ssh-keygen

The ssh-keygen command is part of OpenSSH and is available on Linux, Unix-like systems and Windows. It generates, manages, and converts authentication keys for SSH (Secure Shell): it creates public/private key pairs for passwordless authentication, signs public keys to produce SSH certificates, maintains known_hosts files, and provides options for choosing the key type, converting between key formats and changing passphrases.

Quick Reference

Command Name:

ssh-keygen

Category:

networking

Platform:

Linux/Unix/Windows

Basic Usage:

ssh-keygen [options] [arguments]

Common Use Cases

  • Key generation: Create public/private key pairs for passwordless SSH authentication
  • Key management: Manage, convert, and examine SSH keys and their properties
  • Certificate management: Create and manage SSH certificates for scalable authentication
  • Host verification: Manage and verify SSH host keys to prevent man-in-the-middle attacks
  • Key conversion: Convert between different key formats and show key fingerprints

Syntax

ssh-keygen [options]

Options

Option               Description
-a num               Number of KDF rounds used when the private key is protected by a passphrase (default 16; more rounds make offline passphrase guessing slower)
-b bits              Number of bits in the key (RSA; ECDSA accepts 256, 384 or 521; Ed25519 keys have a fixed size)
-C comment           Comment stored with the key
-e                   Export an OpenSSH key to another format (RFC4716 by default; see -m)
-E hash              Fingerprint hash algorithm for -l: sha256 (default) or md5
-f filename          Key file to create or operate on
-F hostname          Search for hostname in a known_hosts file
-H                   Hash hostnames in a known_hosts file
-i                   Import a key from RFC4716 or another format (see -m)
-k                   Generate a Key Revocation List (KRL)
-l                   Show the fingerprint of a key file
-L                   Print the contents of a certificate
-m key_format        Key format for -e, -i and -p: PEM, PKCS8 or RFC4716
-N new_passphrase    Provide the new passphrase
-p                   Change the passphrase of a private key file
-P passphrase        Provide the old passphrase
-q                   Quiet mode
-Q                   Test whether keys or certificates are revoked in a KRL (the KRL is given with -f)
-R hostname          Remove a host from a known_hosts file
-t type              Key type: rsa, ecdsa, ed25519, ecdsa-sk, ed25519-sk (dsa only on releases before OpenSSH 10.0)
-u                   Update an existing KRL instead of creating a new one
-v                   Verbose mode
-y                   Read a private key file and print the public key

Certificate Options:

Option               Description
-h                   Create a host certificate instead of a user certificate
-I certificate_id    Key identity string; sshd logs it whenever the certificate is used
-n principals        Comma-separated principals (user names or host names) the certificate is valid for
-O option            Certificate option or extension (for example no-port-forwarding, source-address=..., force-command=...)
-s ca_key            CA (Certificate Authority) private key used for signing
-U                   With -s, the CA private key is held by ssh-agent rather than read from disk
-V validity          Validity interval, absolute or relative (for example +52w, or -1d:+1d)
-z serial            Serial number embedded in the certificate (used when revoking by serial)

Examples


Basic Key Generation:

ssh-keygen

Generate a new SSH key pair with default settings. OpenSSH 9.5 and later default to Ed25519; earlier releases default to RSA (3072 bits since OpenSSH 8.0, 2048 bits before that), so check what your version produced.

ssh-keygen -t ed25519

Generate a more secure Ed25519 key (recommended for new deployments).

ssh-keygen -t rsa -b 4096

Generate an RSA key with 4096 bits for stronger security.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Add a comment to the key for easier identification.

ssh-keygen -f ~/.ssh/mykey

Specify a custom filename and path for the key pair.

Key Management:

ssh-keygen -l -f ~/.ssh/id_rsa.pub

Display the fingerprint of a public key.

ssh-keygen -lv -f ~/.ssh/id_rsa.pub

Display the fingerprint and ASCII art visual of a public key.

ssh-keygen -y -f ~/.ssh/id_rsa > id_rsa.pub

Extract the public key from a private key file.

ssh-keygen -p -f ~/.ssh/id_rsa

Change the passphrase of an existing private key.
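The following shell script is an added example, not part of the original page, showing the key-generation and key-management options above used non-interactively together with the checks worth running before trusting a freshly generated key. The key path, comment and passphrases are constructed for the example; the first argument is a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page: generate an Ed25519 key without
# prompts and run the checks worth doing before trusting the files.
# The key path, comment and passphrases below are constructed for the example.

# make_and_verify_key DIR
# Creates DIR/deploy_ed25519 and DIR/deploy_ed25519.pub protected by a
# passphrase, verifies them, rotates the passphrase, and prints the
# SHA256 fingerprint on success (returns non-zero on any failed check).
make_and_verify_key() {
    dir=$1
    key="$dir/deploy_ed25519"
    old_pass='correct horse battery staple'   # constructed sample passphrase
    new_pass='rotated passphrase 2024'        # constructed sample passphrase

    # -t ed25519: modern key type; -a 100: bcrypt KDF rounds (default 16);
    # -N: passphrase; -C: comment; -q: no banner or randomart.
    ssh-keygen -q -t ed25519 -a 100 -N "$old_pass" \
        -C 'deploy@ci (constructed)' -f "$key" >/dev/null || return 1

    # 1. ssh-keygen writes the private key with mode 0600; confirm nothing
    #    (a permissive umask, a copy tool) widened it.
    [ -n "$(find "$key" -perm 600)" ] || { echo "bad permissions on $key" >&2; return 1; }

    # 2. The public key is derived from the private key: regenerate it with -y
    #    and compare type and key material with the .pub written alongside.
    derived=$(ssh-keygen -y -P "$old_pass" -f "$key" | cut -d' ' -f1,2) || return 1
    [ "$derived" = "$(cut -d' ' -f1,2 "$key.pub")" ] || { echo "public key mismatch" >&2; return 1; }

    # 3. Rotate the passphrase in place (-p) instead of generating a new key.
    ssh-keygen -q -p -P "$old_pass" -N "$new_pass" -f "$key" >/dev/null || return 1
    # The old passphrase must no longer decrypt the key...
    if ssh-keygen -y -P "$old_pass" -f "$key" >/dev/null 2>&1; then
        echo "old passphrase still accepted" >&2; return 1
    fi
    # ...and the new one must.
    ssh-keygen -y -P "$new_pass" -f "$key" >/dev/null || return 1

    # 4. Fingerprint the public key (no passphrase needed). The output line
    #    looks like: 256 SHA256:<base64> deploy@ci (constructed) (ED25519)
    ssh-keygen -l -E sha256 -f "$key.pub" | awk '{print $2}'
}
```

Run it as `make_and_verify_key "$(mktemp -d)"`; the printed SHA256 fingerprint is what you would compare against the value shown by the server or by a colleague when the public key is installed.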

Advanced Usage:

ssh-keygen -R hostname

Remove a host from the known_hosts file.

ssh-keygen -F hostname

Search for a hostname in known_hosts file.

ssh-keygen -H -f ~/.ssh/known_hosts

Hash the hostnames in the known_hosts file so that anyone who obtains the file cannot read off which hosts you connect to. ssh-keygen keeps the unhashed original as known_hosts.old; delete it, or the hashing achieves nothing.

ssh-keygen -s ca_key -I certificate_id -n user1,user2 id_rsa.pub

Create a signed SSH user certificate using a CA key; the certificate is written to id_rsa-cert.pub next to the public key, and may only be used by the listed principals.

ssh-keygen -k -f krl_file -s ca_key.pub id_rsa-cert.pub

Create a Key Revocation List (KRL) that revokes the given certificate. Servers enforce it via the RevokedKeys directive in sshd_config; use -u to add entries to an existing KRL and -Q to test a key or certificate against one.
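The following is an added example (not from the original page) that walks the certificate commands above through a complete lifecycle: create a CA, sign a user key with principals, a validity window, a serial number and restrictive options, read the certificate back with -L, then revoke it by serial number with a KRL and check the result with -Q. All file names, the key ID, principals, serial and options are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: a complete user-certificate
# lifecycle with ssh-keygen. The CA path, user name, key ID, principals,
# serial number and options are all constructed for the example.

# issue_cert DIR
# Creates a CA and a user key in DIR, signs the user key, prints the cert path.
issue_cert() {
    dir=$1
    # CA key pair. In production keep user_ca offline or in an agent/HSM
    # (sign with -U when the CA key lives in ssh-agent).
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca (constructed)' \
        -f "$dir/user_ca" >/dev/null || return 1
    # The user's own key; only the public half is sent to the CA for signing.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop (constructed)' \
        -f "$dir/alice" >/dev/null || return 1

    # -I key ID (shows up in sshd logs), -n principals the holder may log in
    # as, -V validity window (8 hours from now), -z serial (what a KRL revokes
    # by), -O critical options and extensions. Output: DIR/alice-cert.pub
    ssh-keygen -q -s "$dir/user_ca" \
        -I 'alice-laptop-2024-05' \
        -n alice,deploy \
        -V +8h \
        -z 7 \
        -O source-address=10.0.0.0/8 \
        -O no-port-forwarding \
        "$dir/alice.pub" >/dev/null || return 1
    echo "$dir/alice-cert.pub"
}

# cert_serial CERT : read the serial back out of the certificate (-L prints it)
cert_serial() {
    ssh-keygen -L -f "$1" | awk '/Serial:/ {print $2}'
}

# revoke_serial DIR SERIAL
# Builds DIR/revoked.krl revoking SERIAL under user_ca. Servers load the KRL
# through the RevokedKeys directive in sshd_config.
revoke_serial() {
    dir=$1
    serial=$2
    # KRL specification file (see KEY REVOCATION LISTS in ssh-keygen(1));
    # serial- and id-based entries need the CA public key, hence -s.
    printf 'serial: %s\n' "$serial" > "$dir/revoke.spec"
    ssh-keygen -q -k -f "$dir/revoked.krl" -s "$dir/user_ca.pub" \
        "$dir/revoke.spec" >/dev/null
}

# is_revoked KRL FILE : returns 0 if the key or certificate in FILE is revoked
# (or cannot be read). ssh-keygen -Q exits non-zero when any argument is
# listed in the KRL.
is_revoked() {
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

Revoking by serial rather than by certificate file is why -z matters: the CA only has to remember which serials it handed out, and a lost certificate can be revoked without a copy of it. The bare public key alice.pub is not affected by the KRL, only certificates with that serial signed by this CA.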


Notes

Key Types:

  • RSA: Traditional key type, widely supported. Use at least 2048 bits; OpenSSH has generated 3072-bit keys by default since 8.0, and 4096 bits is a common choice for long-lived keys.
  • DSA: Digital Signature Algorithm, limited to 1024 bits and considered weak. Disabled by default in OpenSSH 9.8 and removed in OpenSSH 10.0; do not use it for anything new.
  • ECDSA: Elliptic Curve Digital Signature Algorithm on the NIST P-256, P-384 and P-521 curves. Much shorter keys than RSA at comparable strength; signing requires good randomness on the signing host.
  • Ed25519: Modern, secure algorithm with good performance and deterministic signatures, so it does not depend on the RNG at signing time. Recommended for new deployments where supported (OpenSSH 6.5 and later).

Key Security Best Practices:

  • Always protect private keys with strong passphrases
  • Set appropriate permissions: chmod 600 for private keys, chmod 644 for public keys
  • Store private keys only on trusted devices
  • Consider a hardware security key (FIDO2 token) for critical credentials: ssh-keygen -t ed25519-sk or -t ecdsa-sk (OpenSSH 8.2 and later) keeps the private key on the token, so the file on disk is useless without it
  • Regularly audit and rotate keys used for critical systems
  • Keep your SSH implementation updated to address security vulnerabilities
  • Use Ed25519 keys where possible for new deployments

SSH Certificates:

  • SSH certificates provide a more scalable way to manage SSH authentication
  • Allow you to set expiration dates for credentials
  • Simplify key management for large deployments
  • Require setting up a Certificate Authority (CA) infrastructure
  • Can specify allowed principals (users/hosts) for precise access control
  • Can be revoked using Key Revocation Lists (KRLs)

File Locations:

  • ~/.ssh/id_rsa, ~/.ssh/id_ed25519, etc.: Default location for private keys
  • ~/.ssh/id_rsa.pub, ~/.ssh/id_ed25519.pub, etc.: Default location for public keys
  • ~/.ssh/known_hosts: Database of host keys for all hosts you've connected to
  • ~/.ssh/authorized_keys: List of authorized public keys for incoming SSH
  • ~/.ssh/config: User-specific SSH configuration file

Key Management Tips:

  • Add meaningful comments to keys to identify their purpose and owner
  • Backup private keys securely - they cannot be recovered if lost
  • Use ssh-add and ssh-agent to avoid typing your passphrase repeatedly
  • Create separate keys for different purposes or levels of security
  • The ~/.ssh directory should have restricted permissions (chmod 700)
  • Use key fingerprints to verify key identity

Known_hosts Management:

  • The known_hosts file helps prevent man-in-the-middle attacks
  • Hash hostnames in known_hosts for additional privacy
  • Remove hosts with the -R option when their keys change legitimately, but only after confirming the new fingerprint out of band (for example on the server console); an unexplained "host key has changed" warning is exactly what a man-in-the-middle attack looks like
  • The first connection to a new host will prompt to add its key; verify the fingerprint it shows rather than accepting it blindly
  • Consider publishing SSHFP DNS records and setting VerifyHostKeyDNS; this only adds assurance when the zone is DNSSEC-signed and the resolver validates it, otherwise ssh still falls back to prompting
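As an added example (not from the original page) that ties together the -F, -H and -R commands from the Advanced Usage section with the notes above, this shell script works on a constructed known_hosts file rather than ~/.ssh/known_hosts. The hostname is made up, and a host key is generated locally only so that the entry is well-formed.

```shell
#!/bin/sh
# Added example, not from the original page: exercise -F / -H / -R against a
# constructed known_hosts file instead of ~/.ssh/known_hosts. The hostname is
# made up; the host key is generated locally only to have a valid entry.

host=bastion.example.com   # constructed hostname

# build_known_hosts DIR : write a one-line plaintext known_hosts, print its path
build_known_hosts() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'constructed host key' \
        -f "$dir/hostkey" >/dev/null || return 1
    # known_hosts entry format: "hostname keytype base64" (comment optional)
    printf '%s %s\n' "$host" "$(cut -d' ' -f1,2 "$dir/hostkey.pub")" > "$dir/known_hosts"
    echo "$dir/known_hosts"
}

# host_known FILE HOST : 0 if HOST has an entry in FILE (hashed or plaintext).
# -F prints "# Host X found: line N" followed by the entry, nothing if absent.
host_known() {
    ssh-keygen -F "$2" -f "$1" | grep -q 'ssh-ed25519'
}

# hash_file FILE : replace plaintext hostnames with |1|salt|hash entries.
# ssh-keygen keeps the original as FILE.old; remove it or hashing is pointless.
hash_file() {
    ssh-keygen -H -f "$1" >/dev/null || return 1
    rm -f "$1.old"
    # Every entry should now be hashed; fail if any plaintext name survived.
    ! grep -qv '^|1|' "$1"
}

# forget_host FILE HOST : drop HOST's entry, e.g. after a verified key rotation.
# Only do this after confirming the new fingerprint out of band; a surprise
# "host key changed" warning is exactly what a man-in-the-middle looks like.
forget_host() {
    ssh-keygen -R "$2" -f "$1" >/dev/null 2>&1 || return 1
    rm -f "$1.old"
}
```

Note that -F still finds the host after hashing even though the hostname no longer appears in the file in clear text, which is what makes hashed files usable day to day.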

Related Commands:

  • ssh - Secure Shell client for remote login
  • ssh-copy-id - Install your public key in a remote machine's authorized_keys
  • ssh-agent - Authentication agent that holds decrypted private keys in memory
  • ssh-add - Add private keys to the authentication agent
  • ssh-keyscan - Collect host public keys for known_hosts (verify the fingerprints out of band before trusting them)
  • ssh-import-id - Import public keys from a launchpad or GitHub account into authorized_keys
  • scp - Secure copy, transfers files over SSH
  • sftp - SSH File Transfer Protocol client, an FTP-like interface over SSH

Tips & Tricks

1. Use Ed25519 keys: ssh-keygen -t ed25519 for more secure and faster modern keys

2. Add useful comments: ssh-keygen -t rsa -b 4096 -C "work laptop key" to identify keys later

3. Secure your keys: chmod 600 ~/.ssh/id_rsa to set proper permissions on private keys

4. Check key fingerprints: ssh-keygen -l -f ~/.ssh/id_rsa.pub to verify key identity

5. See the visual key representation: ssh-keygen -lv -f ~/.ssh/id_rsa.pub prints the randomart fingerprint

6. Change your passphrase: ssh-keygen -p -f ~/.ssh/id_rsa updates the passphrase without generating a new key

7. Use a stronger KDF: ssh-keygen -t rsa -b 4096 -a 100 makes offline guessing of the passphrase slower (the default is 16 rounds)

8. Separate keys per purpose: keep distinct keys for different services so that one compromised key does not expose everything

9. Restore a public key: ssh-keygen -y -f ~/.ssh/id_rsa > id_rsa.pub if you lose the public key


