Generate SSH Keys Online

By Anish Nath - Security Engineer & Cryptography Expert | Last Updated: January 23, 2025 | 4.7/5 (892 reviews)
Privacy-First No Data Stored 100% Free
SSH Key Configuration
Fixed 256-bit (≈ 3072-bit RSA)
Encrypts private key
Generated Keys

Your SSH keys will appear here

Select algorithm, key size, and click "Generate SSH Keys"

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users
200+ tools
100% private
One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 Stay updated Follow @anish2good
Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

SSH Key Management Guide

Quick Start: Command-Line Examples
Generate ED25519 SSH Key (Recommended) 
# Generate ED25519 key with comment
ssh-keygen -t ed25519 -C "[email protected]"

# Generate with custom filename
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_work -C "[email protected]"

# Generate with passphrase (recommended)
ssh-keygen -t ed25519 -C "[email protected]" -N "your-passphrase"

# Display public key
cat ~/.ssh/id_ed25519.pub

# Display fingerprint
ssh-keygen -lf ~/.ssh/id_ed25519.pub
# Output: 256 SHA256:ABC123... [email protected] (ED25519)
Why ED25519? Offers 128-bit security level (equivalent to RSA 3072-bit), faster operations, smaller keys (256 bits), and resistance to timing attacks. Supported since OpenSSH 6.5 (2014).
Generate RSA SSH Key 
# Generate RSA 4096-bit key (recommended size)
ssh-keygen -t rsa -b 4096 -C "[email protected]"

# Generate RSA 2048-bit key (minimum acceptable)
ssh-keygen -t rsa -b 2048 -C "[email protected]"

# Extract public key from private key
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

# Convert to PEM format (for use with openssl)
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

# Display key fingerprint
ssh-keygen -lf ~/.ssh/id_rsa.pub
# Output: 4096 SHA256:XYZ789... [email protected] (RSA)

# Extract public key using openssl
openssl rsa -in ~/.ssh/id_rsa -pubout -out public_key.pem
RSA Key Sizes: Use 2048-bit minimum (112-bit security), 4096-bit recommended for long-term security (140-bit security). Larger keys = slower operations but higher security.
Generate ECDSA SSH Key 
# Generate ECDSA P-521 key (highest security)
ssh-keygen -t ecdsa -b 521 -C "[email protected]"

# Generate ECDSA P-384 key
ssh-keygen -t ecdsa -b 384 -C "[email protected]"

# Generate ECDSA P-256 key (most common)
ssh-keygen -t ecdsa -b 256 -C "[email protected]"

# Display fingerprint
ssh-keygen -lf ~/.ssh/id_ecdsa.pub
# Output: 521 SHA256:DEF456... [email protected] (ECDSA)
Note: ECDSA uses NIST curves which have received scrutiny. ED25519 is generally preferred over ECDSA for new deployments due to its simpler design and proven security.
Format Conversion Commands 
# Convert OpenSSH private key to PEM format
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

# Convert PEM private key to OpenSSH format
ssh-keygen -p -m RFC4716 -f ~/.ssh/id_rsa.pem

# Extract public key from X.509 certificate
openssl x509 -in cert.pem -noout -pubkey > pubkey.pem

# Convert X.509 public key to SSH format
ssh-keygen -i -m PKCS8 -f pubkey.pem

# Convert SSH public key to PEM format (RSA only)
ssh-keygen -e -m PEM -f ~/.ssh/id_rsa.pub > id_rsa_pub.pem

# Import PEM public key to SSH format
ssh-keygen -i -m PEM -f id_rsa_pub.pem

# Convert PuTTY .ppk to OpenSSH format (Linux/Mac with puttygen)
puttygen key.ppk -O private-openssh -o id_rsa

# Convert OpenSSH to PuTTY .ppk format
puttygen id_rsa -o key.ppk -O private
Formats: OpenSSH (default, "-----BEGIN OPENSSH PRIVATE KEY-----"), PEM (legacy, "-----BEGIN RSA PRIVATE KEY-----"), PKCS8 (Java compatible, "-----BEGIN PRIVATE KEY-----"), RFC4716 (SSH2 public key format).
Deploy SSH Keys to Servers 
# Copy public key to remote server (easiest method)
ssh-copy-id user@hostname

# Copy specific key to remote server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@hostname

# Copy to server running on custom port
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@hostname

# Manual method (if ssh-copy-id not available)
cat ~/.ssh/id_ed25519.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

# Set correct permissions on remote server
ssh user@hostname "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

# Test SSH connection with specific key
ssh -i ~/.ssh/id_ed25519 user@hostname

# Add key to ssh-agent (avoid repeated passphrase entry)
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

# List keys in ssh-agent
ssh-add -l

# Remove all keys from ssh-agent
ssh-add -D
Security Best Practices: Always use passphrases, set restrictive permissions (private key: 600, .ssh directory: 700), use ssh-agent for convenience, rotate keys periodically, and disable password authentication after setting up key-based auth.

SSH & OpenSSH Best Practices

Essential information about SSH keys, OpenSSH configuration, and secure key management.

OpenSSH Command Line

Generate SSH Keys with ssh-keygen
# Generate ED25519 key (recommended)
ssh-keygen -t ed25519 -C "[email protected]"

# Generate RSA 4096-bit key
ssh-keygen -t rsa -b 4096 -C "[email protected]"

# Generate ECDSA P-256 key
ssh-keygen -t ecdsa -b 256 -C "[email protected]"

# Generate key with custom filename
ssh-keygen -t ed25519 -f ~/.ssh/custom_key

# Generate key with passphrase protection
ssh-keygen -t ed25519 -N "your_passphrase"
Key Management Commands
# Copy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@hostname

# Display key fingerprint
ssh-keygen -lf ~/.ssh/id_ed25519.pub

# Change key passphrase
ssh-keygen -p -f ~/.ssh/id_ed25519

# Convert OpenSSH to PEM format
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

# Test SSH connection
ssh -T [email protected]

SSH Client Configuration

~/.ssh/config Example
# GitHub configuration
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Production server
Host prod-server
    HostName 192.168.1.100
    User admin
    Port 22
    IdentityFile ~/.ssh/prod_key
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Jump host / Bastion
Host internal-server
    HostName 10.0.0.50
    User developer
    ProxyJump bastion.example.com
    IdentityFile ~/.ssh/id_ed25519

# Global defaults
Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
SSH Agent Commands
# Start ssh-agent
eval "$(ssh-agent -s)"

# Add key to agent
ssh-add ~/.ssh/id_ed25519

# List loaded keys
ssh-add -l

# Remove all keys from agent
ssh-add -D

OpenSSH Server Configuration (/etc/ssh/sshd_config)

Security Hardening
# Disable password authentication
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

# Only allow public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Disable root login
PermitRootLogin no

# Only allow specific users/groups
AllowUsers admin developer
AllowGroups sshusers

# Strong key exchange algorithms (ED25519/RSA)
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# Modern ciphers only
Ciphers [email protected],[email protected]

# Modern MACs
MACs [email protected],[email protected]
Additional Security
# Change default port (security through obscurity)
Port 2222

# Limit authentication attempts
MaxAuthTries 3
MaxSessions 5

# Connection timeout settings
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60

# Disable empty passwords
PermitEmptyPasswords no

# Disable X11 forwarding if not needed
X11Forwarding no

# Log more information
LogLevel VERBOSE

# Restrict to IPv4 or IPv6
AddressFamily inet  # or inet6

# Apply config and restart
# sudo systemctl restart sshd
Important: Always test SSH configuration changes before logging out. Keep an active session open to revert changes if needed. Use sshd -t to test configuration syntax.

Official SSH & OpenSSH Resources

Official Documentation
RFC Standards
Security Guides

SSH Quick Reference

Default SSH port: 22
Config location (client): ~/.ssh/config
Config location (server): /etc/ssh/sshd_config
Authorized keys: ~/.ssh/authorized_keys
Key permissions: 600 (private), 644 (public)
~/.ssh directory: 700
Test config syntax: sshd -t
Reload SSH daemon: systemctl reload sshd

SSH Key Algorithm Comparison

Algorithm Key Size Security Level Performance Key Size (bytes) OpenSSH Support Recommendation
ED25519 256-bit (fixed) 128-bit (≈ RSA 3072) Excellent 68 bytes (pub) / 128 bytes (priv) 6.5+ (2014) Highly Recommended Best choice for new deployments
RSA 4096 4096-bit 140-bit Moderate ~800 bytes (pub) / ~3200 bytes (priv) All versions Recommended Good for compatibility and long-term security
RSA 2048 2048-bit 112-bit Good ~400 bytes (pub) / ~1600 bytes (priv) All versions Acceptable Minimum acceptable for current use
ECDSA P-521 521-bit 256-bit Very Good ~170 bytes (pub) / ~350 bytes (priv) 5.7+ (2011) Alternative Good, but ED25519 preferred
ECDSA P-384 384-bit 192-bit Very Good ~120 bytes (pub) / ~240 bytes (priv) 5.7+ (2011) Alternative Balanced option
ECDSA P-256 256-bit 128-bit Very Good ~90 bytes (pub) / ~180 bytes (priv) 5.7+ (2011) Alternative Widely supported
RSA 1024 1024-bit 80-bit Fast ~200 bytes (pub) / ~800 bytes (priv) All versions Not Recommended Insufficient security
DSA 1024-bit (max) 80-bit Good ~400 bytes Disabled 7.0+ (2015) Deprecated Do not use for new keys
Security Recommendations (2025)
  1. First Choice: Use ED25519 for all new SSH keys unless you have specific compatibility requirements.
  2. Legacy Systems: Use RSA 4096-bit if ED25519 is not supported.
  3. Always use passphrases: Protect private keys with strong passphrases (20+ characters).
  4. Avoid DSA and RSA 1024-bit: These algorithms provide insufficient security by modern standards.
  5. ECDSA considerations: While secure, ECDSA uses NIST curves that have received scrutiny. ED25519 (Curve25519) is preferred.
  6. Key rotation: Rotate SSH keys periodically (every 1-2 years for high-security environments).
  7. Store keys securely: Set proper permissions (chmod 600 for private keys, chmod 700 for ~/.ssh directory).

About This Tool & Author

Expert-Maintained Cryptography Tool

This SSH key generator is developed and maintained by Anish Nath ( @anish2good), a Security Engineer and Cryptography Expert with extensive experience in network security and cryptographic implementations. The tool has been serving the developer and DevOps community since 2018, with over 892 verified reviews averaging 4.7/5 stars.

Security & Privacy Commitment

  • No Data Collection: Your SSH keys are generated and displayed only in your browser. Nothing is stored on our servers.
  • Industry Standards: Uses proven cryptographic libraries implementing RFC 4253, RFC 5656, and RFC 8709 standards.
  • Regular Updates: Tool is actively maintained with security best practices and algorithm recommendations updated regularly.
  • Open Source Standards: Compatible with OpenSSH, PuTTY, Git, GitHub, GitLab, AWS, Azure, and all major SSH implementations.

Version History

  • v2.0 (Jan 2025): Added ED25519 as default, modernized UI, enhanced security features
  • v1.5 (2020): Added ECDSA support, improved key size options
  • v1.0 (2018): Initial release with RSA and DSA support
Official SSH Resources

Learn more about SSH keys and secure authentication:

Community

Over 500,000 developers use 8gwifi.org tools monthly

Follow @anish2good on Twitter

Trust Signals
  • 7+ years of service
  • 892 verified reviews
  • Active maintenance
  • Privacy-first approach
Quick Access