Dennis Tretyakov

How to make an SSH key with ssh-keygen

ssh-keygen is the simplest tool for generating an SSH key. It comes pre-installed on most Linux distros and on macOS.
For Windows users the easiest way is to use Git Bash, which ships with Git (even the portable edition), or to use WSL.

If it is somehow missing on Linux, it is part of OpenSSH.
On Debian-based distros (including Ubuntu) install the openssh-client package; on Arch, install openssh.

The basic usage

$ ssh-keygen

You’ll be prompted for a path where the generated key will be stored, with the default pointing to ~/.ssh/id_rsa.
If you intend to use the key for personal identification on the current machine, accept the default. If the file already exists and you are unsure about overwriting it, just give it another name starting with id_, like ~/.ssh/id_me.

The private key will be written to the path you’ve chosen, and the public key will be stored next to it with the .pub suffix, as in the example below.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pZ34ZJacthnDwNMuRIMdbJ87xpFJAv12JXBPxJnae4E username@hostname
The key's randomart image is:
+---[RSA 3072]----+
|      .*+....ooo |
|      .o*o...o=  |
|       .==o+ =o  |
|       . @O+oE.. |
|        So/+   ..|
|         B==  . .|
|         .+.   . |
|                 |
|                 |
+----[SHA256]-----+
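
How the fingerprint line and the `RSA 3072` label in the output above follow from the contents of the .pub file, as an added example that is not part of the original post. The function names and the sample line are assumptions; the sample is a constructed RSA-shaped blob, not a usable key.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then data)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field data")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Parse one line of a .pub file: '<type> <base64 blob> [comment]'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, offset = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != parts[0]:
        raise ValueError("key type in blob does not match the text prefix")
    bits = None
    if parts[0] == "ssh-rsa":
        _e, offset = _read_string(blob, offset)  # public exponent
        n, offset = _read_string(blob, offset)   # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif parts[0] == "ssh-ed25519":
        key, offset = _read_string(blob, offset)
        bits = len(key) * 8
    # The fingerprint is the SHA-256 of the decoded blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": parts[0], "bits": bits, "fingerprint": fingerprint,
            "comment": parts[2] if len(parts) > 2 else ""}


def _field(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a usable key: an RSA-shaped blob with a 3072-bit modulus.
_n = ((1 << 3071) | 1).to_bytes(385, "big")  # leading zero byte keeps the mpint positive
_blob = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(_n)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_blob).decode() + " username@hostname"

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_LINE))
```

Comparing the fingerprint computed this way with the one ssh-keygen printed at generation time is a quick check that a public key file has not been swapped or altered.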

Options

For a more detailed reference, see ssh-keygen.1 in the Arch manual pages. For quick reference, the most commonly used options are listed below.

-t rsa | dsa | ecdsa | ed25519: key type, defaults to rsa as the most commonly used.

-b number: key size in bits, for rsa defaults to 3072, for other algorithms refer to ssh-keygen.1#b.

-C comment: typically used for the username, defaults to the current user (but it is still just a comment and doesn’t have to match any specific user id).

-f filename: output file name for the private key; the public key will have .pub appended to the filename.

-P passphrase: the passphrase for the private key. A passphrase given on the command line ends up in shell history and is visible in the process list, so leave the option out to be prompted instead.

© 2020 - 2024, Dennis Tretyakov