ssh-keygen

The ssh-keygen command is one of the most frequently used commands in Linux/Unix-like operating systems. It is used to generate, manage, and convert authentication keys for SSH (Secure Shell). It creates public/private key pairs for secure passwordless authentication, and provides options for key type selection, key conversion, and key management.

Quick Reference

Command Name:

ssh-keygen

Category:

networking

Platform:

Linux/Unix/Windows

Basic Usage:

ssh-keygen [options] [arguments]

Common Use Cases

  1. SSH key generation: Generate SSH keys for secure authentication
  2. Security: Ensure secure communication between systems
  3. Scripting: Use in shell scripts to automate SSH key generation
  4. Remote administration: Administer remote systems securely

Syntax

ssh-keygen [options]

Options

Option              Description
-a num              Number of KDF (Key Derivation Function) rounds for the private key passphrase
-b bits             Number of bits in the key
-C comment          Add a comment to the key
-e                  Export an OpenSSH key to RFC4716 format
-f filename         Filename of the key file
-F hostname         Search for hostname in the known_hosts file
-H                  Hash hostnames in the known_hosts file
-i                  Import a key from RFC4716 format
-l                  Show the fingerprint of a key file
-m key_format       Key format: PEM, PKCS8, RFC4716
-N new_passphrase   Provide the new passphrase
-p                  Change the passphrase of a private key file
-P passphrase       Provide the old passphrase
-q                  Quiet mode
-R hostname         Remove a host from the known_hosts file
-t type             Key type (rsa, dsa, ecdsa, ed25519)
-v                  Verbose mode
-y                  Read a private key file and print the public key

Certificate Options:

Option              Description
-I certificate_id   Identity string for the certificate
-n principals       Principals (users/hosts) for the certificate
-O option           Specify a certificate option
-s ca_key           CA (Certificate Authority) key for signing
-V validity         Validity period of the certificate
-z serial           Serial number for the certificate

Examples

How to Use These Examples

The examples below show common ways to use the ssh-keygen command. Try them in your terminal to see the results.

Basic Key Generation:

ssh-keygen

Generate a new SSH key pair with default settings (RSA, 2048 bits).

ssh-keygen -t ed25519

Generate a more secure Ed25519 key (recommended for new deployments).

ssh-keygen -t rsa -b 4096

Generate an RSA key with 4096 bits for stronger security.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Add a comment to the key for easier identification.

ssh-keygen -f ~/.ssh/mykey

Specify a custom filename and path for the key pair.

Key Management:

ssh-keygen -l -f ~/.ssh/id_rsa.pub

Display the fingerprint of a public key.

ssh-keygen -lv -f ~/.ssh/id_rsa.pub

Display the fingerprint and ASCII art visual of a public key.

ssh-keygen -y -f ~/.ssh/id_rsa > id_rsa.pub

Extract the public key from a private key file.

ssh-keygen -p -f ~/.ssh/id_rsa

Change the passphrase of an existing private key.

Advanced Usage:

ssh-keygen -R hostname

Remove a host from the known_hosts file.

ssh-keygen -F hostname

Search for a hostname in known_hosts file.

ssh-keygen -H -f ~/.ssh/known_hosts

Hash the hostnames in the known_hosts file so it no longer reveals which hosts you have connected to.

ssh-keygen -s ca_key -I certificate_id -n user1,user2 id_rsa.pub

Create a signed SSH certificate using a CA key.

ssh-keygen -k -f krl_file -s ca_key.pub id_rsa-cert.pub

Create a Key Revocation List (KRL) to revoke a certificate.

Notes

Key Types:

  • RSA: Traditional key type, widely supported. Use at least 2048 bits, preferably 4096 bits for security.
  • DSA: Digital Signature Algorithm, limited to 1024 bits and considered less secure. Not recommended for new deployments.
  • ECDSA: Elliptic Curve Digital Signature Algorithm, shorter keys with equivalent security to RSA.
  • Ed25519: Modern, secure algorithm with good performance. Recommended for new deployments where supported.

Key Security Best Practices:

  • Always protect private keys with strong passphrases
  • Set appropriate permissions: chmod 600 for private keys, chmod 644 for public keys
  • Store private keys only on trusted devices
  • Consider using a hardware security key for critical credentials
  • Regularly audit and rotate keys used for critical systems
  • Keep your SSH implementation updated to address security vulnerabilities
  • Use Ed25519 keys where possible for new deployments

SSH Certificates:

  • SSH certificates provide a more scalable way to manage SSH authentication
  • Allow you to set expiration dates for credentials
  • Simplify key management for large deployments
  • Require setting up a Certificate Authority (CA) infrastructure
  • Can specify allowed principals (users/hosts) for precise access control
  • Can be revoked using Key Revocation Lists (KRLs)

File Locations:

  • ~/.ssh/id_rsa, ~/.ssh/id_ed25519, etc.: Default location for private keys
  • ~/.ssh/id_rsa.pub, ~/.ssh/id_ed25519.pub, etc.: Default location for public keys
  • ~/.ssh/known_hosts: Database of host keys for all hosts you've connected to
  • ~/.ssh/authorized_keys: List of authorized public keys for incoming SSH
  • ~/.ssh/config: User-specific SSH configuration file

Key Management Tips:

  • Add meaningful comments to keys to identify their purpose and owner
  • Backup private keys securely - they cannot be recovered if lost
  • Use ssh-add and ssh-agent to avoid typing your passphrase repeatedly
  • Create separate keys for different purposes or levels of security
  • The ~/.ssh directory should have restricted permissions (chmod 700)
  • Use key fingerprints to verify key identity

Known_hosts Management:

  • The known_hosts file helps prevent man-in-the-middle attacks
  • Hash hostnames in known_hosts for additional privacy
  • Remove hosts with the -R option when their keys change legitimately
  • The first connection to a new host will prompt to add its key
  • Consider using SSHFP DNS records with VerifyHostKeyDNS for additional verification
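As an added example, not part of this reference page or of OpenSSH itself, the following Python reproduces two of the formats ssh-keygen works with above: the SHA256 fingerprint that -l prints for a public key, and the hashed known_hosts host field that -H writes and -F has to match. It assumes the OpenSSH public-key line and hashed known_hosts formats; the key material and salt are constructed for illustration, not real credentials.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line):
    """Split 'type base64blob [comment]' into (key_type, blob, comment).
    The blob starts with a length-prefixed copy of the type string, so a
    mismatch indicates a corrupted or tampered authorized_keys line."""
    parts = line.strip().split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) > 2 else ""
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    return key_type, blob, comment


def sha256_fingerprint(blob):
    """Digest of the raw blob, printed the way 'ssh-keygen -l' does:
    'SHA256:' followed by base64 with the trailing padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(hostname, salt):
    """The '|1|salt|hmac' host field 'ssh-keygen -H' writes: HMAC-SHA1
    keyed with a 20-byte salt over the hostname (OpenSSH uses a random salt)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def known_hosts_matches(entry, hostname):
    """What 'ssh-keygen -F hostname' must do for a hashed entry: recompute the
    HMAC with the stored salt and compare in constant time. Unhashed entries
    are matched on their comma-separated names (no wildcard patterns here)."""
    host_field = entry.split()[0]
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")
    _, _, salt_b64, mac_b64 = host_field.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(),
                        hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


# Constructed sample data: an Ed25519 public key whose 32 key bytes are all
# zero (never a real key) and a fixed salt standing in for the random one.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_LINE = "ssh-ed25519 %s alice@example.com" % base64.b64encode(_BLOB).decode()
SALT = bytes(range(20))
HASHED_ENTRY = hashed_host_field("bastion.example.com", SALT) + " " + SAMPLE_LINE
```

Running the same fingerprint function over a key file's raw blob and comparing it with what `ssh-keygen -l` prints is a quick way to confirm the key you are about to trust is the one you were sent.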

Related Commands:

  • ssh - Secure Shell client for remote login
  • ssh-copy-id - Install your public key in a remote machine's authorized_keys
  • ssh-agent - Authentication agent that stores unencrypted keys in memory
  • ssh-add - Add private keys to the authentication agent
  • scp - Secure Copy, transfers files securely using SSH protocol
  • sftp - Secure FTP, provides FTP-like interface over SSH

Tips & Tricks

  1. Use the -t option to specify the key type
  2. Use the -b option to specify the key length
  3. Use the -N option to specify a passphrase
  4. Use the -f option to specify the output file
  5. Use the -C option to add a comment
