The rule
If you're pushing to a git host (GitHub, GitLab, your company's Gitea — any of them), use 1Password's SSH agent instead of a raw key on disk. The private key never leaves the vault, every signature requires a biometric prompt, and you get a record of when each key was used.
A key sitting unencrypted in ~/.ssh/id_ed25519 is one stolen laptop, one exfiltrating npm package, or one curious teammate away from being lifted.
1Password replaces "trust the filesystem" with "trust the secure enclave."
Setup, briefly
- Turn on the SSH agent in 1Password (Settings → Developer → Use the SSH agent). Optional but recommended: enable "Authorize with biometrics."
- Point your shell at the 1Password agent socket. On macOS:

  # ~/.ssh/config
  Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

- Create a new SSH key directly in 1Password (Items → New → SSH Key) and add the public half to GitHub / GitLab / wherever. You won't ever see the private half on disk — that's the point.
- Verify:

  ssh-add -l              # should list the key from 1Password
  ssh -T git@github.com
Sign your git commits with the same key
Since git 2.34 you can sign commits with an SSH key — the same key 1Password is already managing. No GPG required.
git config --global gpg.format ssh
git config --global user.signingkey 'key::ssh-ed25519 AAAAC3... user@host'
git config --global commit.gpgsign true
git config --global tag.gpgsign true
In 1Password, open the key item and copy "Public Key" — that's the value for user.signingkey (prefixed with key::). Add the same public key to your GitHub account under SSH and GPG keys → New SSH key → Signing key, and your commits will show as Verified.
One key, three jobs: pushing code, pulling code, signing commits. One biometric prompt protects all of them.
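A check for the setup and signing steps above, added here as an example and not code from the post or from 1Password. It audits a `git config --list` dump for the signing settings, emits the allowed_signers line that local `git verify-commit` needs (GitHub's Verified badge does not give you local verification), and checks the agent socket: git signs through `ssh-keygen -Y sign`, which reaches the private key via SSH_AUTH_SOCK, so IdentityAgent in ~/.ssh/config alone is not enough. The file name signing_audit.sh and the --live flag are my own; the config dump in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from 1Password.
# Assumes POSIX sh and awk; audit_git_signing reads `git config --list` output.

# allowed_signers_line EMAIL "ssh-ed25519 AAAA... comment"
# Emits "EMAIL ssh-ed25519 AAAA..." (comment dropped) for the file named by
# gpg.ssh.allowedSignersFile, so `git verify-commit` and
# `git log --show-signature` can verify the key locally.
allowed_signers_line() {
    printf '%s %s\n' "$1" "$2" | awk '{ print $1, $2, $3 }'
}

# agent_sock_is_1password PATH
# Returns 0 when PATH is the macOS or Linux 1Password agent socket.
# git runs `ssh-keygen -Y sign`, which uses SSH_AUTH_SOCK, not IdentityAgent.
agent_sock_is_1password() {
    case "$1" in
        *2BUA8C4S2C.com.1password/t/agent.sock|*/.1password/agent.sock) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_git_signing < "git config --list" output
# Prints one line per missing or inconsistent setting; returns 0 when the
# configuration matches what the post sets up.
audit_git_signing() {
    awk -F= '
        /^$/ { next }
        # git prints section and key names lowercased; values stay verbatim
        { cfg[tolower($1)] = substr($0, index($0, "=") + 1) }
        END {
            bad = 0
            if (cfg["gpg.format"] != "ssh")      { print "gpg.format should be ssh"; bad++ }
            if (cfg["commit.gpgsign"] != "true") { print "commit.gpgsign should be true"; bad++ }
            if (cfg["tag.gpgsign"] != "true")    { print "tag.gpgsign should be true"; bad++ }
            k = cfg["user.signingkey"]
            if (k == "")                              { print "user.signingkey is unset"; bad++ }
            else if (substr(k, 1, 5) != "key::")      { print "user.signingkey: a literal public key needs the key:: prefix"; bad++ }
            else if (split(substr(k, 6), f, " ") < 2) { print "user.signingkey: expected key::<type> <base64>"; bad++ }
            if (cfg["gpg.ssh.allowedsignersfile"] == "") { print "gpg.ssh.allowedSignersFile unset: local git verify-commit cannot check signatures"; bad++ }
            exit (bad > 0)
        }
    '
}

# Live run on this machine: sh signing_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    git config --list | audit_git_signing
    agent_sock_is_1password "${SSH_AUTH_SOCK:-}" || echo "SSH_AUTH_SOCK does not point at the 1Password agent socket"
fi
```

The audit lowercases key names because `git config --list` prints them that way, so `gpg.ssh.allowedSignersFile` comes back as `gpg.ssh.allowedsignersfile`; values are compared verbatim, which is why `commit.gpgsign` must literally be `true`.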
Stretch goals: do the same for secrets
The same logic applies to API tokens. Stop writing OPENAI_API_KEY=sk-... into a .env file you forget about. The 1Password CLI (op) injects secrets at run time:
# In your .env (committed-safe — only references, not values):
OPENAI_API_KEY="op://Dev/OpenAI/api-key"
# Run any command with secrets resolved from the vault:
op run --env-file=.env -- pnpm dev
No plaintext token on disk, no token in shell history. When you rotate the secret in 1Password, every machine picks it up on the next op run.
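A guard for the .env pattern above, added here as an example and not code from the post or from 1Password: a pre-commit check that fails when any variable in the file carries a literal value instead of an op:// reference, so a real token cannot quietly land next to the references. It assumes POSIX sh and awk; the file name env_audit.sh and the vault, item and field names in the sample are constructed. It reports the offending variable name only, never its value.

```shell
#!/bin/sh
# Added example, not code from the original post or from 1Password.
# Assumes POSIX sh and awk.

# audit_env_refs FILE
# Prints one line per offending variable. Returns 0 only when every
# assignment (comments and blank lines skipped, "export KEY=..." tolerated,
# one layer of quotes stripped) is op://vault/item/field or
# op://vault/item/section/field. Values are never printed.
audit_env_refs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            line = $0
            sub(/^[[:space:]]*export[[:space:]]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) { printf "line %d: not an assignment\n", NR; bad++; next }
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^["'\'']|["'\'']$/, "", val)
            if (val !~ /^op:\/\/[^\/]+\/[^\/]+\/[^\/]+(\/[^\/]+)?$/) {
                printf "%s: literal value, not an op:// reference\n", key; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Usage: sh env_audit.sh .env   (a non-zero exit blocks the commit in a hook)
if [ "$#" -gt 0 ]; then
    audit_env_refs "$1"
fi
```

Wire it into a pre-commit hook as `sh env_audit.sh .env || exit 1`; because op run resolves references only at run time, a committed .env that passes this check contains nothing worth stealing.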
When this breaks
- CI runners — they can't prompt for Touch ID. Use a dedicated deploy key or a short-lived OIDC token there; the 1Password agent is for humans.
- Remote dev (SSH'd into a server) — agent forwarding works (ForwardAgent yes), but think hard before doing it. You're letting that remote host sign on behalf of your key.
- Linux — same flow works, the socket path is just different. The 1Password Linux app exposes it under ~/.1password/agent.sock.
TL;DR
- Move your SSH keys into 1Password and switch to its SSH agent.
- Enable biometric authorization — every git push asks for Touch ID.
- Reuse the same key for signed commits with gpg.format = ssh.
- Bonus: use op run so API tokens are vault references, not plaintext.