paulund

Using Multiple SSH Keys

If you use one machine for both personal and work projects — each backed by a different GitHub account — you need a way to tell Git which SSH key to use for which repository. This guide walks through a clean, low-maintenance approach using Git's conditional configuration.

The Problem

SSH authenticates you to GitHub using a key pair stored on your machine. By default, Git uses a single key for every remote connection. If you have two GitHub accounts, one key will authenticate to one account and fail on the other.

Step 1: Create Your SSH Keys

Generate a separate key for each account. Give each one a descriptive filename so you can tell them apart:

ssh-keygen -t ed25519 -C "you@personal.example" -f ~/.ssh/id_ed25519_personal
ssh-keygen -t ed25519 -C "you@work.example" -f ~/.ssh/id_ed25519_work

ed25519 is the recommended key type as of 2026 — it is smaller and faster than RSA. If your hosting provider does not support it, fall back to rsa with -t rsa -b 4096.

Step 2: Add the Keys to Your SSH Agent

The SSH agent holds your decrypted keys in memory so you do not have to type your passphrase repeatedly:

ssh-add ~/.ssh/id_ed25519_personal
ssh-add ~/.ssh/id_ed25519_work

Verify both are loaded:

ssh-add -l

Step 3: Upload the Public Keys to GitHub

Each key's public counterpart needs to be added to the corresponding GitHub account. Print the public key so you can copy it to your clipboard:

cat ~/.ssh/id_ed25519_personal.pub

Then navigate to your GitHub account settings, go to SSH and GPG keys, and paste the key. Repeat for the work key on your other account.

Step 4: Configure Git with Conditional Includes

This is where the automation happens. Organise your repositories into directories by account:

~/code/personal/   ← repositories for your personal GitHub account
~/code/work/       ← repositories for your work GitHub account

Edit your main Git configuration file (~/.gitconfig) and add a conditional include at the bottom:

[user]
    name = Your Name
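    email = you@personal.example

[core]
    # IdentitiesOnly=yes: offer only this key, not every key loaded in the agent
    sshCommand = ssh -i ~/.ssh/id_ed25519_personal -o IdentitiesOnly=yes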
    excludesfile = ~/.gitignore_global
    editor = vim
    autocrlf = input

[init]
    defaultBranch = main

[includeIf "gitdir:~/code/work/"]
    path = ~/.gitconfig_work

The [includeIf] directive tells Git to layer in an additional configuration file whenever the repository lives inside ~/code/work/. Create that file:

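# ~/.gitconfig_work
[user]
    email = you@work.example
[core]
    sshCommand = ssh -i ~/.ssh/id_ed25519_work -o IdentitiesOnly=yes
[github]
    user = your-work-github-username

The settings in ~/.gitconfig_work override the defaults in ~/.gitconfig for any repository inside the work directory. Everything else, meaning your personal repositories, continues to use the personal key.

The -o IdentitiesOnly=yes option makes ssh offer only the key named with -i. Without it, ssh may also offer the other keys loaded in the agent in Step 2, and GitHub authenticates you as whichever account owns the first key it accepts. Note also that the match is purely on location: a work repository cloned anywhere outside ~/code/work/ picks up the personal email and key.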

Verifying the Setup

Test that each key connects to the correct account:

ssh -i ~/.ssh/id_ed25519_personal -T git@github.com
# Should print: Hi personal-username! You have successfully authenticated...

ssh -i ~/.ssh/id_ed25519_work -T git@github.com
# Should print: Hi work-username! You have successfully authenticated...

Inside a work repository, confirm Git is using the right configuration:

git config user.email
# Should print: you@work.example
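
The script below is an added example, not part of the original guide: it checks offline which email and key Git resolves for each repository under the Step 4 layout. The throwaway HOME, the .example addresses, the repository names and the -o IdentitiesOnly=yes option in its configs are assumptions of the example; the third repository sits outside ~/code/work/ to show that it falls back to the personal identity.

```shell
#!/bin/sh
# Added example. Paths, e-mail addresses and repo names are constructed.
# Uses a throwaway HOME (real ~/.gitconfig untouched) and no network.

# Identity file named by -i in the effective core.sshCommand for a repository.
effective_key() {
    git -C "$1" config core.sshCommand | sed -n 's/.*-i  *\([^ ]*\).*/\1/p'
}

# Commit e-mail Git would use in that repository.
effective_email() { git -C "$1" config user.email; }

# Succeeds only if sshCommand pins the key with IdentitiesOnly=yes.
pins_identity() {
    git -C "$1" config core.sshCommand | grep -q -- '-o IdentitiesOnly=yes'
}

# Create the sandbox: the two config files from this guide plus three repos.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    cat > "$sb/.gitconfig" <<'EOF'
[user]
    email = you@personal.example
[core]
    sshCommand = ssh -i ~/.ssh/id_ed25519_personal -o IdentitiesOnly=yes
[includeIf "gitdir:~/code/work/"]
    path = ~/.gitconfig_work
EOF
    cat > "$sb/.gitconfig_work" <<'EOF'
[user]
    email = you@work.example
[core]
    sshCommand = ssh -i ~/.ssh/id_ed25519_work -o IdentitiesOnly=yes
EOF
    for r in code/personal/blog code/work/api Downloads/api; do
        HOME="$sb" git init -q "$sb/$r" || return 1
    done
    echo "$sb"
}

# Demo in a subshell so the caller's HOME is left alone.
(
    sb=$(make_sandbox) || exit 1
    HOME="$sb"; export HOME
    for r in code/personal/blog code/work/api Downloads/api; do
        printf '%-20s %-22s %s\n' "$r" "$(effective_email "$sb/$r")" "$(effective_key "$sb/$r")"
    done
    rm -rf "$sb"
)
```

On your real machine, running git config --show-origin core.sshCommand inside a repository shows which configuration file supplied the value.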

Security Reminders

  • Never share your private keys with anyone or commit them to a repository.
  • Use passphrases on your SSH keys. The SSH agent handles the inconvenience for you during a session.
  • If you suspect a key has been compromised, revoke it on GitHub immediately and generate a new one.