keychain
Keychain is a Python-based SSH and GPG agent manager that consolidates multiple agent instances into a single, reusable session per host. It simplifies key management for login shells, cron jobs, and remote sessions by providing a clean command interface and configuration file support.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | danielrobbins/keychain |
| Owner | danielrobbins |
| Primary language | Python |
| License | GPL-3.0 — OSI-approved |
| Stars | 1k |
| Forks | 124 |
| Open issues | 7 |
| Latest release | 3.0.0_beta3 (2026-07-08) |
| Last updated | 2026-07-08 |
| Source | https://github.com/danielrobbins/keychain |
What keychain is
Keychain 3 is a Python 3.9+ zipapp (no external dependencies) that wraps ssh-agent, ssh-add, and gpg-agent, managing agent lifecycle and key persistence across shell sessions. It uses ~/.keychainrc for configuration and exports shell-sourceable environment files to ~/.keychain/ for agent reuse, with backward compatibility for 2.x command syntax.
Get the keychain source
Clone the repository and explore it locally.
git clone https://github.com/danielrobbins/keychain.gitcd keychain# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Install zipapp to PATH and add eval invocation to shell startup (~/.bashrc, ~/.zshrc, etc.). Minimal initial setup; review ~/.keychainrc schema via embedded help.
- Verify Python 3.9+ availability on target systems; older Python will auto-detect and re-exec if newer python3.NN exists on PATH.
- Existing 2.x scripts remain compatible via explicit compatibility layer, allowing phased migration to clearer 3.x action-oriented commands.
- Configure agent behavior (TTL, passphrase timeout) via ~/.keychainrc [agent.ssh] and [agent.gpg] sections rather than ambient KEYCHAIN_* env vars.
- Audit zipapp contents with unzip before deployment; no obfuscation, source fully inspectable.
When to avoid it — and what to weigh
- Closed-source or proprietary agent tooling required — Keychain wraps standard POSIX agents (ssh-agent, gpg-agent). If your environment requires proprietary agent backends, Keychain cannot abstract them.
- Windows native (non-WSL) environments — Targets POSIX-shaped systems. Native Windows deployments would require WSL or alternative Windows SSH/GPG agent tools.
- Python < 3.9 runtime constraints — Requires Python 3.9 or newer with no fallback mechanism for older interpreters (except automatic re-exec if newer python3.NN is found on PATH).
- Centralized, networked key management — Keychain is host-local agent management. If you need centralized key distribution or rotation across many machines, consider dedicated secrets management solutions.
License & commercial use
GPLv3 (GNU General Public License v3.0). This is a copyleft license requiring derivative works and distributions to remain open-source under the same terms. Keychain 2.x releases remain under GPLv2.
Commercial use of Keychain is permitted under GPLv3, but any modifications or bundled distributions must be released under GPLv3 with source code available to recipients. Consult legal counsel if integrating into proprietary products or redistributing as a binary artifact. Using unmodified Keychain as an operational tool does not trigger redistribution obligations.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Keychain manages SSH and GPG keys in memory via standard system agents; security properties depend on underlying ssh-agent and gpg-agent implementations, not Keychain itself. Keychain does not store or encrypt keys—it only manages agent lifecycle and key loading. Zipapp is source-auditable (unzip-inspectable). Consider passphrase entry method (pinentry for GPG), agent socket file permissions, and host-local attack surface. GPLv3 ensures code transparency. No external dependencies reduce supply-chain risk. Unknown: whether Keychain has undergone security audit or has known advisories.
Alternatives to consider
ssh-agent and gpg-agent directly
Avoid Keychain entirely and manage agents manually. More control, no additional abstraction layer, but more verbose scripting and higher risk of duplicate agents and stale sockets.
pass or gopass
Encrypted password/secret manager with GPG backend. Better suited for secret storage and rotation; less suitable for agent session management and SSH key consolidation.
Enterprise-grade secrets management with network access, audit trails, and role-based access. Overkill for single-host agent management; requires centralized infrastructure and different operational model.
Build on keychain with DEV.co software developers
Evaluate Keychain for your team's SSH/GPG agent needs. Download the zipapp, test in a non-production environment, and review the embedded documentation. For enterprise deployments, consult legal on GPLv3 obligations and conduct your own security assessment.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
keychain FAQ
Will my old Keychain 2.x shell scripts still work?
Do I need to install Python separately?
Can I use Keychain in cron jobs?
Is Keychain secure? Can I audit it?
Work with a software development agency
DEV.co helps companies turn open-source tools like keychain into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to simplify your key management?
Evaluate Keychain for your team's SSH/GPG agent needs. Download the zipapp, test in a non-production environment, and review the embedded documentation. For enterprise deployments, consult legal on GPLv3 obligations and conduct your own security assessment.