macOS
brew install onlykey-agentlocal Homebrew formula metadata
brew
Middleware that lets you use OnlyKey as a hardware SSH/GPG device. Version 1.1.15 via Homebrew; verified 2026-05-14.
install
brew install onlykey-agentlocal Homebrew formula metadata
nix profile install nixpkgs#onlykey-agentnixpkgs package indexes · pkgs/by-name/on/onlykey-agent/package.nix · source: api.github.com
overview
Middleware that lets you use OnlyKey as a hardware SSH/GPG device
history
onlykey-agent is middleware that lets an OnlyKey hardware token act as an SSH and GPG agent. It bridges standard developer/admin workflows such as SSH login, Git over SSH, GPG signing, and password-store decryption to keys generated or stored on the hardware device.
The project is maintained by CryptoTrust/trustcrypto and described upstream as an SSH agent for OnlyKey. PyPI's release history starts with 0.0.2 on March 11, 2018, reaches 1.0.0 on November 14, 2019, and lists 1.1.15 on July 21, 2023.
OnlyKey's documentation positions the agent as a way to keep SSH and OpenPGP private keys off the computer while still using ordinary SSH and GnuPG workflows. The agent uses OnlyKey button presses or challenge codes to authorize signing and decrypt operations.
onlykey-agent is available from PyPI and Homebrew, and Homebrew's formula exposes its native dependencies on GnuPG, hidapi, libusb, libsodium, and Python. Its audience is narrower than general FIDO/U2F tooling because it specifically serves OnlyKey users who want SSH-agent and gpg-agent style integration.
For SSH, users generate or expose a public key with onlykey-agent, add it to authorized_keys or a Git hosting account, and run commands inside an agent-backed shell or command wrapper. For GPG, users initialize a dedicated GNUPGHOME such as ~/.gnupg/onlykey and use onlykey-gpg for signing, encryption, and Git commit/tag signing.
The documentation distinguishes derived keys from stored keys. Derived keys are generated from identity@host-style inputs, while stored keys use key material loaded into OnlyKey slots, including ECC and RSA slots for SSH/GPG operations.
The package is interesting because it turns a hardware-security product into normal Unix developer plumbing. The package exposes multiple executables, slots into SSH_AUTH_SOCK and GNUPGHOME conventions, and depends on USB/HID and cryptographic libraries rather than inventing a separate workflow.
security posture
No matching local secret-handling manifest was found for onlykey-agent. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
~/.ssh/config~/.gnupg/onlykeyexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
onlykey-agent | cli | global executable | |
onlykey-gpg | cli | global executable | |
onlykey-gpg-agent | cli | global executable | |
onlykey_agent.py | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://docs.crp.to/onlykey-agent.html
install metadata
| Package key | brew:onlykey-agent |
|---|---|
| Version | 1.1.15 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/onlykey-agent |
| Homepage | https://docs.crp.to/onlykey-agent.html |
| Repository | https://github.com/trustcrypto/onlykey-agent |
| Upstream docs | https://docs.onlykey.io/onlykey-agent.html |
| License | LGPL-3.0-only |
| Source archive | https://files.pythonhosted.org/packages/68/80/e89b6c3680bedb1e14e99f0539ac805bddc7d8dd87c58805c64484966b7c/onlykey-agent-1.1.15.tar.gz |
| Last updated | 2026-05-14T10:23:53Z |
| Pulse | updated |
| Dependencies | certifi, cryptography, gnupg, hidapi, libsodium, libusb, python@3.14 |
| Build dependencies | pkgconf |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | onlykey-agent |
| Version Scheme | 0 |
| Revision | 13 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
onlykey-agent
nix profile install nixpkgs#onlykey-agentsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.