How to Create an SSH Key: A Complete Guide
SSH keys are one of the most reliable ways to secure remote connections — more robust than passwords and far less prone to brute-force attacks. Whether you're connecting to a Linux server, pushing code to GitHub, or managing cloud infrastructure, knowing how to generate and use SSH keys is a foundational skill.
What Is an SSH Key and Why Does It Matter?
An SSH key pair consists of two cryptographically linked files: a private key (which stays on your machine) and a public key (which you share with the remote server or service). When you connect, the server checks whether your private key matches the public key it has on file — no password required.
This system works because the keys are mathematically paired. Even if someone intercepts your public key, they can't reverse-engineer your private key from it. That's what makes SSH key authentication significantly stronger than a traditional password login.
The Components of an SSH Key Pair
| Component | Where It Lives | What It Does |
|---|---|---|
| Private key | Your local machine | Proves your identity — never shared |
| Public key | Remote server or service | Verifies your identity against the private key |
| Passphrase (optional) | Stored in memory/agent | Adds a second layer of protection to your private key |
How to Generate an SSH Key 🔑
The most common tool for creating SSH keys is ssh-keygen, which comes pre-installed on macOS, Linux, and Windows 10/11 (via OpenSSH).
Step 1: Open Your Terminal
- macOS / Linux: Open Terminal
- Windows: Use PowerShell, Command Prompt, or Windows Terminal (all support OpenSSH natively since Windows 10 version 1809)
Step 2: Run the Key Generation Command
ssh-keygen -t ed25519 -C "[email protected]" Breaking this down:
-t ed25519specifies the key type. Ed25519 is a modern elliptic-curve algorithm — fast, compact, and widely considered the current best practice for new keys.-Cadds a comment (typically your email) to help you identify the key later.
If you're connecting to a system that doesn't support Ed25519 (some older servers or services still require RSA), use:
ssh-keygen -t rsa -b 4096 -C "[email protected]" The -b 4096 flag sets the key length to 4096 bits — a stronger RSA key than the default 2048-bit option.
Step 3: Choose a File Location
You'll be prompted:
Enter file in which to save the key (/home/youruser/.ssh/id_ed25519): Pressing Enter accepts the default location (~/.ssh/). This is the standard directory and usually the right choice — most SSH clients look here automatically. If you're managing multiple keys for different servers or accounts, you can specify a custom filename to keep them organized.
Step 4: Set a Passphrase (Recommended)
Enter passphrase (empty for no passphrase): A passphrase encrypts your private key on disk. Without it, anyone who gains access to your machine can use your private key immediately. With a passphrase, they'd also need to know it.
For everyday use, storing your passphrase in an SSH agent (ssh-agent) means you only enter it once per session — so security doesn't come at the cost of convenience.
Step 5: Confirm Your Keys Were Created
After generation, you'll find two files in your ~/.ssh/ directory:
id_ed25519— your private key (permissions should be600— readable only by you)id_ed25519.pub— your public key (safe to share)
You can verify with:
ls -la ~/.ssh/ Adding Your Public Key to a Remote Server
To use key-based authentication, the remote server needs your public key added to its ~/.ssh/authorized_keys file. The simplest way:
ssh-copy-id username@server_address This appends your public key to the server's authorized_keys automatically. If ssh-copy-id isn't available (common on some Windows setups), you can manually copy the contents of your .pub file and paste them into the server's authorized_keys.
For services like GitHub, GitLab, or Bitbucket, you paste the public key directly into the platform's SSH key settings — no server access required.
Key Types: Which Algorithm Should You Use?
| Algorithm | Recommended? | Notes |
|---|---|---|
| Ed25519 | ✅ Yes | Modern, fast, compact — preferred for new keys |
| RSA 4096 | ✅ Conditionally | Use when Ed25519 isn't supported |
| RSA 2048 | ⚠️ Aging | Still common but consider upgrading |
| DSA / ECDSA | ❌ Generally avoid | DSA is deprecated; ECDSA has implementation concerns |
Variables That Affect Your Setup 🖥️
Generating a key is straightforward, but several factors shape exactly how you'll do it and what choices make sense:
- Operating system and version: Windows users before version 1809 may need to install OpenSSH separately or use a tool like PuTTYgen (which generates
.ppkformat keys, not directly compatible with OpenSSH) - Target server or service requirements: Some legacy systems only accept RSA; others have specific minimum key lengths
- Number of keys you're managing: Power users often maintain separate keys per service or client, requiring organized naming conventions and SSH config files
- Security environment: A shared or less-controlled machine changes the calculus on passphrases and key storage significantly
- SSH agent availability: Some environments (CI/CD pipelines, containers, certain IDEs) handle key authentication differently than a standard terminal session
The process of generating the key itself takes seconds. The more nuanced decisions — which algorithm fits your target system, how to organize multiple keys, whether to use an agent and how, and how to handle keys across devices — depend on your specific environment and how you're working.