anomalroil/1key — explained in plain English
Analysis updated 2026-07-09 · repo last pushed 2019-05-17
Derive separate SSH keys for staging, production, and client environments from one master key.
Share child public keys with teammates without exposing your master private key.
Generate matching child private keys later using the secret phrase used during derivation.
| anomalroil/1key | danterolle/loqi | iwetan77/flume | |
|---|---|---|---|
| Stars | 2 | 2 | 2 |
| Language | Go | Go | Go |
| Last pushed | 2019-05-17 | — | — |
| Maintenance | Dormant | — | — |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 3/5 | 2/5 | 4/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires generating a master SSH key and providing a secret phrase of 33+ random characters, plus understanding the derivation workflow.
1key is a proof-of-concept tool that lets you generate multiple SSH keys from a single master key. Instead of creating and managing separate keys for every server or environment, you keep one key and derive "child" keys from it as needed. The master key itself never gets exposed to your system's SSH agent, which adds a layer of protection. Under the hood, it uses elliptic curve cryptography. The core idea is mathematical: when you combine your master key with a random value derived from a secret phrase, you get a new, valid key. Someone who only has your public key can also derive child public keys, and you can later generate the matching private keys if you know the random value used. This lets you share derivations without handing over your master key. The tool is aimed at security-conscious developers and sysadmins who juggle many SSH connections. For example, if you want different keys for staging, production, and a client's infrastructure, you can derive all of them from one master rather than storing a dozen separate key files. You provide a secret phrase (ideally 33+ random characters), and the tool handles the math. The project is explicitly a proof of concept tied to a conference talk, so it's not a polished product. The README notes some rough edges, like the SSH connection feature being a simple wrapper that may be removed, and a todo list that includes better memory protection for the master key. It's an interesting demonstration of the concept rather than something you'd want to rely on for critical infrastructure today.
A proof-of-concept tool that derives multiple SSH keys from a single master key using elliptic curve cryptography, so you manage one key instead of dozens. Built for a conference talk, not production use.
Mainly Go. The stack also includes Go, SSH, Elliptic Curve Cryptography.
Dormant — no commits in 2+ years (last push 2019-05-17).
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.