# How to set up `derivepassphrase vault` with an SSH key
!!! abstract "See also"

    → Tradeoffs between a master passphrase and a master SSH key (TODO)

## Prerequisites
!!! abstract "Further reading"

    → Full technical details: [Prerequisites for using `derivepassphrase
    vault` with an SSH key][PREREQ]

1. A running SSH agent; typically provided by OpenSSH or PuTTY.
2. A Python installation that can talk to the SSH agent.
3. A supported SSH key; typically an RSA, Ed25519 or Ed448 key.
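
To check all three prerequisites together once the agent is running and the key is loaded, the following added example (not part of this page's original text or of `derivepassphrase`) asks the agent for its key list over `SSH_AUTH_SOCK` and flags key types outside the ones listed above. It assumes a UNIX-domain agent socket; the function names and the `TYPICAL_TYPES` set are illustrative.

```python
import os
import socket
import struct

# SSH wire names of the key types this page lists as typical (assumed mapping).
TYPICAL_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ssh-ed448"}
REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12  # SSH agent protocol message numbers

def _string(buf, pos):
    """Read one SSH string (uint32 length, then bytes); return (value, next pos)."""
    end = pos + 4 + int.from_bytes(buf[pos:pos + 4], "big")
    if end > len(buf):  # also true when the length field itself is cut short
        raise ValueError("truncated agent reply")
    return buf[pos + 4:end], end

def parse_identities(payload):
    """Turn an identities answer into (key type, comment, typical?) tuples."""
    if len(payload) < 5 or payload[0] != IDENTITIES_ANSWER:
        raise ValueError("agent did not answer with a key list")
    (count,) = struct.unpack_from(">I", payload, 1)
    pos, keys = 5, []
    for _ in range(count):
        blob, pos = _string(payload, pos)      # public key blob
        comment, pos = _string(payload, pos)   # key comment, e.g. "vault key"
        key_type, _ = _string(blob, 0)         # the blob starts with its type name
        keys.append((key_type.decode("ascii", "replace"),
                     comment.decode("utf-8", "replace"), key_type in TYPICAL_TYPES))
    return keys

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection early")
        data += chunk
    return data

def list_agent_keys(path=None):
    """Query the agent socket (default: $SSH_AUTH_SOCK) for its loaded keys."""
    path = path or os.environ["SSH_AUTH_SOCK"]   # KeyError: variable is not set
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)                        # OSError: no agent listening there
        sock.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        return parse_identities(_recv_exact(sock, length))

if __name__ == "__main__":
    print(*list_agent_keys(), sep="\n")
```

Listing identities does not request a signature, so a key loaded with `ssh-add -c` is listed without a confirmation prompt. An empty list means the agent is reachable but no key is loaded (or its lifetime has expired).
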
## Configuring `derivepassphrase vault` to use an SSH key
Assuming the prerequisites are satisfied, ensure that the SSH agent is
running, the SSH key is loaded into the agent, and the `SSH_AUTH_SOCK`
environment variable is correctly set up. The exact commands depend on
the SSH agent in use.
=== "OpenSSH"

    ~~~~ console title="Typical setup commands: starting the agent and setting up SSH_AUTH_SOCK"
    $ eval `ssh-agent -s`
    Agent pid 12345
    ~~~~

    (The process ID emitted above is helpful for signalling the agent
    later, e.g. for termination.)

    ~~~~ console title="Typical setup commands: loading the key into the agent, with 900s timeout and requiring confirmation"
    $ ssh-add -t 900 -c ~/.ssh/my-vault-ed25519-key
    Enter passphrase for /home/user/.ssh/my-vault-ed25519-key (will confirm each use):
    Identity added: /home/user/.ssh/my-vault-ed25519-key (vault key)
    Lifetime set to 900 seconds
    The user must confirm each use of the key
    ~~~~

    (Your key filename and key comment will likely differ.)

=== "PuTTY"

    ~~~~ console title="Typical setup commands: starting the agent and loading the key"
    $ eval `pageant -T ~/.ssh/my-vault-ed25519-key.ppk`
    Enter passphrase to load key 'vault key':
    ~~~~