ssh-keygen generates, manages, and converts SSH authentication keys. Essential for passwordless SSH access and secure key-based authentication.
Key Generation
- ssh-keygen -t ed25519 - Generate Ed25519 key (recommended)
- ssh-keygen -t rsa -b 4096 - Generate RSA key (4096 bits)
- ssh-keygen -t ecdsa -b 256 - Generate ECDSA key
- ssh-keygen -f ~/.ssh/id_ed25519 - Specify key file location
- ssh-keygen -C "comment" - Add comment to key
Key Management
- ssh-keygen -l -f ~/.ssh/id_ed25519.pub - Show key fingerprint
- ssh-keygen -y -f ~/.ssh/id_ed25519 - Extract public key from private key
- ssh-keygen -p -f ~/.ssh/id_ed25519 - Change passphrase
- ssh-keygen -R hostname - Remove host from known_hosts
Key Conversion
- ssh-keygen -p -m PEM -f old_key - Convert private key to PEM format (rewrites the file in place)
- ssh-keygen -e -f id_rsa.pub -m RFC4716 - Convert to RFC4716 format
- ssh-keygen -i -f publickey - Import a key from another format (RFC4716 by default) and print it in OpenSSH format
Common Examples
Generate Ed25519 Key
ssh-keygen -t ed25519 -C "your_email@example.com"
Generate modern Ed25519 key with email comment.
Generate RSA Key
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
Generate 4096-bit RSA key.
Show Fingerprint
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
Display key fingerprint for verification.
Change Passphrase
ssh-keygen -p -f ~/.ssh/id_ed25519
Change passphrase on existing key.
Copy Public Key
cat ~/.ssh/id_ed25519.pub
Display public key to copy to server.
Remove Host Key
ssh-keygen -R example.com
Remove a host's old entry from known_hosts after a confirmed host key change.
Tips
- Ed25519 is preferred: smaller, faster, and more secure than RSA
- Use RSA 4096-bit minimum if Ed25519 isn't supported
- Always use passphrases for private keys
- Keep private keys secure (~/.ssh/id_*), never share them
- Public keys (.pub) are safe to share
- Use ssh-copy-id to easily copy keys to servers
- Verify fingerprints out-of-band before trusting new hosts
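To show what the fingerprint from ssh-keygen -l covers, and how an out-of-band comparison can be scripted, here is an added example (not part of the original cheat sheet). It parses a public key line, derives the SHA256 fingerprint the way OpenSSH displays it, and reports the key size. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Return (key_type, bits, fingerprint) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner, offset = read_string(blob, 0)
    if inner.decode("ascii") != declared:
        raise ValueError("key type outside and inside the blob differ")
    if declared == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, _ = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif declared == "ssh-ed25519":
        key, _ = read_string(blob, offset)
        bits = len(key) * 8
    else:
        bits = None  # other key types are fingerprinted but not sized here
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared, bits, "SHA256:" + digest


def matches_expected(line, expected_fingerprint):
    """Compare against a fingerprint received out-of-band."""
    _, _, actual = inspect_public_key(line)
    return hmac.compare_digest(actual, expected_fingerprint)


# Constructed sample key (32 fixed bytes, not a real credential).
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
```

The fingerprint is a hash of the decoded key blob only, so the comment field does not affect it.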