Your keys never touch the filesystem.
Private keys stay in the encrypted vault. Signing happens per-request with an approval prompt. When the vault locks, the agent forgets everything — no long-lived key cache.
$SSH_AUTH_SOCK
SSH Agent Protocol (RFC 4253)
Practical workflows
Vault-backed key storage with per-request signing — here is what that looks like in practice.
Git push without key files on disk
Point your SSH client at the ChromVoid agent socket. The private key stays in the vault alongside your other secrets — no unencrypted file ever lands in `~/.ssh`.
Approve every signature
Each signing request triggers an approval prompt. No process on your machine gets a silent, permanent pass to use your key.
Upstream agent passthrough
Keys outside ChromVoid stay outside ChromVoid. Unrecognized requests are proxied to the system agent — no pretense of owning every identity on the machine.
Key lifecycle
The private key is decrypted per signing request and zeroed immediately after. No long-lived cache.
Vault-backed key storage
Import or generate SSH keys inside the vault. Private material is encrypted at rest — no plaintext files in your home directory.
Local socket, standard protocol
The agent exposes a stable local socket. `ssh` and `git` use standard SSH-agent protocol — no custom config, no wrappers.
Per-request key load
The private key is decrypted for each signing request and released immediately after. No long-lived key cache in the agent process.
Security boundaries
Desktop-only scope
v1 targets macOS and Linux via Unix domain sockets. Mobile and Windows named-pipe support are not shipped.
Lock revokes all identities
When the vault locks, the agent drops every loaded identity. No stale session continues to sign on your behalf.
Approval over silent convenience
Explicit approval and local audit trail take priority. The agent does not default to signing for every process that asks.
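The dispatch described above (per-request approval, upstream passthrough for keys the vault does not hold, lock dropping every identity), as an added example that is not ChromVoid's own code: it frames and parses agent-protocol sign requests on the socket and returns the routing decision. The actual signing and the upstream socket connection are assumed to be handled by the caller, and the approval callback stands in for the prompt.

```python
import struct

# Message numbers from the SSH agent protocol (protocol constants, not ChromVoid code).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13

def _string(b):
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Read one length-prefixed 'string' field; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob, data, flags=0):
    """A framed SSH_AGENTC_SIGN_REQUEST as ssh or git would send it."""
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob) + _string(data)
    return _string(body + struct.pack(">I", flags))  # outer uint32 length prefix

FAILURE = _string(bytes([SSH_AGENT_FAILURE]))

class VaultAgent:
    """Per request: sign from the vault after approval, or pass through upstream."""

    def __init__(self, vault_key_blobs, approve):
        self._keys = set(vault_key_blobs)  # public-key blobs held in the vault
        self._approve = approve            # callback (key_blob, data) -> bool

    def lock(self):
        self._keys = set()  # lock drops every identity; nothing stays signable

    def route(self, framed):
        try:
            msg, rest = _read_string(framed, 0)
            if not msg or rest != len(framed):
                raise ValueError("bad frame")
            if msg[0] != SSH_AGENTC_SIGN_REQUEST:
                return ("forward", framed)  # identity listing etc.: upstream answers
            key_blob, off = _read_string(msg, 1)
            data, _ = _read_string(msg, off)
        except (struct.error, ValueError):
            return ("reject", FAILURE)
        if key_blob not in self._keys:
            return ("forward", framed)      # not a vault key: proxied unchanged
        if not self._approve(key_blob, data):
            return ("reject", FAILURE)      # user declined the prompt
        return ("sign", key_blob, data)     # decrypt, sign, zero the key
```

After `lock()` a request for a formerly vault-held key is forwarded upstream like any unknown key, so the system agent's own failure answer is what the client sees.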
Limits and prerequisites
Honest constraints — this page is the current source of truth for scope and boundaries.
- This feature is still in draft. This page describes design intent and current boundaries, not a finished specification.
- Windows named-pipe support is future scope. It is not a v1 deliverable.
- ChromVoid does not replace the system agent. Keys that live outside the vault stay managed by the OS.
What this is not
Not a universal SSH agent for every platform. Not a replacement for your existing system agent. A vault-first desktop tool with explicit scope limits.
SSH keys deserve the same security model as your other secrets
Start with the local-first vault. Review the current SSH-agent boundaries before adding it to your daily workflow.