Client Keys

We use the same format as openssh daemon for storing keys. Currently only ssh-ed25519 (eliptic curve) keys are supported. More key types may be supported in future.

To generate it, run:

ssh-keygen -t ed25519 -f ~/.ssh/id_ciruela -P ""

Search Paths

If no identity (-i/--identity) or environment variables (-k/--key-from-env) variables are specified, we the following keys to sign uploads:

  • $HOME/.ssh/id_ed25519
  • $HOME/.ssh/id_ciruela
  • $HOME/.ciruela/id_ed25519
  • $CIRUELA_KEY environment variable


We only use keys for signing and multiple signatures are okay. So we sign uploads by all the keys found at specified paths. Signing by an extra key does not compromise security.


We don’t support ssh-agent and password-protected keys yet.