How to Generate an SSH Key

A step-by-step guide to creating a secure SSH key pair — with ssh-keygen or online — choosing an algorithm, protecting it with a passphrase, and installing the public key on a server.


Generating an SSH key pair takes under a minute and replaces password logins with something far more secure. This guide walks through creating a key, protecting it with a passphrase, installing the public half on a server, and confirming it works — using either the command line or a browser tool.

Prefer not to use the terminal?The ShowDNS SSH Key Generator creates an Ed25519, ECDSA, or RSA key pair in your browser and lets you download both halves in PEM or PPK format — no commands needed. The steps below cover the ssh-keygen route.

Step 1 — Choose an Algorithm

Pick the key type before generating. For nearly all new keys, Ed25519 is the best choice — small, fast, and very secure. Use RSA 4096 only when you must support older systems that lack Ed25519. (For a deeper comparison, see SSH Keys Explained.)

bash
# Recommended: Ed25519 ssh-keygen -t ed25519 -C "you@example.com" # Legacy compatibility: RSA 4096 ssh-keygen -t rsa -b 4096 -C "you@example.com"

The -C flag adds a comment (usually your email or a machine name) so you can identify the key later in an authorized_keys file.

Step 2 — Set a Passphrase and File Location

ssh-keygen prompts for a file path and a passphrase:

text
Enter file in which to save the key (~/.ssh/id_ed25519): [press Enter] Enter passphrase (empty for no passphrase): [type a strong passphrase] Enter same passphrase again: [repeat]

This creates two files:

  • ~/.ssh/id_ed25519 — your private key (keep secret).
  • ~/.ssh/id_ed25519.pub — your public key (safe to share).
Always use a passphraseA passphrase encrypts the private key at rest, so a stolen file is useless without it. Combine it withssh-add so you only type the passphrase once per session.

Step 3 — Install the Public Key on Your Server

To log in without a password, the public key must be appended to ~/.ssh/authorized_keys on the server. The simplest way is ssh-copy-id:

bash
# Copies the public key and sets correct permissions (prompts for password once) ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server.com

If ssh-copy-id is not available, append the key manually:

bash
cat ~/.ssh/id_ed25519.pub | ssh user@your-server.com \ "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Step 4 — Test the Connection and Load the Agent

Confirm key-based login works:

bash
ssh user@your-server.com # Add the key to your agent so the passphrase is cached for the session ssh-add ~/.ssh/id_ed25519

You should log in without being asked for the account password. If you added a passphrase, you may be prompted for it once (or never again after ssh-add).

Verify or convert your new keyPaste your key into the SSH Key Validator to check its format, strength, and fingerprint — or confirm the public and private halves match. Need it for PuTTY on Windows? Convert it with PEM → PPK.

Troubleshooting

  • Still asked for a password? Check permissions on the server: ~/.ssh must be 700 and authorized_keys must be 600.
  • "Permission denied (publickey)"? Make sure you installed the matching .pub file, and that you are connecting as the right user.
  • Wrong key being offered? Point SSH at the right file explicitly: ssh -i ~/.ssh/id_ed25519 user@host.