Encrypted vault, intelligent host matching, Git commit signing. A single binary that replaces 1Password and Bitwarden's SSH agent.
The tools you use today were built for a simpler time.
Your private keys sit in ~/.ssh/ as plain files. Anyone with laptop access has them.
Copy key files manually, or each machine has different keys. Neither is good.
SSH tries every key until one works. You've hit "too many authentication failures" before.
A separate, manual setup that nobody finishes. Unsigned commits everywhere.
Setup takes 30 seconds. Then SSH and Git just work.
A background daemon that speaks the standard SSH agent protocol. No browser, no Electron. Just a Unix socket and a CLI.
Standard protocol. ssh-add works, any SSH client works.
Argon2id + XChaCha20-Poly1305. Atomic writes.
Right key for each host, automatically.
In-memory, mlock'd, zeroed on shutdown.
Zero-knowledge. Server stores opaque blobs.
| Forged | 1Password | Bitwarden | Secretive | ssh-agent | |
|---|---|---|---|---|---|
| Standalone | Yes | No | No | Yes | Yes |
| Cross-platform | Mac/Linux/Win | Mac/Linux/Win | Mac/Linux/Win | Mac only | Mac/Linux |
| Key sync | Yes | Bundled | Bundled | No | No |
| Host matching | Smart | Basic | No | No | No |
| Git signing | Built-in | Yes | No | Yes | Manual |
| Auth model | Login once | Per use | Per use | Per use | Per session |
| Open source | Yes | No | Yes | Yes | Yes |
Your master password never leaves your machine. The server stores opaque encrypted blobs. It cannot decrypt your vault, read your keys, or see your master password. The same architecture used by 1Password and Bitwarden.
One command. 30 seconds. Your SSH keys will thank you.