One binary, six capabilities. Generate, encrypt, sync, bind, sign, and migrate your SSH keys from a single daemon - while you focus on shipping.
Zero-knowledge storage
Your keys sit unprotected in ~/.ssh. Forged wraps every private key in an Argon2id + XChaCha20-Poly1305 vault that never decrypts on disk.
Every device, one vault
Moving between machines means manually copying key files. Forged syncs encrypted blobs across all your devices automatically.
Low-touch key selection
SSH throws every key at the server until banned. Forged learns which key works for each host and keeps advanced provider routing local to the device.
Verified commits
A built-in SSH agent allows frictionless, automatic verified signatures on every git commit across all your workflows.
Always running, always ready
A single ~13MB Go binary runs a background daemon that emulates the ssh-agent protocol. No Electron, no browser extensions.
Import from anywhere
Migrate keys from ~/.ssh or 1Password in a single command. Inspect your running ssh-agent to plan the move.
Never write another ~/.ssh/config file again. Forged uses wildcard and regex patterns to instantly route the correct cryptographic key to the right server, automatically.
No Electron. No bloated browser extensions. Strictly terminal and background daemons written in modern Go.
Replaces the standard ssh-agent. Exposes a native UNIX socket locally, dropping perfectly into your existing ecosystem without requiring custom clients.
Before ever leaving your machine, the vault is heavily encrypted. The central server only routes opaque, impenetrable binary blobs across your devices.
Intercepts the raw SSH connection challenge before injection. Evaluates destination masks via PCRE regex and routes to the exact corresponding ethnographic identity.
Keys sit encrypted at-rest using military-grade AEAD standard ciphers, explicitly decrypted only ephemerally in RAM upon strict pattern match.
We believe security through obscurity is no security at all. Forged is built entirely on open, mathematically auditable cryptographic standards. Your private keys never touch a disk unencrypted, and never leave your machine without end-to-end encryption.
All vault data is encrypted using XChaCha20-Poly1305 AEAD. Extremely fast, deeply secure, and completely immune to timing attacks.
Master keys are mathematically generated through Argon2id, the winner of the Password Hashing Competition. Highly ASIC resistant.
The agent daemon uses unix.Mlock() to pin all decrypted memory pages, ensuring host OS swap-to-disk leaks are physically impossible.
The entire core daemon and CLI is open source. No proprietary telemetry, no opaque cryptographic implementations.
Read the complete cryptographic breakdown of our vault structure in the security whitepaper, or dive directly into the repository to audit the Go implementation yourself.
Install Forged. Never think about SSH key management again.