# Prerequisites for using `derivepassphrase vault` with an SSH key
Using `derivepassphrase vault` with an SSH key requires:

1. [a running SSH agent](#ssh-agent),
2. [a Python installation that can talk to the SSH
   agent](#python-support), and
3. [a supported SSH key](#ssh-key).

### A running SSH agent { #ssh-agent }
SSH agents are usually packaged as part of SSH client distributions.
`ssh-agent` from [OpenSSH][] and Pageant from [PuTTY][] are known to
work. `gpg-agent` (v2) from [GnuPG][] is also known to work, but comes
with caveats; see notes below.

If in doubt, we recommend OpenSSH because it is the <i>de-facto</i>
canonical SSH agent implementation.
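
To check that an agent is running and see which keys it offers, the following added example (not part of `derivepassphrase` or its documentation) sends the SSH agent protocol's identity-list request and parses the answer. It assumes the agent listens on the UNIX domain socket named by `SSH_AUTH_SOCK`; all function names are hypothetical.

```python
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from the SSH agent protocol
SSH_AGENT_IDENTITIES_ANSWER = 12

def frame(msg_type, payload=b""):
    """Wrap a message as uint32 length || type byte || payload."""
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload

def read_string(buf, pos):
    """Read one length-prefixed SSH string; reject truncated input."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    end = pos + 4 + struct.unpack_from(">I", buf, pos)[0]
    if end > len(buf):
        raise ValueError("string runs past end of message")
    return buf[pos + 4:end], end

def parse_identities(body):
    """Parse an answer body (type byte first) into (key type, comment) pairs."""
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    count, pos, keys = struct.unpack_from(">I", body, 1)[0], 5, []
    for _ in range(count):
        blob, pos = read_string(body, pos)      # public key blob
        comment, pos = read_string(body, pos)   # comment attached to the key
        key_type = read_string(blob, 0)[0]      # blob starts with its type name
        keys.append((key_type.decode("ascii"), comment.decode("utf-8", "replace")))
    return keys

def list_agent_keys():
    """Query the agent at SSH_AUTH_SOCK (assumption: a UNIX domain socket)."""
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path or not hasattr(socket, "AF_UNIX"):
        raise RuntimeError("no agent socket, or Python lacks AF_UNIX support")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        with sock.makefile("rb") as reply:
            header = reply.read(4)
            if len(header) != 4:
                raise ConnectionError("agent closed the connection")
            return parse_identities(reply.read(struct.unpack(">I", header)[0]))

if __name__ == "__main__":
    for key_type, comment in list_agent_keys():
        print(key_type, comment)
```

An empty list means the agent is reachable but currently offers no keys.
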
!!! note "Agent-specific features"

    * OpenSSH's `ssh-agent` supports limiting the time the agent holds
      the key in memory ("key lifetime"). We recommend its usage.
    * `ssh-agent` and GnuPG's `gpg-agent` support requiring confirmation
      upon each use for a specific key. We recommend its usage as well.

<section markdown id=agent-specific-notes>
!!! note "Other agent-specific notes"

    === "GnuPG/`gpg-agent`"

        * `gpg-agent` v2.0 and later uses a *persistent* database of
          known keys, SSH or otherwise. "Adding" a key to the agent
          actually means *importing* it, and requires choosing an
          "import passphrase" to protect the key on disk, in the
          persistent database. `gpg-agent` will cache the import
          passphrase in memory, and if that cache entry expires, then
          the *import passphrase* must be provided to unlock the key.
        * The GnuPG distribution does not contain tools to generate
          native SSH keys or interactively add keys to a running
          `gpg-agent`, because its purpose is to expose keys in
          a different format (OpenPGP) to other (agent-compatible) SSH
          clients. A third-party tool (such as a full SSH client
          distribution) is necessary to load/import native SSH keys into
          `gpg-agent`.
        * As a design consequence of the persistent database,
          `gpg-agent` always lists all known SSH keys as available in
          the agent. It is impossible to remove an SSH key from