Private and public RSA keys can be generated on Unix based systems (such as Linux and FreeBSD) to provide greater security when logging into a server using SSH. The
ssh-keygen command allows you to generate, manage and convert these authentication keys.
Refer also to the Logging into an SSH Server Using PuTTY article for more information about how to use RSA and DSA keys with PuTTY on Windows, if you are connecting to an SSH server with Windows.
Create a new RSA keyfile
To create a new key it’s as simple as entering the following command, where the
-t flag is used to specify the type of key to be generated (replace firstname.lastname@example.org with your actual email address, and this will get added to the public file – it can be any comment you want, but having the email address makes sense to identify who it is when adding it to authorized_key files):
ssh-keygen -t rsa -b 4096 -C "email@example.com"
After entering the above command you will be prompted for the location to save the file. By default this will be
~/.ssh/id_rsa. Just hit the enter key to save it to the default location, or specify a different name.
You will then be prompted for a passphrase. Type this in and hit the enter key; you will then be prompted to re-enter to confirm. After doing so, two files will be created: the private keyfile is the name specified (by default
id_rsa) and the public one the same but with a
You can also specify the filename on the command line with the
-f flag like so:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org" -f /path/to/my_rsa
Purpose of the passphrase
When creating a new RSA key, you can choose to leave the passphrase blank by simply hitting the enter key twice when prompted to enter one. This will allow you to log into an SSH server without entering a passphrase.
For heightened security you should always save a passphrase; when you log into the SSH server using your private keyfile you will be prompted to enter the passphrase. Without one, if someone were to get hold of your private keyfile they would be able to log into the SSH server without any further validation.