DEV.co
Open-Source Security · danielrobbins

keychain

Keychain is a Python-based SSH and GPG agent manager that consolidates multiple agent instances into a single, reusable session per host. It simplifies key management for login shells, cron jobs, and remote sessions by providing a clean command interface and configuration file support.

Source: GitHub — github.com/danielrobbins/keychain
1k
GitHub stars
124
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydanielrobbins/keychain
Ownerdanielrobbins
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars1k
Forks124
Open issues7
Latest release3.0.0_beta3 (2026-07-08)
Last updated2026-07-08
Sourcehttps://github.com/danielrobbins/keychain

What keychain is

Keychain 3 is a Python 3.9+ zipapp (no external dependencies) that wraps ssh-agent, ssh-add, and gpg-agent, managing agent lifecycle and key persistence across shell sessions. It uses ~/.keychainrc for configuration and exports shell-sourceable environment files to ~/.keychain/ for agent reuse, with backward compatibility for 2.x command syntax.

Quickstart

Get the keychain source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/danielrobbins/keychain.gitcd keychain# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-session SSH/GPG key management on single hosts

Prevent spawning duplicate agents across terminal sessions, cron jobs, and background processes. Ideal for developers and sysadmins who need consistent key access without repeated passphrases.

Remote and containerized environments

Single-file deployment (zipapp) with no runtime dependencies simplifies distribution across restricted or minimal systems, WSL, and container init sequences.

Legacy shell automation migration

Backward-compatible 2.x command syntax allows gradual migration from Bourne shell Keychain to Python 3 without rewriting all existing startup scripts.

Implementation considerations

  • Install zipapp to PATH and add eval invocation to shell startup (~/.bashrc, ~/.zshrc, etc.). Minimal initial setup; review ~/.keychainrc schema via embedded help.
  • Verify Python 3.9+ availability on target systems; older Python will auto-detect and re-exec if newer python3.NN exists on PATH.
  • Existing 2.x scripts remain compatible via explicit compatibility layer, allowing phased migration to clearer 3.x action-oriented commands.
  • Configure agent behavior (TTL, passphrase timeout) via ~/.keychainrc [agent.ssh] and [agent.gpg] sections rather than ambient KEYCHAIN_* env vars.
  • Audit zipapp contents with unzip before deployment; no obfuscation, source fully inspectable.

When to avoid it — and what to weigh

  • Closed-source or proprietary agent tooling required — Keychain wraps standard POSIX agents (ssh-agent, gpg-agent). If your environment requires proprietary agent backends, Keychain cannot abstract them.
  • Windows native (non-WSL) environments — Targets POSIX-shaped systems. Native Windows deployments would require WSL or alternative Windows SSH/GPG agent tools.
  • Python < 3.9 runtime constraints — Requires Python 3.9 or newer with no fallback mechanism for older interpreters (except automatic re-exec if newer python3.NN is found on PATH).
  • Centralized, networked key management — Keychain is host-local agent management. If you need centralized key distribution or rotation across many machines, consider dedicated secrets management solutions.

License & commercial use

GPLv3 (GNU General Public License v3.0). This is a copyleft license requiring derivative works and distributions to remain open-source under the same terms. Keychain 2.x releases remain under GPLv2.

Commercial use of Keychain is permitted under GPLv3, but any modifications or bundled distributions must be released under GPLv3 with source code available to recipients. Consult legal counsel if integrating into proprietary products or redistributing as a binary artifact. Using unmodified Keychain as an operational tool does not trigger redistribution obligations.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Keychain manages SSH and GPG keys in memory via standard system agents; security properties depend on underlying ssh-agent and gpg-agent implementations, not Keychain itself. Keychain does not store or encrypt keys—it only manages agent lifecycle and key loading. Zipapp is source-auditable (unzip-inspectable). Consider passphrase entry method (pinentry for GPG), agent socket file permissions, and host-local attack surface. GPLv3 ensures code transparency. No external dependencies reduce supply-chain risk. Unknown: whether Keychain has undergone security audit or has known advisories.

Alternatives to consider

ssh-agent and gpg-agent directly

Avoid Keychain entirely and manage agents manually. More control, no additional abstraction layer, but more verbose scripting and higher risk of duplicate agents and stale sockets.

pass or gopass

Encrypted password/secret manager with GPG backend. Better suited for secret storage and rotation; less suitable for agent session management and SSH key consolidation.

Enterprise-grade secrets management with network access, audit trails, and role-based access. Overkill for single-host agent management; requires centralized infrastructure and different operational model.

Software development agency

Build on keychain with DEV.co software developers

Evaluate Keychain for your team's SSH/GPG agent needs. Download the zipapp, test in a non-production environment, and review the embedded documentation. For enterprise deployments, consult legal on GPLv3 obligations and conduct your own security assessment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

keychain FAQ

Will my old Keychain 2.x shell scripts still work?
Yes. Keychain 3 includes a compatibility layer for 2.x command syntax. Existing startup snippets will continue to work, though new code should use the clearer 3.x action-oriented commands (e.g., 'keychain add' instead of flat 'keychain ~/.ssh/id_ed25519').
Do I need to install Python separately?
No. Keychain 3 ships as a zipapp (keychain.pyz) with no external runtime dependencies. You only need Python 3.9 or newer already on your system. The zipapp can auto-re-exec into a newer python3.NN if the default is older.
Can I use Keychain in cron jobs?
Yes. Keychain writes reusable agent environment files to ~/.keychain/, which cron jobs can source to attach to the same SSH/GPG agent as your login shell, avoiding repeated passphrase prompts.
Is Keychain secure? Can I audit it?
Keychain delegates key storage and agent management to system ssh-agent and gpg-agent; its security depends on those implementations. The zipapp is fully source-auditable (unzip to inspect). No external dependencies reduce supply-chain risk. However, no public security audit is documented; review security considerations above and assess your threat model.

Work with a software development agency

DEV.co helps companies turn open-source tools like keychain into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to simplify your key management?

Evaluate Keychain for your team's SSH/GPG agent needs. Download the zipapp, test in a non-production environment, and review the embedded documentation. For enterprise deployments, consult legal on GPLv3 obligations and conduct your own security assessment.