How to Generate SSH Keys on Linux with ssh-keygen

Secure Shell (SSH) is a network protocol for creating a secure connection between a client and a server. With SSH, you can run commands on remote machines, create tunnels, forward ports, and more.

SSH provides multiple authentication mechanisms. The two most common authentication methods are password-based and public-key-based. Public-key authentication is more secure and convenient than traditional password authentication.

This guide shows you how to create SSH keys on Linux, copy them to remote servers, and set up passwordless SSH login.

Quick Reference

Command                       Description
ssh-keygen -t ed25519         Generate Ed25519 key pair
ssh-keygen -t rsa -b 4096     Generate RSA key pair
ssh-copy-id user@host         Copy public key to server
ssh-add ~/.ssh/id_ed25519     Add key to SSH agent
ssh-add -l                    List keys in agent
ssh-add -D                    Remove all keys from the agent
cat ~/.ssh/id_ed25519.pub     Display public key

Prerequisites

Before you begin, make sure you have:

  • A Linux system with an SSH client installed (included by default on most distributions)
  • Access to a remote server you want to connect to

Check for Existing SSH Keys

Before generating a new key pair, check if you already have SSH keys on your system:

Terminal
ls -l ~/.ssh/id_*.pub

If you see files like id_rsa.pub or id_ed25519.pub, you already have SSH keys. You can either use the existing keys or generate new ones. Generating a new key pair with the same name will overwrite the old one.

If the command returns No such file or directory, you don’t have SSH keys and may proceed with generating a new pair.

Generate an SSH Key Pair

The ssh-keygen command creates a new SSH key pair. You can choose between different key types:

  • Ed25519 (recommended) - Modern, secure, and fast
  • RSA - Widely compatible, use 4096 bits for security

Ed25519 keys are shorter, faster, and considered more secure than RSA keys:

Terminal
ssh-keygen -t ed25519 -C "your_email@example.com"

Generate an RSA Key

If you need compatibility with legacy systems that don’t support Ed25519, use RSA with 4096 bits:

Terminal
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

The -C flag adds a comment (usually your email) to help identify the key.

Key Generation Process

After running the command, you’ll be prompted to specify the file location:

output
Enter file in which to save the key (/home/username/.ssh/id_ed25519):

Press Enter to accept the default location, or specify a custom path.

Next, you’ll be prompted to enter a passphrase:

output
Enter passphrase (empty for no passphrase):

A passphrase adds another layer of security. If someone gets your private key, they’ll still need the passphrase to use it. Keep in mind, you’ll have to enter the passphrase each time you use the key unless you use an SSH agent.

Press Enter for no passphrase, or type a secure passphrase and confirm it.

The output will look similar to this:

output
Your identification has been saved in /home/username/.ssh/id_ed25519
Your public key has been saved in /home/username/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:AbCdEf1234567890AbCdEf1234567890AbCdEf12 your_email@example.com

The command creates two files:

  • ~/.ssh/id_ed25519 - Your private key (keep this secret)
  • ~/.ssh/id_ed25519.pub - Your public key (safe to share)

Copy the Public Key to the Remote Server

To use SSH key authentication, you need to copy your public key to the remote server.

The easiest way is to use the ssh-copy-id command:

Terminal
ssh-copy-id username@server_ip

You’ll be prompted for the remote user’s password:

output
username@server_ip's password:

After entering the password, your public key will be added to the remote server’s ~/.ssh/authorized_keys file:

output
Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'username@server_ip'"
and check to make sure that only the key(s) you wanted were added.

Manual Method

If ssh-copy-id is not available, you can copy the key manually:

Terminal
cat ~/.ssh/id_ed25519.pub | ssh username@server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

This command:

  1. Reads your public key
  2. Connects to the remote server
  3. Creates the .ssh directory if it doesn’t exist
  4. Appends the key to the authorized_keys file
  5. Sets the correct permissions

Test SSH Key Authentication

After copying your public key, check the connection:

Terminal
ssh username@server_ip

If everything is set up correctly, you’ll be logged in without being prompted for a password. If you set a passphrase for your key, you’ll be asked to enter it.

Using the SSH Agent

If you set a passphrase on your key, entering it for every connection can be tedious. The SSH agent stores your decrypted private key in memory, so you only need to enter the passphrase once per session.

Start the SSH agent:

Terminal
eval "$(ssh-agent -s)"

output
Agent pid 12345

Add your private key to the agent:

Terminal
ssh-add ~/.ssh/id_ed25519

You’ll be prompted for your passphrase. After entering it, subsequent SSH connections will use the cached key without asking for the passphrase again.

To list keys currently loaded in the agent:

Terminal
ssh-add -l

Managing SSH Keys

View Your Public Key

To display your public key (useful for adding to services like GitHub):

Terminal
cat ~/.ssh/id_ed25519.pub

List All Keys

To see all key files in your SSH directory:

Terminal
ls -la ~/.ssh/

Remove a Key from the Agent

To remove a specific key from the SSH agent:

Terminal
ssh-add -d ~/.ssh/id_ed25519

To remove all keys from the agent:

Terminal
ssh-add -D

Delete a Key Pair

To permanently delete a key pair, remove both the private and public key files:

Terminal
rm ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub

Disable Password Authentication (Optional)

For better security, you can disable password authentication on your server after setting up SSH keys.

Warning
Before disabling password authentication, make sure you can log in with your SSH key. Otherwise, you may lock yourself out of the server.

Connect to your server and edit the SSH configuration file:

Terminal
sudo nano /etc/ssh/sshd_config

Find and modify the following settings:

/etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Save the file and restart the SSH service:

Terminal
# Debian/Ubuntu
sudo systemctl restart ssh

# CentOS/RHEL/Fedora
sudo systemctl restart sshd
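
The edit only matters if it is what sshd actually resolves: sshd keeps the first value it obtains for each keyword, so an Include'd drop-in file can override a line in sshd_config. The following is an added example, not part of the original guide; it audits the effective settings printed by sshd -T, and the function name check_lockdown and the sample text are constructed for illustration.

```shell
# Added example: check_lockdown is a hypothetical helper name.
# Reads `sshd -T` output on stdin; exit status 0 means key-only login.
check_lockdown() {
    awk '
    function need(key, want) {
        if (!(key in val)) { print "FAIL " key " missing from input"; return 1 }
        if (val[key] != want) {
            print "FAIL " key " is " val[key] ", want " want
            return 1
        }
        print "ok   " key " " want
        return 0
    }
    NF >= 2 { val[tolower($1)] = tolower($2) }
    END {
        bad  = need("pubkeyauthentication", "yes")
        bad += need("passwordauthentication", "no")
        # Keyboard-interactive can still prompt for a password through PAM.
        # ChallengeResponseAuthentication is the older name for the same
        # setting, so check whichever keys the installed sshd prints.
        split("kbdinteractiveauthentication challengeresponseauthentication", keys, " ")
        seen = 0
        for (i = 1; i <= 2; i++) {
            if (keys[i] in val) { seen = 1; bad += need(keys[i], "no") }
        }
        if (!seen) { print "FAIL no keyboard-interactive setting in input"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample (not real server output): the effective configuration
# still allows passwords even though sshd_config was edited.
sample='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes'

printf '%s\n' "$sample" | check_lockdown || echo "password logins are still possible"

# On the server itself: sudo sshd -T | check_lockdown
```

Run sudo sshd -t first to catch syntax errors, and keep your current session open until a second key-based login succeeds.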

Troubleshooting

Permission Denied (publickey)

If you see this error, check the following:

  1. Verify the public key is in the remote server’s ~/.ssh/authorized_keys:

    Terminal
    cat ~/.ssh/authorized_keys
  2. Check permissions on the remote server:

    Terminal
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
  3. Ensure the private key has correct permissions locally:

    Terminal
    chmod 600 ~/.ssh/id_ed25519
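
The permission checks above, as an added example that is not part of the original guide: it flags the mode bits that make sshd (with StrictModes enabled, the default) ignore authorized_keys and the ones that make the ssh client refuse a private key. The function name audit_ssh_perms is hypothetical, and it assumes a stat that supports -c, as on Linux.

```shell
# Added example: audit_ssh_perms is a hypothetical helper name.
# Argument: a home directory (defaults to $HOME). Returns 1 on any finding.
audit_ssh_perms() {
    home=${1:-$HOME}
    rc=0

    # sshd with StrictModes: the home directory, ~/.ssh and authorized_keys
    # must not be writable by group or others, or the key file is ignored.
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $f (mode $mode) is writable by group or others"
            rc=1
        fi
    done

    # ssh client: a private key must not be accessible to group or others.
    for f in "$home"/.ssh/id_*; do
        case $f in *.pub) continue ;; esac
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $f (mode $mode) is accessible to group or others"
            rc=1
        fi
    done

    return $rc
}

# Usage: run "audit_ssh_perms" on the client for the private key check and
# on the server, as the login user, for the authorized_keys path.
```

A group-writable home directory is a common cause of this error that chmod on ~/.ssh alone does not fix.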

SSH Agent Not Running

If you get an error about the agent, start it with:

Terminal
eval "$(ssh-agent -s)"

Wrong Key Being Used

To specify which key to use for a connection:

Terminal
ssh -i ~/.ssh/my_custom_key username@server_ip

For permanent configuration, add an entry to ~/.ssh/config:

~/.ssh/config
Host myserver
    HostName server_ip
    User username
    IdentityFile ~/.ssh/my_custom_key

Then connect using:

Terminal
ssh myserver

Conclusion

You’ve learned how to create SSH keys on Linux, copy them to remote servers, and set up passwordless login. SSH keys are safer than passwords and make connecting to remote servers easier.

To keep your SSH connections organized, check out our guide on using the SSH config file. You can also change the default SSH port for extra security.

If you have questions or feedback, feel free to leave a comment.

About the authors

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.