SSH key authentication is one of the most secure methods for connecting to remote servers. The ssh-keygen command is a fundamental Linux tool that generates SSH key pairs, providing a more secure alternative to password-based authentication. This comprehensive guide will walk you through everything you need to know about using ssh-keygen effectively.
What is ssh-keygen?
The ssh-keygen command is a standard utility included with OpenSSH that creates public and private key pairs for SSH authentication. These keys use cryptographic algorithms to establish secure connections without requiring passwords, making your remote access both more secure and convenient.
Key Components
- Private Key: Kept secret on your local machine
- Public Key: Shared with remote servers you want to access
- Passphrase: Optional additional security layer for your private key
Basic ssh-keygen Syntax
ssh-keygen [options]
The most basic command generates a default RSA key pair:
ssh-keygen
Example Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:K7tB2qY9X3mZ1vN8pL4sR6wE2qT5yU8iO9pA3sD7fG0 username@hostname
The key's randomart image is:
+---[RSA 3072]----+
| . |
| o . |
| . = . |
| . * + |
| . S = . |
| . o B + |
| = * B . |
| o.*.+ = |
| ..o=E=+. |
+----[SHA256]-----+
SSH Key Types and Algorithms
Different cryptographic algorithms offer varying levels of security and performance:
RSA Keys
# Generate RSA key (default 3072 bits)
ssh-keygen -t rsa
# Generate RSA key with specific bit length
ssh-keygen -t rsa -b 4096
ECDSA Keys
# Generate ECDSA key
ssh-keygen -t ecdsa
# Generate ECDSA key on the P-521 curve (-b accepts only 256, 384 or 521 for ECDSA)
ssh-keygen -t ecdsa -b 521
Ed25519 Keys (Recommended)
# Generate Ed25519 key (most secure and efficient)
ssh-keygen -t ed25519
Essential ssh-keygen Options
| Option | Description | Example |
|---|---|---|
| -t | Specify key type | ssh-keygen -t ed25519 |
| -b | Key length in bits | ssh-keygen -b 4096 |
| -f | Output filename | ssh-keygen -f ~/.ssh/my_key |
| -C | Comment (usually email) | ssh-keygen -C "[email protected]" |
| -N | Passphrase | ssh-keygen -N "mypassphrase" |
| -q | Quiet mode | ssh-keygen -q |
Step-by-Step Key Generation Examples
Example 1: Generate Ed25519 Key with Custom Name
ssh-keygen -t ed25519 -f ~/.ssh/production_server -C "[email protected]"
Output:
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): [enter your passphrase]
Enter same passphrase again: [confirm passphrase]
Your identification has been saved in /home/username/.ssh/production_server
Your public key has been saved in /home/username/.ssh/production_server.pub
The key fingerprint is:
SHA256:mH5tY8nP2qR7sK9vL3xW6zA1bC4dE5fG7hI8jK0mN9oP [email protected]
The key's randomart image is:
+--[ED25519 256]--+
| .+. |
| .o.o |
| . .= . |
| o+ = |
| ..oS + |
| . .=.+ . |
| + +*.o |
| . =.@++ |
| E.@*=+ |
+----[SHA256]-----+
Example 2: Generate RSA Key with Maximum Security
ssh-keygen -t rsa -b 4096 -f ~/.ssh/secure_rsa -C "[email protected]" -N "strongpassphrase123!"
Example 3: Generate Multiple Keys for Different Servers
# Development server key
ssh-keygen -t ed25519 -f ~/.ssh/dev_server -C "[email protected]"
# Production server key
ssh-keygen -t ed25519 -f ~/.ssh/prod_server -C "[email protected]"
# Database server key
ssh-keygen -t ed25519 -f ~/.ssh/db_server -C "[email protected]"
Interactive Key Generation Walkthrough
When you run ssh-keygen without the -N option, it will prompt you interactively:
$ ssh-keygen -t ed25519 -C "[email protected]"
Step 1: Choose file location
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519): [press Enter for default or type custom path]
Step 2: Enter passphrase
Enter passphrase (empty for no passphrase): [type secure passphrase or press Enter]
Step 3: Confirm passphrase
Enter same passphrase again: [confirm your passphrase]
Working with SSH Key Files
Default File Locations
- RSA: ~/.ssh/id_rsa (private), ~/.ssh/id_rsa.pub (public)
- ECDSA: ~/.ssh/id_ecdsa (private), ~/.ssh/id_ecdsa.pub (public)
- Ed25519: ~/.ssh/id_ed25519 (private), ~/.ssh/id_ed25519.pub (public)
Viewing Your Public Key
# Display public key content
cat ~/.ssh/id_ed25519.pub
# Example output:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG8... [email protected]
Checking Key Fingerprint
# Show fingerprint of existing key
ssh-keygen -lf ~/.ssh/id_ed25519.pub
# Output:
256 SHA256:mH5tY8nP2qR7sK9vL3xW6zA1bC4dE5fG7hI8jK0mN9oP [email protected] (ED25519)
Advanced ssh-keygen Features
Changing Key Passphrase
# Change passphrase of existing key
ssh-keygen -p -f ~/.ssh/id_ed25519
Converting Key Formats
# Rewrite the private key in PEM format (the older OpenSSL-style container) instead of
# the native OpenSSH format; -p re-encrypts the key in place, so it prompts for the
# current passphrase and a new one
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
Regenerating the Public Key from the Private Key
# Derive the public key from the private key (useful when the .pub file was lost)
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
Security Best Practices
Key Selection Guidelines
- Recommended: Ed25519 for new deployments (fastest, most secure)
- Alternative: RSA 4096-bit for legacy system compatibility
- Avoid: DSA keys (deprecated and insecure)
Passphrase Security
# Generate key with strong passphrase
# Note: a passphrase passed with -N ends up in your shell history and is visible in the
# process list while ssh-keygen runs; for keys you care about, omit -N and type it at the prompt
ssh-keygen -t ed25519 -C "[email protected]" -N "MyStr0ng!P@ssw0rd2024"
File Permissions
# Set correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
SSH Config for Multiple Keys
Create ~/.ssh/config to manage multiple keys:
# Development server
Host dev-server
    HostName dev.company.com
    User developer
    IdentityFile ~/.ssh/dev_server

# Production server
Host prod-server
    HostName prod.company.com
    User admin
    IdentityFile ~/.ssh/prod_server

# Database server
Host db-server
    HostName db.company.com
    User dbadmin
    IdentityFile ~/.ssh/db_server
Common ssh-keygen Commands
Quick Reference
# Generate default RSA key
ssh-keygen
# Generate Ed25519 key (recommended)
ssh-keygen -t ed25519
# Generate key with custom filename and comment
ssh-keygen -t ed25519 -f ~/.ssh/mykey -C "[email protected]"
# Generate key without passphrase (automated deployment)
ssh-keygen -t ed25519 -N "" -f ~/.ssh/automation_key
# Check key fingerprint
ssh-keygen -lf ~/.ssh/id_ed25519.pub
# Change key passphrase
ssh-keygen -p -f ~/.ssh/id_ed25519
Troubleshooting Common Issues
Permission Denied Errors
# Fix SSH directory permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/*.pub
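The File Permissions section and this troubleshooting step both apply a fixed set of modes. The script below is an added example (mine, not the article's) that checks them instead: check_ssh_perms walks an .ssh directory and reports every entry looser than the article's rule, namely no group/other access on the directory and on anything that is not a *.pub file, and no group/other write access on *.pub files, returning non-zero when something needs fixing. It assumes GNU stat (-c '%a'); the function name and messages are my own.

```shell
#!/bin/sh
# check_ssh_perms.sh (added example, not from the article)
# Usage: . ./check_ssh_perms.sh && check_ssh_perms ~/.ssh
# Assumes GNU stat. Exit status 0 = all modes acceptable, 1 = problems printed, 2 = dir missing.
check_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    problems=0
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "$dir: not found"; return 2; }
    # Last two octal digits of the mode are the group and other permission bits.
    go=${mode#"${mode%??}"}
    if [ "$go" != 00 ]; then
        echo "$dir: mode $mode, group/other must have no access (chmod 700 $dir)"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        go=${mode#"${mode%??}"}
        case "$f" in
            *.pub)
                # Public keys may be world-readable but never group/other-writable:
                # each digit must lack the write bit (2), i.e. be one of 0, 1, 4, 5.
                case "$go" in
                    [0145][0145]) ;;
                    *) echo "$f: mode $mode, must not be writable by group/other (chmod 644 $f)"
                       problems=$((problems + 1)) ;;
                esac ;;
            *)
                # Private keys (and, by the article's rule, everything else here) are owner-only;
                # ssh itself refuses a private key that group or others can read.
                if [ "$go" != 00 ]; then
                    echo "$f: mode $mode, must be owner-only (chmod 600 $f)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done
    [ "$problems" -eq 0 ]
}
```

Run it before and after the chmod lines above; a clean run prints nothing and exits 0, which makes it usable as a pre-flight check in a login script or a configuration-management hook.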
Key Already Exists
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
/home/username/.ssh/id_ed25519 already exists.
Overwrite (y/n)? n
Answer n and rerun with -f pointing at a different filename. Answering y replaces the existing key pair, and any server that only trusts the old public key will stop accepting you.
Checking SSH Agent
# List loaded keys
ssh-add -l
# Add key to agent
ssh-add ~/.ssh/id_ed25519
Batch Key Generation Script
For generating multiple keys programmatically:
#!/bin/bash
# batch_keygen.sh: one Ed25519 key per server, without a passphrase (as in the
# "automated deployment" command above), so protect the files with 600 permissions
set -eu
SERVERS=("web" "db" "api" "cache")
EMAIL="[email protected]"
mkdir -p -m 700 "$HOME/.ssh"
for server in "${SERVERS[@]}"; do
    key="$HOME/.ssh/${server}_server"
    if [[ -e "$key" ]]; then
        echo "Skipping $server: $key already exists"   # never overwrite a key silently
        continue
    fi
    echo "Generating key for $server server..."
    ssh-keygen -q -t ed25519 -f "$key" -C "$EMAIL" -N ""
    echo "Generated $key"
done
Key Management Best Practices
- Rotate Keys Regularly: Generate new keys every 1-2 years
- Use Strong Passphrases: Minimum 15 characters with mixed case, numbers, and symbols
- Backup Keys Securely: Store private keys in encrypted backup solutions
- Unique Keys per Service: Don’t reuse the same key across multiple servers
- Monitor Key Usage: Regularly audit authorized_keys files
- Remove Unused Keys: Clean up old keys from servers when no longer needed
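The "Monitor Key Usage" item above says to audit authorized_keys regularly; the script below is an added example (mine, not the article's) of what such an audit can check with nothing but coreutils. Each entry's base64 blob is a sequence of length-prefixed fields, the first being the key type, so the script verifies that the type declared on the line matches the one inside the blob, flags deprecated ssh-dss keys and RSA keys whose modulus is under 2048 bits (my threshold, an assumption), and marks entries that carry no from=, command= or restrict option. The fixture written by make_sample_authorized_keys is constructed: the blobs are hand-built wire structures with zero-filled key material, not real keys. Function names are my own.

```shell
#!/bin/sh
# audit_authorized_keys.sh (added example, not from the article)
# Usage: . ./audit_authorized_keys.sh && audit_authorized_keys ~/.ssh/authorized_keys
# Prints "STATUS restricted|unrestricted entry N: TYPE COMMENT" per key; exit 1 if any flagged.

# Big-endian 32-bit integer at byte offset $2 of the decoded blob stored in file $1
# (prints 0 if the blob is too short).
blob_u32() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1 |
        awk '{ v = (($1 * 256 + $2) * 256 + $3) * 256 + $4 } END { print v + 0 }'
}

# Key type string embedded in the blob: the first length-prefixed field.
blob_type() {
    dd if="$1" bs=1 skip=4 count="$(blob_u32 "$1" 0)" 2>/dev/null
}

# Approximate RSA modulus size in bits: skip the type string and the exponent e, read the
# length of the mpint n, and discard the leading 0x00 byte that mpint encoding adds.
rsa_bits() {
    off=$((4 + $(blob_u32 "$1" 0)))
    off=$((off + 4 + $(blob_u32 "$1" "$off")))
    nlen=$(blob_u32 "$1" "$off")
    first=$(dd if="$1" bs=1 skip=$((off + 4)) count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    if [ "$first" = 0 ]; then nlen=$((nlen - 1)); fi
    echo $((nlen * 8))
}

audit_authorized_keys() {
    file=$1; n=0; bad=0
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        n=$((n + 1))
        # Everything before the first ssh-*/ecdsa-*/sk-* token is the options field.
        set -f; set -- $line; set +f
        opts=""
        while [ $# -gt 0 ]; do
            case "$1" in ssh-*|ecdsa-*|sk-*) break ;; esac
            opts="$opts $1"; shift
        done
        if [ $# -lt 2 ]; then
            echo "MALFORMED entry $n: no key type and blob found"; bad=1; continue
        fi
        type=$1; blob=$2; shift 2; comment=$*
        if ! printf '%s' "$blob" | base64 -d > "$tmp" 2>/dev/null; then
            echo "MALFORMED entry $n: blob is not valid base64"; bad=1; continue
        fi
        status=OK
        embedded=$(blob_type "$tmp")
        if [ "$embedded" != "$type" ]; then
            status="MISMATCH(blob says $embedded)"; bad=1
        elif [ "$type" = ssh-dss ]; then
            status="WEAK(ssh-dss deprecated)"; bad=1
        elif [ "$type" = ssh-rsa ]; then
            bits=$(rsa_bits "$tmp")
            if [ "$bits" -lt 2048 ]; then status="WEAK(rsa $bits bits)"; bad=1; fi
        fi
        case "$opts" in
            *from=*|*command=*|*restrict*) restr=restricted ;;
            *) restr=unrestricted ;;
        esac
        echo "$status $restr entry $n: $type $comment"
    done < "$file"
    rm -f "$tmp"
    return $bad
}

# Constructed fixture: hand-built length-prefixed SSH wire structures, NOT real keys
# (the ed25519 "key" is 32 '0' characters, the RSA "modulus" is a leading NUL plus 128 '0's,
# the ssh-dss blob stops after the type string). Written to the file named in $1.
make_sample_authorized_keys() {
    ed=$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 | base64 | tr -d '\n')
    dss=$(printf '\000\000\000\007ssh-dss' | base64 | tr -d '\n')
    rsa=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\201\000%0128d' 0 |
          base64 | tr -d '\n')
    {
        echo '# constructed fixture, not real keys'
        echo "ssh-ed25519 $ed alice@laptop"
        echo
        echo "ssh-dss $dss old@host"
        echo "ssh-rsa $rsa legacy@host"
        echo "from=\"10.0.0.0/8\",command=\"/usr/bin/backup\" ssh-rsa $ed backup@host"
    } > "$1"
}
```

On the fixture the audit reports the ed25519 entry as OK but unrestricted, the ssh-dss and 1024-bit RSA entries as WEAK, and the last entry as a MISMATCH because the blob it carries is the ed25519 one. The unrestricted marker is informational only; it is worth reviewing because a key with a from= or command= option limits what a stolen private key can do on that server.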
Conclusion
The ssh-keygen command is an essential tool for Linux system administrators and developers. By understanding its various options and following security best practices, you can establish robust, secure SSH connections to your remote systems. Remember to use Ed25519 keys for new deployments, implement strong passphrases, and maintain proper file permissions for maximum security.
Regular practice with these commands and techniques will make SSH key management second nature, significantly improving your system security posture while streamlining your remote access workflow.