Generating an SSH key pair takes under a minute and replaces password logins with something far more secure. This guide walks through creating a key, protecting it with a passphrase, installing the public half on a server, and confirming it works — using either the command line or a browser tool.
ssh-keygen route.Step 1 — Choose an Algorithm
Pick the key type before generating. For nearly all new keys, Ed25519 is the best choice — small, fast, and very secure. Use RSA 4096 only when you must support older systems that lack Ed25519. (For a deeper comparison, see SSH Keys Explained.)
# Recommended: Ed25519
ssh-keygen -t ed25519 -C "you@example.com"
# Legacy compatibility: RSA 4096
ssh-keygen -t rsa -b 4096 -C "you@example.com"The -C flag adds a comment (usually your email or a machine name) so you can identify the key later in an authorized_keys file.
Step 2 — Set a Passphrase and File Location
ssh-keygen prompts for a file path and a passphrase:
Enter file in which to save the key (~/.ssh/id_ed25519): [press Enter]
Enter passphrase (empty for no passphrase): [type a strong passphrase]
Enter same passphrase again: [repeat]This creates two files:
~/.ssh/id_ed25519— your private key (keep secret).~/.ssh/id_ed25519.pub— your public key (safe to share).
ssh-add so you only type the passphrase once per session.Step 3 — Install the Public Key on Your Server
To log in without a password, the public key must be appended to ~/.ssh/authorized_keys on the server. The simplest way is ssh-copy-id:
# Copies the public key and sets correct permissions (prompts for password once)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server.comIf ssh-copy-id is not available, append the key manually:
cat ~/.ssh/id_ed25519.pub | ssh user@your-server.com \
"mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"Step 4 — Test the Connection and Load the Agent
Confirm key-based login works:
ssh user@your-server.com
# Add the key to your agent so the passphrase is cached for the session
ssh-add ~/.ssh/id_ed25519You should log in without being asked for the account password. If you added a passphrase, you may be prompted for it once (or never again after ssh-add).
Troubleshooting
- Still asked for a password? Check permissions on the server:
~/.sshmust be700andauthorized_keysmust be600. - "Permission denied (publickey)"? Make sure you installed the matching
.pubfile, and that you are connecting as the right user. - Wrong key being offered? Point SSH at the right file explicitly:
ssh -i ~/.ssh/id_ed25519 user@host.