Keys¶
Cleat manages SSH keys through the Keys view in the sidebar. Keys can be generated inside Cleat, imported from existing files, or referenced by path from your ~/.ssh/ directory.
The 30-second version¶
- New to SSH keys? Generate one — Cleat shells out to
ssh-keygenand writes the key to~/.ssh/. On modern OpenSSH this produces an OpenSSH-format private key, which Cleat's mbedTLS backend can't parse yet — see Key formats for the one-line conversion. - Have an existing key? Import it. Most likely it'll work. If it's an OpenSSH-format key, see the next bullet.
- Connection fails with "callback returned error" or "invalid key"? Your key is OpenSSH-format and needs PEM. See Key formats.
Where keys live¶
Cleat does not copy your private keys. It stores:
| Where | What |
|---|---|
connections.json |
A path to the private key on disk |
| OS keychain | The passphrase (if any) and any password-auth secrets |
This means:
- Rotating a key on disk works without re-importing into Cleat.
- Backing up Cleat does not back up your private keys — they remain wherever you put them (
~/.ssh/typically). - Sharing your
connections.jsonis safe — it doesn't expose key material.