# How to set up `derivepassphrase vault` with an SSH key
## Prerequisites
!!! abstract "See also"

    → Tradeoffs between a master passphrase and a master SSH key (TODO)

1. [A running SSH agent; typically provided by OpenSSH or
   PuTTY.](#prereq-ssh-agent)
2. [A Python installation that can talk to the SSH
   agent.](#prereq-python-support)
3. [A supported SSH key; typically an RSA, Ed25519 or Ed448
   key.](#prereq-ssh-key)
### A running SSH agent { #prereq-ssh-agent }
Install an SSH agent, which is usually part of an SSH client
distribution. `ssh-agent` from [OpenSSH][], Pageant from [PuTTY][] and
`gpg-agent` (v2) from [GnuPG][] are known to work. If in doubt, choose
OpenSSH.
??? note "Agent-specific features"

    * OpenSSH's `ssh-agent` supports limiting the time the agent holds
      the key in memory ("key lifetime"). Such usage is *recommended*.
    * `ssh-agent` and GnuPG's `gpg-agent` support requiring confirmation
      upon each use for a specific key. Such usage is *also
      recommended*.

??? note "Other agent-specific notes"

    === "GnuPG/`gpg-agent`"

        * `gpg-agent` v2.0 and later uses a *persistent* database of
          known keys, SSH or otherwise. "Adding" a key to the agent
          actually means *importing* it, and requires choosing an
          "import passphrase" to protect the key on disk, in the
          persistent database. `gpg-agent` will cache the import
          passphrase in memory, and if that cache entry expires, then
          the *import passphrase* must be provided to unlock the key.
        * As a design consequence, `gpg-agent` always lists all known
          SSH keys as available in the agent. It is impossible to
          remove an SSH key from `gpg-agent` using standard SSH agent
          operations.
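
An added example, not part of `derivepassphrase`: a Python check of the three prerequisites listed above on a non-Windows system. It confirms `socket.AF_UNIX` exists, connects to the socket named by `SSH_AUTH_SOCK`, and lists the key types the agent holds. The function names are this example's own; the message numbers are those of the SSH agent protocol.

```python
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def read_string(buf, pos):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new_pos)."""
    (length,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated agent reply")
    return buf[pos + 4:end], end

def parse_identities(payload):
    """Parse an IDENTITIES_ANSWER body into (key_type, comment) pairs."""
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("agent did not return an identity list")
    (count,) = struct.unpack_from(">I", payload, 1)
    pos, keys = 5, []
    for _ in range(count):
        blob, pos = read_string(payload, pos)
        comment, pos = read_string(payload, pos)
        key_type, _ = read_string(blob, 0)  # key blob starts with its type name
        keys.append((key_type.decode("ascii"), comment.decode("utf-8", "replace")))
    return keys

def list_agent_keys():
    """Check the socket prerequisites, then ask the agent for its keys."""
    if not hasattr(socket, "AF_UNIX"):
        raise RuntimeError("this Python lacks socket.AF_UNIX")
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; is an agent running?")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)  # do not hang on a stale socket path
        sock.connect(path)
        sock.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        reader = sock.makefile("rb")
        (length,) = struct.unpack(">I", reader.read(4))
        return parse_identities(reader.read(length))

if __name__ == "__main__":
    for key_type, comment in list_agent_keys():
        print(f"{key_type}\t{comment}")
```

An empty listing means the agent is reachable but holds no key yet; only public key types and comments are requested, never private key material.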
### A Python installation that can talk to the SSH agent { #prereq-python-support }
On non-Windows operating systems, your Python installation must support
UNIX domain sockets (the `socket.AF_UNIX` symbol). The SSH agent must
expose its communication socket via the `SSH_AUTH_SOCK` environment