SSH Keys Explained: Public vs Private Keys

SSH keys let you log into servers without a password by proving you hold a private key that matches a public key on the server. This article explains how the pair works and which algorithm to choose.


SSH keys are a pair of cryptographic files that let you authenticate to a server without typing a password. Instead of sending a secret over the wire, your client proves it holds a private key that mathematically matches a public key already stored on the server. It is both more convenient and dramatically more secure than password login.

What Is an SSH Key Pair?

Every SSH key is actually two files generated together as a pair:

  • The private key — a secret file that stays on your machine (typically ~/.ssh/id_ed25519). Anyone who has it can log in as you, so it must never be shared or uploaded anywhere.
  • The public key — a short, non-secret string (typically ~/.ssh/id_ed25519.pub) that you can freely copy onto servers, paste into GitHub, or email to a colleague.

The two are linked by asymmetric cryptography: the public key can verify a signature made by the private key, but it cannot be used to reconstruct the private key. That one-way relationship is what makes the scheme safe.

Generate a key pair in secondsYou can create a fresh RSA, ECDSA, or Ed25519 key pair right in your browser with the ShowDNS SSH Key Generator — no command line required — then download both halves in PEM or PPK format.

How SSH Key Authentication Works

When you connect to a server that has your public key installed, a challenge–response handshake runs automatically:

  1. Your client tells the server which public key it wants to use.
  2. The server checks that this public key is listed in the account's ~/.ssh/authorized_keys file.
  3. The server sends a random challenge. Your client signs it with the private key and returns the signature.
  4. The server verifies the signature against the public key. If it checks out, you are logged in — the private key itself never leaves your machine.

Installing Your Public Key on a Server

To enable key-based login, the public key must be appended to ~/.ssh/authorized_keys on the server. The easiest way is ssh-copy-id:

bash
# Copy your public key to a server (prompts for password once) ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server.com # Then log in with no password ssh user@your-server.com

Each line in authorized_keys is a single public key. It looks like this:

text
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFq7kX2mPzR8wNvT4aYcE9oJd1sHguB6iLKM3nx5UeQZ user@laptop

RSA vs ECDSA vs Ed25519

SSH supports several key algorithms. For new keys, the choice is straightforward:

  • Ed25519 — the modern default. Small (256-bit), fast, and highly secure. Recommended for almost every new key.
  • ECDSA — elliptic-curve keys (P-256/384/521). Compact and secure; a reasonable choice when Ed25519 is not supported by an older client.
  • RSA — the most widely compatible. Use at least 4096 bits for strong security. Best when you need to support legacy systems or appliances.
  • DSA — deprecated and disabled in modern OpenSSH. Do not use it for new keys.
bash
# Modern default — Ed25519 ssh-keygen -t ed25519 -C "you@example.com" # Maximum compatibility — RSA 4096 ssh-keygen -t rsa -b 4096 -C "you@example.com"
Always protect the private keyAnyone who copies your private key can impersonate you on every server that trusts it. Store it withchmod 600 permissions, add a strong passphrase, and never paste it into a website, chat, or ticket.

Passphrases and Key Formats

A private key can be encrypted with a passphrase, so a stolen file is useless without it. To avoid retyping the passphrase constantly, load the key into an agent with ssh-add.

Keys are also stored in different formats. OpenSSH and Linux/macOS use the PEM-style format, while PuTTY on Windows uses its own .ppk format. If you move between the two, you can convert without regenerating the key — see PEM vs PPK: SSH Key Formats Compared.

Checking a Key You Already Have

Not sure whether a key is valid, what algorithm it uses, or whether a public and private key belong together? Paste them into the SSH Key Validator to inspect the format, strength, and fingerprint, or to confirm that a key pair matches before you install it.