@degensean
Last active November 23, 2025 21:27
Use KeePass (KeeAgent) ssh keys inside WSL2

To use your KeePass (KeeAgent) keys inside WSL Ubuntu without copying the private key files, you need to bridge the communication between the Windows side (where KeeAgent is running) and the Linux side (WSL).

We will use a tool called npiperelay and a utility called socat to forward the SSH "socket" from Windows to Linux.

Note: Your KeePass (KeeAgent) has to be working normally on Windows before you proceed.


Step 1: Configure KeeAgent

First, we need to ensure KeeAgent is exposing the keys via a method npiperelay can understand. The easiest way is to make KeeAgent emulate the Windows OpenSSH agent.

  1. Open KeePass and go to Tools > KeeAgent Options.
  2. Check the box: Enable agent for Windows OpenSSH (Create/Use named pipe \\.\pipe\openssh-ssh-agent).
    • Note: If this is grayed out, you may need to stop the native Windows OpenSSH Authentication Agent service in Windows Services, but usually, KeeAgent can handle it.
  3. Click OK.

Step 2: Install socat in WSL

Open your WSL Ubuntu terminal and install the socket handling tool:

sudo apt update
sudo apt install socat

Step 3: Download npiperelay

This is a Windows executable that bridges the connection.

  1. Go to the npiperelay releases page on GitHub.
  2. Download the npiperelay_windows_amd64.zip.
  3. Extract npiperelay.exe.
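  4. Move this file to a location that WSL can access easily. A good practice is to put it in your Windows user folder; wherever you put it, verify that you can access it from WSL. Because the Step 4 snippet runs this executable for every agent connection, choose a folder that only your own account can write to.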
    • Example: Let's assume you put it in C:\tools\npiperelay.exe.
    • In WSL, this path is accessible at /mnt/c/tools/npiperelay.exe.

Step 4: Configure your Shell (.bashrc)

You need to tell WSL to create a bridge every time you open a terminal.

  1. Edit your configuration file:

    nano ~/.bashrc
  2. Add the following lines to the bottom of the file.

    • Important: Replace /mnt/c/tools/npiperelay.exe with the actual path where you saved the .exe file in Step 3.
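    # Configure SSH authentication to bridge to Windows KeeAgent
    export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"

    # If no socket is listed at that path, (re)create the bridge
    if ! ss -a | grep -qF "$SSH_AUTH_SOCK"; then
        # Make sure the socket directory exists, then remove any stale socket file
        mkdir -p "$HOME/.ssh"
        rm -f "$SSH_AUTH_SOCK"
        # socat listens on the Unix socket and starts npiperelay for each connection;
        # npiperelay relays the traffic to KeeAgent's named pipe
        (setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"/mnt/c/tools/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) >/dev/null 2>&1
    fi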
  3. Save and exit (Ctrl+O, Enter, Ctrl+X).

  4. Reload the configuration:

    source ~/.bashrc

Step 5: Verify the Connection

  1. Run the following command in WSL to see if it can "see" the keys from KeePass:

    ssh-add -l
    • Success: You should see the list of fingerprints for the keys currently loaded in KeePass.
    • Failure: If it says "Could not open a connection to your authentication agent," check the path to npiperelay.exe in your script.
  2. Test the connection to GitHub:

    ssh -T git@github.com

    You should receive a greeting: "Hi [username]! You've successfully authenticated..."
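
A diagnostic for Step 5 that separates the failure modes a bare ssh-add -l lumps together, as an added example that is not part of the original gist: it checks the relay path, the socket file and its permissions, then maps ssh-add's exit status (0 keys listed, 1 agent reachable but no identities, 2 agent unreachable). The function names and the RELAY_PATH, AGENT_SOCK and SSH_ADD variables are assumptions; the default paths are the ones used in Steps 3 and 4.

```shell
# Added diagnostic sketch; not part of the original gist. Function names are
# hypothetical. Defaults assume the guide's paths (Step 3 and Step 4).
RELAY_PATH="${RELAY_PATH:-/mnt/c/tools/npiperelay.exe}"
AGENT_SOCK="${SSH_AUTH_SOCK:-$HOME/.ssh/agent.sock}"
SSH_ADD="${SSH_ADD:-ssh-add}"   # overridable so the logic can be exercised offline

# check_socket PATH -> 0 usable socket, 1 missing, 2 exists but is not a socket,
# 3 writable by group/others (other local accounts could then ask KeeAgent to sign).
check_socket() {
    [ -e "$1" ] || return 1
    [ -S "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 022 )) -eq 0 ] || return 3
    return 0
}

# agent_state: map the exit status of `ssh-add -l` to a state name.
# 0 = identities listed, 1 = agent answered but listed none, other = no agent reached.
agent_state() {
    rc=0
    SSH_AUTH_SOCK="$AGENT_SOCK" "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo keys-available ;;
        1) echo agent-reachable-no-keys ;;
        *) echo agent-unreachable ;;
    esac
}

# bridge_diagnose: walk the chain relay -> socket -> agent and stop at the first break.
bridge_diagnose() {
    if [ ! -x "$RELAY_PATH" ]; then
        echo "FAIL: relay not found or not executable: $RELAY_PATH"; return 1
    fi
    sock_rc=0
    check_socket "$AGENT_SOCK" || sock_rc=$?
    case "$sock_rc" in
        1) echo "FAIL: no socket at $AGENT_SOCK (bridge was never started)"; return 1 ;;
        2) echo "FAIL: $AGENT_SOCK is not a socket; remove it and reload .bashrc"; return 1 ;;
        3) echo "FAIL: $AGENT_SOCK is writable by other accounts; tighten its mode"; return 1 ;;
    esac
    state=$(agent_state)
    echo "socket ok, agent state: $state"
    [ "$state" = keys-available ]
}
```

Source the block in a WSL terminal and run bridge_diagnose; it returns 0 only when the whole chain works and keys are listed.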


Summary of How it Works

  1. WSL (via socat) creates a Linux socket file (~/.ssh/agent.sock).
  2. When you run ssh in Ubuntu, it sends data to this file.
  3. npiperelay.exe picks up that data and translates it to the Windows "Named Pipe" format.
  4. KeeAgent receives the request on the Windows side, signs the data using your SSH key, and sends it back.
  5. Result: Authentication happens without the private key ever leaving the secure KeePass memory on Windows.