Key use stays per-request and under approval.
The private key is decrypted for a single signing request and zeroed again immediately after use.
$SSH_AUTH_SOCK
SSH Agent Protocol (RFC 4253)
When it fits
Use the agent path when signing should stay short-lived and auditable.
- Per-request signing: decrypt the key only for the current SSH signing request.
- Explicit approval: keep a human in the loop before the signature is produced.
- Zeroed memory: clear key material immediately after release so it does not linger in memory.
Key lifecycle
The private key is decrypted per signing request and zeroed immediately after. No long-lived cache.
- Vault: the SSH key stays encrypted at rest inside the vault.
- Decrypt: ChromVoid decrypts the key only for the signing request.
- Sign: the user approves the request and the signature is produced.
- Release: key material is zeroed in memory immediately after use.
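The four lifecycle steps above, as an added example that is not ChromVoid's code: a Go agent that keeps an Ed25519 seed sealed with AES-256-GCM as its at-rest vault form, gates every Sign call on an approval callback, unseals the seed only for that one request and zeroes both copies of the private material before returning. The vault KEK, the approval callback and the in-memory layout are assumptions made for the illustration; the SSH agent protocol framing on $SSH_AUTH_SOCK is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Agent holds only the vault-sealed seed (AES-256-GCM, nonce||ciphertext),
// the vault cipher and the approval gate. There is no plaintext key field.
type Agent struct {
	vault   cipher.AEAD
	sealed  []byte
	Pub     ed25519.PublicKey
	Approve func(data []byte) bool // human-in-the-loop decision, once per request
}

// NewAgent generates a key, seals its seed into the vault form and zeroes the plaintext.
func NewAgent(approve func([]byte) bool) (*Agent, error) {
	rnd := make([]byte, 76) // 32-byte seed || 32-byte vault KEK || 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	seed, kek, nonce := rnd[:32], rnd[32:64], rnd[64:]
	block, _ := aes.NewCipher(kek) // 32-byte key, so this cannot fail
	vault, _ := cipher.NewGCM(block)
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey) // Public() returns a copy
	sealed := vault.Seal(nonce, nonce, seed, nil)
	clear(seed) // the plaintext seed and expanded key exist only during setup
	clear(priv)
	return &Agent{vault: vault, sealed: sealed, Pub: pub, Approve: approve}, nil
}

// Sign is the per-request path: approve, unseal, sign, zero. Nothing is cached between calls.
func (a *Agent) Sign(data []byte) ([]byte, error) {
	if !a.Approve(data) {
		return nil, errors.New("signing denied: key was never decrypted")
	}
	seed, err := a.vault.Open(nil, a.sealed[:12], a.sealed[12:], nil) // 12-byte nonce prefix
	if err != nil {
		return nil, err
	}
	priv := ed25519.NewKeyFromSeed(seed)
	defer clear(priv) // release: both copies are zeroed on every return path
	defer clear(seed)
	return ed25519.Sign(priv, data), nil
}
```

Zeroing is best-effort in a garbage-collected runtime: copies the crypto library makes internally are outside the program's control, which is one more reason to keep the plaintext window to a single request rather than a cache.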
Security boundaries
- No disk key files: the agent does not leave unencrypted key files lying around on disk.
- No long-lived cache: there is no persistent cache between signing requests.
- Explicit approval: signing stays gated by a deliberate user action.
Limits and scope
The agent is intentionally simple and local.
- It focuses on a single signing lifecycle rather than general SSH orchestration.
- The key is decrypted per request, not kept hot in memory.
- Remote key services and multi-hop orchestration stay future scope.
- The threat model page is the current source of truth for scope and boundaries.
Not a key daemon farm
The agent is a local approval path for a vault-backed SSH key.
Keep SSH signing inside a local vault-backed approval loop.
The key appears only for the request, then gets zeroed again immediately afterward.