Secure Multi Git Remote

Rohan Büchner / March 28, 2022


In this post, I'll explain how to set up a local dev environment that supports multiple upstream git branches, each with its own unique SSH key, with a twist.

Most (non-self-employed) engineers these days will have their own GitHub (or another git provider) account, and at least one other... normally for their employer.

I've been using the below setup for a while, and recently decided to do a small upgrade to the way I do my local ssh... so I decided to blog about it.

In the example below, I'll use Developer `Bob` who works for the `Acme Company`.

1: Create a global `.gitconfig`

```
[user]
    name = bob-forapples
    email =

# employer specific git configs
[includeIf "gitdir:Sources/acme/"]
    path = /Users/bob/Sources/acme/.gitconfig
```

2: Create a local `.gitconfig`

... at the path `/Users/bob/Sources/acme/.gitconfig`. Create as many of these as you need.

```
[user]
    name = bob-acme
    email =
```

The steps above ensure that when Bob commits in repos inside the acme folder, git will use his acme name & email.

3: Create or update the `.ssh/config`

... with the following

```
# Personal account
User git
IdentityFile ~/.ssh/id

# Work account, create as many of these as you need
User git
IdentityFile ~/.ssh/id_acme
```

4: Clone a repo

The only trick now is to remember the convention that Bob set up. If Bob clones a repo from Acme,
he needs to slightly alter the git clone command so that its host matches the `.ssh/config` entry for the SSH key he wants to use...

```
git clone
```

5: Bonus: Secure your SSH keys

As of 1Password 8, you can now store your SSH keys inside a vault. I prefer this to having a potential mess of files where I no longer remember where they are or whether they're being used.

Another major benefit is that during the regular workflow of using said SSH keys in your CLI, 1Password will just pop up a little biometric login prompt; you scan your fingerprint, and you're authorized to use your key in that session. So simple, and so damn cool.

To achieve all of the above you need to do the following.

  • Upgrade to 1Password 8 (if you're on an older version)
  • In 1Password, go to Preferences > Developer
    • Enable Use SSH Agent
    • Enable Biometric unlock for CLI
  • Add your key to the vault and export the pub key.
  • Store the pub key in your `.ssh` folder

Next, create a symlink for the agent:

```
mkdir -p ~/.1password && ln -s ~/Library/Group\ Containers/ ~/.1password/agent.sock
```

and update your `.ssh/config`

```
Host *
  IdentitiesOnly yes
  # this tells ssh to use the 1Password identity agent for all hosts
  IdentityAgent "~/.1password/agent.sock"

User git
IdentityFile ~/.ssh/

User git
IdentityFile ~/.ssh/
```
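
A check for the `.ssh/config` layout from steps 3 and 5, added here as an example and not part of the original post: it resolves the options ssh would apply to each host alias and flags aliases where `IdentitiesOnly` is off or where anything other than exactly one `IdentityFile` applies. The host aliases and key file names in the sample are constructed assumptions, and the resolver is simplified to plain `Host` blocks.

```python
import fnmatch

# Constructed sample: host aliases and key file names are assumptions.
SAMPLE = """\
Host *
  IdentitiesOnly yes
  IdentityAgent "~/.1password/agent.sock"
Host personal.git.example
  IdentityFile ~/.ssh/personal.pub
Host acme.git.example
  IdentityFile ~/.ssh/acme.pub
"""

def effective(text, host):
    """Options ssh would apply to `host` (simplified: Host blocks only, no
    Match or '!' patterns). First value wins; IdentityFile accumulates."""
    result, active = {}, True      # lines before any Host apply to every host
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and key == "identityfile":
            result.setdefault(key, []).append(value)
        elif active:
            result.setdefault(key, [value])
    return result

def audit(text, hosts):
    """Return {alias: [problems]} for aliases that may offer the wrong key."""
    findings = {}
    for host in hosts:
        eff = effective(text, host)
        problems = []
        if eff.get("identitiesonly", ["no"])[0].lower() != "yes":
            problems.append("IdentitiesOnly is not yes: other agent keys may be offered")
        if len(eff.get("identityfile", [])) != 1:
            problems.append("expected exactly one IdentityFile")
        if problems:
            findings[host] = problems
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, ["personal.git.example", "acme.git.example"]))
```

An `IdentityFile` placed under `Host *` is added to every alias, so the audit reports it as a second key on each account-specific host.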