ssh-keygen(1)
Generate, manage, and convert SSH public and private key pairs for authentication.
Synopsis
ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] [-N new_passphrase] [-C comment] [-f output_keyfile]Description
ssh-keygen generates SSH key pairs for public key authentication. It creates a private key (kept secret) and a public key (shared with servers). The tool also manages key conversion, fingerprints, and can change passphrases on existing keys.
By default, keys are stored in ~/.ssh/ with restricted permissions. The private key is typically encrypted with a passphrase for added security. Ed25519 is the modern default; RSA remains widely compatible.
Common options
| Flag | What it does |
|---|---|
-t | Key type: rsa, dsa, ecdsa, or ed25519 (ed25519 is recommended) |
-b | Number of bits in the key (e.g., 4096 for RSA; ignored for ed25519) |
-f | Output keyfile path (default: ~/.ssh/id_[type]) |
-N | Passphrase for the private key (empty string for no passphrase) |
-C | Comment string added to the public key (usually an email) |
-p | Change passphrase of an existing private key |
-l | Show fingerprint of a public or private key |
-v | Verbose; print key randomart (visual fingerprint) |
-e | Export public key in OpenSSH format (with -f) |
-m | Specify key format: pem, pkcs8, or rfc4716 |
-q | Quiet; suppress progress messages |
-R | Remove a host key from known_hosts file |
Examples
Generate a modern Ed25519 key pair with an email comment; prompts for output location and passphrase
ssh-keygen -t ed25519 -C '[email protected]'Create a 4096-bit RSA key at ~/.ssh/id_rsa_work with no passphrase (not recommended for security)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_work -N ''Change the passphrase on an existing Ed25519 private key
ssh-keygen -p -f ~/.ssh/id_ed25519Display the fingerprint (hash) of a public key
ssh-keygen -l -f ~/.ssh/id_ed25519.pubShow fingerprint with ASCII art visualization of the key
ssh-keygen -v -l -f ~/.ssh/id_ed25519.pubRemove github.com from ~/.ssh/known_hosts (useful after server key changes)
ssh-keygen -R github.comExport an RSA public key in PEM format for non-OpenSSH tools
ssh-keygen -e -m pem -f ~/.ssh/id_rsa.pubNon-interactively generate a key with a specified passphrase (quiet mode)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N 'passphrase123'