Getting Started with SSH KeyGen
Secure Shell (SSH) is a network protocol that allows the establishment of a secure channel between a local computer and a remote server or service. To take advantage of SSH key-based authentication, you can generate new SSH keys using the ssh-keygen utility.
SSH uses public-key cryptography to authenticate the remote computer and encrypt data sent over the connection. The private key stays on the local system, while the public key gets copied to a remote server or service to authorize access.
Using ssh-keygen to create SSH keys enables several important security benefits:
- No need to enter passwords manually each time you connect to a server.
- Encryption of data flowing over the SSH connection.
- Ability to disable password-based logins, which are prone to brute force attacks.
- Flexibility to revoke compromised keys and generate new ones.
This guide will walk through the entire process of using SSH-keygen to generate new SSH keys on Linux, macOS, and Windows devices. We will cover key types, bit lengths, and formats, as well as recommendations for secure storage and usage of sensitive private keys.
Key Takeaways
- SSH keys allow secure remote login without using passwords.
- The ssh-keygen command generates new SSH key pairs consisting of a public and private key.
- The private key stays on the local computer, and the public key is copied to remote servers.
- SSH keys use encryption to provide strong security for remote connections.
- Generating keys with ssh-keygen avoids reliance on weaker password-based logins.
- New keys can be created to replace or revoke compromised SSH keys if needed.
Prerequisites for Using ssh-keygen
To generate and use SSH keys for authentication, you will need:
- Access to a command line terminal on Linux/macOS or the Windows Command Prompt.
- The ssh-keygen program was installed. This comes standard on Linux and macOS. For Windows, install an SSH client like PuTTY.
- An account on the remote server to connect to. You’ll need permission to copy public keys to user ~/.ssh folders.
- Basic understanding of terminal commands and text editors like nano/vi on Linux or Notepad on Windows.
As long as you meet the above requirements, you can use SSH-keygen to create SSH keys on any desktop OS or server distribution without issue. The ssh-keygen syntax is consistent across platforms.
A Step-by-Step Guide to Generate New SSH Key using SSH KeyGen
Follow the steps to generate new SSH Key using ssh-keygen.
- Run ssh-keygen and Specify the Key File Name
- Specify an Optional Passphrase
- Generate the Key Pair
- Configure Additional ssh-keygen Options
- Copy the Public Key to a Remote Server
- Disable Password Authentication on the Remote Server
- Increase Private Key Protection on Linux/macOS
- Generate Keys for Specific SSH Clients Like PuTTY (Optional)
Step: 1 Run ssh-keygen and Specify the Key File Name
The first step is running the ssh-keygen command itself. This will start the SSH key generation process.
On Linux or macOS, open up a terminal window. On Windows, launch the Command Prompt. Then enter the following:
ssh-keygen
When this command runs, it will ask you to specify the file path where the key will be generated.
By default, SSH keys get stored under the ~/.ssh directory on Linux/macOS systems and Documents\\SSH on Windows. The private key gets saved as id_rsa, while the public key gets saved as id_rsa.pub.
To accept the default location and file names, press Enter when ssh-keygen prompts you:
Enter file in which to save the key (/Users/demo/.ssh/id_rsa):
If you want to use a custom location or file name, enter it at the prompt. For example:
Enter file in which to save the key (/Users/demo/.ssh/id_rsa): /Custom/path/my_key_rsa
This will save the private key as my_key_rsa instead of id_rsa in the specified directory.
Step: 2 Specify an Optional Passphrase
After specifying the key file path, ssh-keygen will prompt you to add an optional passphrase:
Enter passphrase (empty for no passphrase):
The passphrase acts as an extra layer of protection for the private key. You won’t be able to use the private key without entering the passphrase, even if someone gains access to the private key file.
Passphrases should be strong, lengthy, and memorable. An ideal passphrase might be a sentence or two with spaces and punctuation mixed with letters, numbers, and symbols.
If you don’t want to use a passphrase, just hit Enter to leave it empty. However, using a passphrase does provide additional security for the key.
Step: 3 Generate the Key Pair
Next, ssh-keygen will begin generating the public/private key pair using a cryptographic algorithm.
By default, ssh-keygen uses the RSA algorithm with a 2048-bit key length, which is considered secure for most purposes.
You will see a progress indicator as ssh-keygen creates the keys:
Generating public/private rsa key pair.
.............................................................
..........................
The key generation should only take a few seconds to complete. Afterwards, you will see the following output:
Your identification has been saved in /Custom/path/my_key_rsa
Your public key has been saved in /Custom/path/my_key_rsa.pub
This indicates the private key (my_key_rsa) and public key (my_key_rsa.pub) have been successfully created.
You can now find the private key and public key files in the specified location on your local system.
Step 4: Configure Additional ssh-keygen Options (Optional)
After finishing the initial ssh-keygen command, you will have the basics of SSH key generation. However, there are a few additional options you may want to consider.
Specify a Key Type and Length
By default, ssh-keygen creates RSA keys with a 2048-bit length. However, you can also generate other types of keys like ECDSA or ED25519.
To specify a different key type, use the -t option:
ssh-keygen -t ecdsa -b 521
This generates 521-bit ECDSA keys instead of the default 2048-bit RSA keys.
You can adjust the bit length using -b as shown above. Typically, 2048 to 4096 bits are sufficient for RSA keys and 256 to 521 bits for ECDSA keys.
Change the Key Comment
By default, SSH keys contain a generic comment with the user@hostname.
You can set a custom comment with -C to help identify a key:
ssh-keygen -C "My Work Laptop"
Use a Non-Standard File Format
ssh-keygen supports different formats for private and public key files.
The default is an OpenSSH key format. To generate keys in a PKCS#8 format instead, use:
ssh-keygen -m PEM
For a PuTTY compatible format, use the following:
ssh-keygen -m PUTTY
The format primarily affects the private key file. The public key format usually stays OpenSSH.
Review the ssh-keygen Man Page
For a full list of options supported by ssh-keygen, you can review the man page.
On Linux/macOS:
man ssh-keygen
On Windows, consult the documentation for your SSH client.
This will list all possible key types, bit lengths, formats, and more in detail.
Step: 5 Copy the Public Key to a Remote Server
After generating an SSH key pair with ssh-keygen, you need to copy the public key to any remote servers you want to connect to. This will authorize your local private key to access the server.
To copy a public key to a remote host:
- Copy the contents of the public key file (id_rsa.pub or similar)
- SSH into the remote server
- Create or edit ~/.ssh/authorized_keys on the remote server
- Paste the public key contents as a new line in authorized_keys
For example:
ssh demo@server
nano ~/.ssh/authorized_keys
Paste the public key, save the file, and exit the text editor. Your private key will now allow you to SSH or authenticate without a password.
You can also use SSH utilities like ssh-copy-id to simplify public key copying in some cases.
The public key needs to be copied to each remote server you want to use passwordless authentication. Once added, SSH keys provide a secure and convenient way to log into the server.
After setting up key-based authentication, you should disable password-based remote logins to enforce SSH key usage fully.
Step: 6 Disable Password Authentication on the Remote Server
Allowing both password and SSH key authentication gives users two ways to gain access to a server. For better security, you should disable password authentication.
This will force all users to connect using SSH keys instead of falling back on more vulnerable passwords.
To disable password logins on a Linux/UNIX server, edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication setting and change it to “no”:
PasswordAuthentication no
Save changes and restart the sshd service:
sudo systemctl restart sshd
Now, only SSH key holders will be allowed to sign in. This prevents brute-force password attacks.
On Windows, you can uncheck password authentication in PuTTY under Connection > Data > Auto-login username.
Step: 7 Increase Private Key Protection on Linux/macOS
Once generated, your private SSH key should be carefully protected since it allows full access to your servers.
Here are some tips for securing your private SSH keys on Linux/macOS:
- Set strict permissions on the private key – only you should be able to read/write it.
- Store private keys on encrypted volumes or file systems to protect at-rest data.
- Use SSH agents like ssh-agent to hold decrypted keys temporarily in memory instead of on disk.
- Enable key passphrase for an extra layer of protection from unauthorized use.
- Rotate/revoke keys if compromised and generate new key pairs periodically.
- Never share your private key or check it into version control systems.
Taking steps to lock down your private SSH keys will prevent them from being misused if your system is breached.
Step: 8 Generate Keys for Specific SSH Clients Like PuTTY (Optional)
So far, we’ve covered the standard OpenSSH ssh-keygen tool found on Linux and macOS. This tool generates keys that will work for native OpenSSH clients.
However, you may need keys in a different format for certain SSH clients and programs:
- PuTTY on Windows – Generate PuTTY compatible .ppk private keys.
- FileZilla – Needs .ppk keys for SFTP file transfers.
- Amazon AWS – AWS instances require .pem formatted SSH keys.
- Ansible – Requires OpenSSH formatted SSH keys.
- Git – Can use OpenSSH keys for Git SSH authentication.
To generate keys for a specific SSH client or service, just pass the required format option to ssh-keygen:
# PuTTY Keys ssh-keygen -m PUTTY -t RSA -C "PuTTY Key" # AWS PEM Keys ssh-keygen -m PEM -t rsa -C "AWS Instance Key" # OpenSSH Keys for Git, Ansible, Linux ssh-keygen -t rsa -b 4096 -C "SSH Key"
Final Thoughts
Using ssh-keygen to generate SSH key pairs enables secure authentication for SSH and SFTP sessions, remote server automation, git push/pull, and other activities without relying on basic passwords alone.
Key-based authentication improves security by removing credential transmission over the network and mitigating brute force password guessing attacks through disabled password logins.
Following the steps here will allow you to generate new keys using ssh-keygen with custom locations, filenames, key types, passphrases, and formats across Linux, Windows, macOS, and other operating systems.
Once you have an SSH key pair, remember to copy the public key to any servers you need passwordless access to. Take care to properly secure and protect your private key with permissions, encryption, revocation, and rotation as needed.
Adopting SSH public-key authentication with ssh-keygen is one of the best ways to boost security and convenience for your remote server and service access. The encrypted connections and lack of transmitted secrets afforded by SSH keys enable more trusted and controlled access to critical systems and data.
Frequently Asked Questions (FAQs)
What is the default SSH key type generated by ssh-keygen?
The default key type generated by ssh-keygen is an RSA key with a 2048-bit length.
Can I use SSH-keygen to convert existing SSH keys to a new format?
Yes, you can use SSH-keygen to convert between OpenSSH, PuTTY, PEM, and other SSH key formats by exporting and importing keys.
How do I generate SSH keys for AWS instances?
Use the ssh-keygen -m PEM option to generate keys in the .pem format required by AWS for EC2 instances.
Where are SSH keys stored on Windows by default?
On Windows, SSH keys generate under C:\\Users\\username\\Documents\\SSH by default unless a custom path is specified.
Does ssh-keygen work on Mac computers?
Yes, you can use ssh-keygen on MacOS the same way you can on Linux to generate SSH key pairs for authentication.
How do I copy my public key to a Linux server?
Use ssh-copy-id or manually copy the key to ~/.ssh/authorized_keys on the remote server to add your public key for passwordless login.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
