How to Create an SSH Key for GitHub (Step-by-Step Guide)
If you've ever typed your GitHub username and password repeatedly just to push a commit, SSH keys are the fix. They let your machine authenticate with GitHub automatically — securely, without a password prompt every time. Here's exactly how SSH keys work and how to set one up.
What Is an SSH Key and Why Does GitHub Use It?
SSH (Secure Shell) is a cryptographic protocol for secure communication between two machines. When you connect to GitHub via SSH, your identity is verified using a key pair — two mathematically linked files:
- Private key — stays on your machine, never shared
- Public key — uploaded to GitHub, used to verify you
When you attempt a connection, GitHub sends a challenge that only your private key can solve. If it matches the public key on file, access is granted. No password required.
This is meaningfully more secure than HTTPS with a password, and it's the standard approach for developers who work with Git regularly.
What You'll Need Before You Start
- A terminal (macOS/Linux have one built in; Windows users can use Git Bash, WSL, or PowerShell with OpenSSH)
- A GitHub account
- Git installed on your machine
Step 1: Check for Existing SSH Keys 🔑
Before generating a new key, check whether one already exists on your system:
ls -al ~/.ssh Look for files named id_ed25519, id_rsa, id_ecdsa, or similar. If you find a matching .pub file alongside one of these, you may already have a key pair ready to use.
If the directory doesn't exist or is empty, proceed to generate a new key.
Step 2: Generate a New SSH Key
The current GitHub-recommended algorithm is Ed25519, which is faster and more secure than the older RSA standard:
ssh-keygen -t ed25519 -C "[email protected]" Replace the email with the one linked to your GitHub account — it's used as a label only, not for authentication.
If your system doesn't support Ed25519 (older environments), use RSA with a 4096-bit key:
ssh-keygen -t rsa -b 4096 -C "[email protected]" What happens next:
- You'll be asked where to save the key — press Enter to accept the default location (
~/.ssh/id_ed25519) - You'll be prompted for a passphrase — this is optional but strongly recommended. It adds a second layer of protection if your private key file is ever accessed
Step 3: Add the Key to the SSH Agent
The SSH agent is a background process that manages your keys and handles authentication requests. Start it and add your key:
eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519 On macOS, you may want to update your ~/.ssh/config file to load the key automatically and store the passphrase in your Keychain:
Host github.com AddKeysToAgent yes UseKeychain yes IdentityFile ~/.ssh/id_ed25519 On Windows with Git Bash, the process is largely the same. With PowerShell, you may need to enable the OpenSSH Authentication Agent service first.
Step 4: Copy Your Public Key
Your public key needs to go to GitHub. Display it in the terminal:
cat ~/.ssh/id_ed25519.pub Copy the entire output — it begins with ssh-ed25519 and ends with your email label.
Alternatively, use a clipboard shortcut:
- macOS:
pbcopy < ~/.ssh/id_ed25519.pub - Linux:
xclip -sel clip < ~/.ssh/id_ed25519.pub - Git Bash on Windows:
clip < ~/.ssh/id_ed25519.pub
Step 5: Add the Public Key to GitHub 🖥️
- Go to GitHub.com and sign in
- Click your profile photo → Settings
- In the left sidebar, select SSH and GPG keys
- Click New SSH key
- Give it a descriptive title (e.g., "Work MacBook" or "Home Linux Desktop")
- Paste your public key into the Key field
- Click Add SSH key
Step 6: Test Your Connection
Verify everything is wired up correctly:
ssh -T [email protected] A successful response looks like:
Hi username! You've successfully authenticated, but GitHub does not provide shell access. If you see a warning about the host's authenticity on first connection, type yes to add GitHub to your known hosts.
Key Variables That Affect Your Setup
| Factor | How It Affects Things |
|---|---|
| Operating system | macOS, Linux, and Windows each handle the SSH agent differently |
| Ed25519 vs RSA | Ed25519 is preferred; RSA may be needed on legacy systems |
| Passphrase use | Adds security but requires agent configuration to avoid repeated prompts |
| Multiple accounts | Requires separate key pairs and a custom ~/.ssh/config with host aliases |
| Org or enterprise GitHub | May have additional key policies or SSO requirements |
Managing Multiple GitHub Accounts
If you use both a personal and a work GitHub account on the same machine, a single SSH key won't cleanly cover both. You'll need separate key pairs and a ~/.ssh/config file that maps different hostnames to different identity files. The configuration tells Git which key to use based on the remote URL pattern.
When Things Go Wrong
- Permission denied (publickey): The public key wasn't added correctly, or the wrong key is being offered
- Agent not running: Re-run
eval "$(ssh-agent -s)"and re-add the key - Wrong remote URL: Confirm your repo uses an SSH URL (
[email protected]:user/repo.git) rather than an HTTPS URL
Whether a passphrase adds more friction than security for your workflow, or how to handle SSH keys across multiple machines and accounts, depends entirely on how you've structured your development environment.