Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Docker Pulls pipeline status Back project

This image contains the Keybase and Keybase-sshca applications running on ubuntu linux.

What is Keybase SSH CA?

A bot!, a chat bot! Which you can use as a certificate authority to sign ssh keys for usage on your servers!
Easiest way to use it is via the kssh utility which is possible to download at the official repository.


Tags are based on the keybase-sshca version.
As of current releases, the versions contains part of the commit sha suffixed, every build will include that as a tag too: 1.0.0-7803a8d

Keybase-sshca is built from source and compiled for amd64 and arm64/aarch64.

Docker Hub

  • jitesoft/keybase-sshca
    • latest, 1.1.0
    • latest-alpine, 1.1.0-alpine


    • latest, 1.1.0
    • latest, 1.1.0

    • latest, 1.1.0
    • latest-alpine, 1.1.0-alpine

Dockerfile can be found at GitLab and GitHub.

Image labels

This image follows the Jitesoft image label specification 1.0.0.


For full documentation, check the Keybase SSH CA Bot documentation.

Startup of bot:

docker run -v $(pwd):/home/keybase/certificates jitesoft/keybase-sshca:1.0.0 

To fine-tune the container to work with your channels, a few environment variables are available:

KEYBASE_USERNAME="your-bot-username"             # I recommend that you create a new bot for this.
KEYBASE_PAPERKEY="Paperkey-for-bot"              # Possible to generate quickly via the keybase cli. 
KEYBASE_USERNAME_PATH="path-to-username-in-file" # File to use instead of above 'username' env variable. 
KEYBASE_PAPERKEY_PATH="path-to-paperkey-in-file" # As above, but for the paperkey.
CA_KEY_LOCATION="/home/keybase/ca-cert"          # Location where the key file should be or will be if generated by this image.
                                                 # Default is /home/keybase/ca-cert
KEY_EXPIRATION="+12h"                            # Expiration time (prefixed with + and sufixed with unit, such as d, h, m).
KEYBASE_SSHCA_LOG_DIR="/home/keybase/.cache/keybase" # Path to directory where the logs of the keybase-ssh-ca bot should be placed.
                                                # defaults to /home/keybase/.cache/keybase
                                                # Note: logs are also printed to stdout.
STRICT_LOGGING="false"                          # Sets the logging to strict or not strict. (true or false)
ANNOUNCEMENT=""                                 # A string/text that the bot will use to announce itself in a channel.
                                                # The following placeholders are available: {USERNAME}, {CURRENT_TEAM}, {TEAMS}.

Most notable are the KEYBASE_* prefixed user and paperkey variables, which either filepath or env type are required to exist to allow the bot to connect.
The Docker image will generate a set of ecdsa keys to use as ca keys in case you don't supply them yourself, and it might be worth to add a persistent volume for them so that they do not disappear after restart of the container.


This repository and the files therein are released under the MIT license.
Keybase is released under the BSD 3-Clause "New" or "Revised" license.
Keybase-sshca is released under the BSD 3-Clause "New" or "Revised" license.