The most secure way to login to a remote machine and copy files to and from it, is by using SSH keys (normally RSA).

Managing these keys, between multiple servers and especially between development machines can become cumbersome. There is also the security threat of leaving keys lying around on machines.

A great way to not have keys as files on local disk is using the unix ssh-agent program. Tools like ssh, rsync and scp read from the ssh-agent when trying to access a server, and will try each key until a valid key is found. This happens quickly and delays trying keys are not observable to a user.

The pk ssh-add command is used to download any ssh keys securely and add them to the local running ssh-agent. After which you can run ssh, rsync or scp normally and the ssh-agent will make the key available to them.


pk ssh-add -s personal -n mykey,myclient-key1 -p
This command will download the ssh keys "mykey" and "myclient-key1", and then add them to the ssh-agent.

To remove the keys run:

 ssh-add -D

This will remove all keys from the local ssh-agent.

Formats and Types

Keys must be PEM encoded, and can be RSA (PKCS1, or PKCS8) or ECDSA. Keys can also be password protected themselves. When the pk ssh-add command reads a password protected key, it will prompt for the key's password, to decrypt it for the ssh-agent.


We assume you have:

Use case

We are going to walk you though an example where we setup an AWS server with a private RSA key. We'll add this key to our pkhub "Pub/Priv Keys", and show you how to run the pk ssh-add command to add this key to the local ssh-agent. Finally we'll show how to ssh into the AWS server using the ssh-agent.

Here we use AWS, but this can be applied to any cloud provider and or any self managed servers, even your local dev laptops.

Step 1: Setup

  • Create the key in AWS

  • Create the aws server, with the ssh key assigned
  • Create the PK Hub Pub/Priv Key entry

Step 2: Run the pk ssh-add command

You can now add the private key using the PK CLI.

The pk ssh-add" command can download any private keys from your pkhub safe and add it to the local ssh agent.
pk shh-add -s myorg -n mydev -p

Step 3: SSH into the server

ssh ec2-user@


In this use-case we have shown how easy it is to setup and manage ssh keys, and then make them available on your local dev laptop. This can also be done on remote servers and any machine that runs ssh-agent.