enc
enter aes-256-cbc decryption password:
✔ Imported bundle as [work]Useful flags:
skm import --alias newname bundle.tar.gz # rename the alias on the way in
skm import --move ~/old/id_ed25519 # remove the source after a successful copyNote: put
--alias/--movebefore the path argument — flags placed after the path are not parsed, and SKM will error out with a hint if it sees one.
Bundle one alias into a portable archive that you can move to another
machine and import there. The archive contains the private key, the public
key, and any hook file under that alias.
% skm export work
✔ Exported [work] to /Users/timothy/skm-work-20260516193629.tar.gzAdd --encrypt to wrap the bundle with openssl enc -aes-256-cbc -pbkdf2,
which prompts for a passphrase:
% skm export --encrypt work
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
✔ Exported [work] to /Users/timothy/skm-work-20260516193629.tar.gz.encYou can also specify the output path:
skm export -o /tmp/work.tar.gz work% skm fingerprint work
SHA256:pFsC7J7L9L08f3w8uP6ozRaGW5Dg8CdEkP8iVj7++pw
% skm info work
Alias work
Default yes
Type ed25519
Bits 256
Fingerprint SHA256:pFsC7J7L9L08f3w8uP6ozRaGW5Dg8CdEkP8iVj7++pw
Comment work@laptop
In agent yes
Private /Users/timothy/.skm/work/id_ed25519
Public /Users/timothy/.skm/work/id_ed25519.pub
Modified 2026-05-16 19:56:07Both commands default to the active key when no alias is given.
skm passphrase wraps ssh-keygen -p. Use an empty new passphrase at the
prompt to remove the existing one.
% skm passphrase work
Updating passphrase for [work] (/Users/timothy/.skm/work/id_ed25519)
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
✔ Passphrase updated for [work]skm doctor walks through the most common environment problems — missing
SSH binaries, an unreachable ssh-agent, unwritable store paths, the
default key not resolving, RSA keys below 3072 bits, public/private files
with loose permissions, or hook scripts missing the executable bit.
% skm doctor
✔ ssh-keygen available
✔ ssh-add available
✔ ssh-copy-id available
✔ ssh-agent reachable with identities loaded
✔ /Users/timothy/.skm writable (mode -rwxr-xr-x)
✔ /Users/timothy/.ssh writable (mode -rwxr-xr-x)
✔ default key [work] resolves to /Users/timothy/.skm/work/id_ed25519
✔ private key id_ed25519 mode -rw-------
✔ key [work] ed25519/256
✔ hook for [work] is executable
10 passed, 0 warning(s), 0 failure(s)skm doctor --json emits the same checks as a JSON array for scripting.
Failures cause a non-zero exit; warnings do not.
Where doctor inspects the environment, skm audit (alias au) inspects the
keys themselves. It walks every key in the store and reports:
- RSA keys below
--rsa-min(default 3072) — failure - Private keys with no passphrase — warning
- Keys older than
--max-age(default1y, acceptsNd|Nw|Nm|Ny) — warning
% skm audit
[legacy]
✖ strength: RSA-1024 is below the 3072-bit minimum
hint: Rotate with `skm create legacy -t ed25519` (or RSA >= 3072)
! passphrase: private key is not protected by a passphrase
hint: Add one with `skm passphrase legacy`
! age: key is 2y old (threshold 1y)
hint: Consider rotating with `skm create` + `skm copy`
1 clean, 0 with warnings, 1 with failures (of 2 key(s))Flags:
--json— emit findings as a JSON array for tooling--strict— promote warnings to failures (useful in CI)--max-age <duration>— override the age threshold (e.g.30d,6m)--rsa-min <bits>— override the minimum acceptable RSA key size
Audit exits non-zero on any failure-level finding; warnings alone return 0
unless --strict is set.
skm publish (alias pub) uploads a public key to a Git hosting provider
via its API, so you don't need to copy-paste into the web UI. The currently
active key is used when no alias is given.
% skm publish work --github
✔ published [work] to github as "skm-work-laptop-20260524"
% skm publish work --gitlab --url https://gitlab.internal
% skm publish work --bitbucket --user alice
% skm publish --github --dry-run # preview without uploadingOnly the public key is ever read; the private key is never touched.
Resolution order (per provider):
--token <token>flag- Environment variable
- GitHub:
$SKM_GITHUB_TOKEN,$GITHUB_TOKEN,$GH_TOKEN - GitLab:
$SKM_GITLAB_TOKEN,$GITLAB_TOKEN,$GL_TOKEN - Bitbucket:
$SKM_BITBUCKET_TOKEN,$BITBUCKET_TOKEN
- GitHub:
- CLI fallback (only when no token was found above)
- GitHub:
gh auth token(requiresgh auth login; needs scopeadmin:public_key) - GitLab:
glab auth token - Bitbucket: none — use a Bitbucket app password (scope: Account: Write)
- GitHub:
If your existing gh session is missing the required scope:
gh auth refresh -s admin:public_keyPass --url to point at GitHub Enterprise or a self-hosted GitLab:
skm publish work --github --url https://github.example.com/api/v3
skm publish work --gitlab --url https://gitlab.example.compublish lists the keys already on the provider and compares them to the
local one by canonical form (type + base64, ignoring trailing comments). A
duplicate prints a notice and exits 0 — re-running the command is safe:
% skm publish work --github
✔ [work] already published on github as "skm-work-laptop-20260520"Defaults to skm-<alias>-<hostname>-<YYYYMMDD> so the entry is identifiable
in the provider's UI later. Override with --title:
skm publish work --github --title "tims-macbook"You can use cache command to cache your SSH key into SSH agent's cache via SSH alias name.
Cache your SSH key
λ tim [~/]
→ skm cache --add my
Enter passphrase for /Users/timothy/.skm/my/id_rsa:
Identity added: /Users/timothy/.skm/my/id_rsa (/Users/timothy/.skm/my/id_rsa)
✔ SSH key [my] already added into cacheRemove your SSH key from cache
λ tim [~/]
→ ./skm cache --del my
Identity removed: /Users/timothy/.skm/my/id_rsa (MyKEY)
✔ SSH key [my] removed from cacheList your cached SSH keys from SSH agent
λ tim [~/]
→ ./skm cache --list
2048 SHA256:qAVcwc0tdUOCjH3sTskwxAmfMQiL2sKtfPBXFnUoZHQ /Users/timothy/.skm/my/id_rsa (RSA)By default, SKM uses $HOME/.skm as the default path of SSH key store.
You can define your customized key store path in your ~/.bashrc or ~/.zshrc by adding:
SKM_STORE_PATH=/usr/local/.skmSKM fires hook scripts around key-lifecycle events. Hooks are ordinary executables (binary or script) that you drop into a known location; SKM picks them up automatically.
| Event | When it fires | Failure behavior |
|---|---|---|
post-use |
After switching the default SSH key | Best-effort (warning only) |
post-create |
After skm create succeeds |
Best-effort (warning only) |
pre-delete |
After you confirm a delete, before removal | Non-zero exit aborts the delete |
post-copy |
After skm copy (ssh-copy-id) succeeds |
Best-effort (warning only) |
Two scopes; both fire (global first, then per-key):
~/.skm/hooks/<event> # global — runs for any alias
~/.skm/<alias>/hooks/<event> # per-key — runs only for that aliasFor example:
~/.skm/hooks/pre-delete # global guard for every delete
~/.skm/work/hooks/post-use # only when switching to "work"
~/.skm/prod/hooks/post-copy # only after copying the "prod" keyThe legacy ~/.skm/<alias>/hook file is still honored as a post-use hook for backward compatibility.
Don't forget to make scripts executable:
chmod +x ~/.skm/work/hooks/post-useEvery hook receives these in its environment:
| Variable | Description |
|---|---|
SKM_EVENT |
The event name (post-use, pre-delete, …) |
SKM_ALIAS |
The alias name (also passed as $1) |
SKM_STORE_PATH |
The SKM store path |
SKM_SSH_PATH |
The user's ~/.ssh path |
SKM_KEY_TYPE |
rsa, ed25519, … |
SKM_PRIVATE_KEY |
Absolute path to the private key |
SKM_PUBLIC_KEY |
Absolute path to the public key |
Event-specific extras:
| Event | Extra variables |
|---|---|
post-copy |
SKM_REMOTE_HOST, SKM_REMOTE_PORT |
#!/bin/bash
# ~/.skm/work/hooks/post-use
git config --global user.name "Your Work Name"
git config --global user.email "you@work.example.com"#!/bin/sh
# ~/.skm/hooks/post-copy
echo "$(date -Iseconds) $SKM_ALIAS -> $SKM_REMOTE_HOST:${SKM_REMOTE_PORT:-22}" \
>> ~/.skm/deployments.log#!/bin/sh
# ~/.skm/prod/hooks/pre-delete — non-zero exit aborts the delete
echo "Refusing to delete production key. Remove this hook first." >&2
exit 1skm hook ls # global hooks
skm hook ls <alias> # global + per-key for one alias
skm hook ls --all # global + per-key for every alias