Set up KeePass with KeeAgent on Linux

When migrated my workstation to Linux, one important tool was the password manager. I use KeePass, so there are two options around:

I tried both. On KDE, KeePassX integrates nicer into the Linux desktop while KeePass on Mono looks and feels a bit foreign. But the lack of features like auto open and plugins made me ditch KeePassX quite fast. Two important plugins for me are KeePassHttp, which integrates KeePass with Chrome as password manager, and KeeAgent which automatically registers SSH Keys with passphrases at a running SSH Agent.

Setting up KeeAgent was a bit tricky and all instructions I found on the internet were incomplete, so I’ll share how I did it (on Arch Linux with keepass-plugin-keeagent-beta 0.9.1-1). There are two ways to use the plugin: as client for an existing SSH agent or as standalone SSH agent. I choose client mode to always have an SSH agent available.

Register a systemd service to run ssh-agent on startup

  1. Add the following line to ~/.bashrc (or another script that runs on startup)
    export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"

    This way we’ll always have the environment variable for the socket available. We will use this fixed socket in the service below.

  2. Create a file ~/.config/systemd/user/ssh-agent.service
    Description=SSH key agent
    ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
    ExecStartPost=/bin/sh -c "/usr/bin/ps --no-headers -o pid -C ssh-agent | sed 's/^ /export SSH_AGENT_PID=/' > ~/"
    ExecStartPost=/bin/sh -c "echo export SSH_AUTH_SOCK=$SSH_AUTH_SOCK >> ~/"
    ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
    #ExecStop=/usr/bin/ssh-agent -k
    ExecStopPost=/bin/rm ${SSH_AUTH_SOCK}

    I used these configurations as example:

    The difference is that I extract the process id and write it to a file ~/ I could not make the environment variable SSH_AGENT_PID globally available, but we’ll need it later.

  3. Enable and start service
    systemctl --user enable ~/.config/systemd/user/ssh-agent.service
    systemctl --user start ssh-agent

Set up KeePass

  1. In the shortcut to start KeePass (the desktop icon), change the executable from


    source ~/ && keepass

    so that KeePass knows the process id of the SSH agent

  2. In Tools > Options > KeeAgent, set “Agent Mode” to “Client”


Image: (CC-BY 2.0)