Linux & Mac & Bash Command Dictionary


ssh-keygen (Generating SSH Key Pairs)

ssh-keygen is a command used on Linux and macOS to generate an SSH key pair for authentication. You register the public key (e.g., id_ed25519.pub) on the server and keep the private key (id_ed25519) on your local machine, enabling secure, password-free connections. The ED25519 algorithm produces short keys, is fast, and offers strong security, making it the recommended choice for new key generation. Use RSA when compatibility with legacy systems is required. Generated keys are stored in the ~/.ssh/ directory, and public keys are managed through the authorized_keys file.

Syntax

# -----------------------------------------------
#  Generate an ED25519 key pair (recommended)
# -----------------------------------------------

# ssh-keygen -t ed25519 -C "{comment}"
#   -t ed25519  → Specifies ED25519 as the algorithm
#   -C          → Adds a comment to identify the key (commonly an email address or purpose)
#   → Prompts interactively for a file path and passphrase
#   Example: ssh-keygen -t ed25519 -C "tsunemori@mwpsb.go.jp"

# -----------------------------------------------
#  Generate an RSA key pair (legacy compatibility)
# -----------------------------------------------

# ssh-keygen -t rsa -b {bits} -C "{comment}"
#   -t rsa  → Specifies RSA as the algorithm
#   -b      → Specifies the key size in bits (minimum 2048, recommended 4096)
#   Example: ssh-keygen -t rsa -b 4096 -C "tsunemori@mwpsb.go.jp"

# -----------------------------------------------
#  Generate a key pair with a specified output file
# -----------------------------------------------

# ssh-keygen -t ed25519 -f {file path} -C "{comment}"
#   -f  → Specifies the output file path for the private key
#       → The public key is generated at the same path with a .pub extension
#   Example: ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_server_a -C "server_a"

# -----------------------------------------------
#  Change the passphrase
# -----------------------------------------------

# ssh-keygen -p -f {file path}
#   -p  → Changes the passphrase of an existing private key
#   Example: ssh-keygen -p -f ~/.ssh/id_ed25519

# -----------------------------------------------
#  Display the public key contents
# -----------------------------------------------

# ssh-keygen -y -f {private key file path}
#   -y  → Prints the public key corresponding to the private key to standard output
#   Example: ssh-keygen -y -f ~/.ssh/id_ed25519

# -----------------------------------------------
#  Display the key fingerprint
# -----------------------------------------------

# ssh-keygen -l -f {file path}
#   -l  → Displays the fingerprint (hash) of the key
#       → Accepts either a public key or private key path
#   -E sha256  → Specifies the hash format for the fingerprint (sha256 or md5)
#   Example: ssh-keygen -l -f ~/.ssh/id_ed25519.pub
#   Example: ssh-keygen -l -E sha256 -f ~/.ssh/id_ed25519.pub

Syntax reference

Operation | Command | Description
Generate an ED25519 key pair | ssh-keygen -t ed25519 -C "{comment}" | Generates a key pair using the recommended ED25519 algorithm. Keys are short, processing is fast, and security strength is high.
Generate an RSA key pair | ssh-keygen -t rsa -b 4096 -C "{comment}" | Generates a key pair using the RSA algorithm. Use this when compatibility with older systems is required.
Specify the output file | ssh-keygen -t ed25519 -f {file path} | Specifies where the private key is saved. Useful when managing multiple keys for different purposes.
Change the passphrase | ssh-keygen -p -f {private key path} | Changes the passphrase of an existing private key. Also used to set a new passphrase or remove one entirely.
Display the public key contents | ssh-keygen -y -f {private key path} | Regenerates and displays the public key from the private key. Use this when the public key file has been lost.
Display the fingerprint | ssh-keygen -l -f {key file path} | Displays the fingerprint of the key. Use this to verify that a key matches the one on the server.
Specify the hash format | ssh-keygen -l -E sha256 -f {key file path} | Displays the fingerprint using the specified hash format: SHA-256 or MD5.
Register the public key on a server | ssh-copy-id -i {public key path} {user}@{host} | Appends the public key to authorized_keys on the remote server. Commonly used together with ssh-keygen.

Examples

Generate an ED25519 key pair and register it on a server
# -----------------------------------------------
#  Generate a key pair and register the public key on a server
# -----------------------------------------------

# Create the ~/.ssh/ directory if it does not already exist
# Set the permissions to 700 (readable, writable, and executable by the owner only)
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Generate an ED25519 key pair
# Including an email address or purpose in the -C option makes the key easier to manage
ssh-keygen -t ed25519 -C "tsunemori@mwpsb.go.jp"

Running the command produces prompts and output like the following:

$ ssh-keygen -t ed25519 -C "tsunemori@mwpsb.go.jp"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/tsunemori/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase): (enter passphrase)
Enter same passphrase again: (enter again)
Your identification has been saved in /home/tsunemori/.ssh/id_ed25519
Your public key has been saved in /home/tsunemori/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:abcXYZ1234567890abcXYZ1234567890abcXYZ12345 tsunemori@mwpsb.go.jp
The key's randomart image is:
+--[ED25519 256]--+
|      .o+.       |
|     . =+o       |
|    . *oB .      |
+----[SHA256]-----+

Next, confirm the generated files and register the public key on the server:

# Check the generated key files
# Two files are created: id_ed25519 (private key) and id_ed25519.pub (public key)
ls -la ~/.ssh/

# Register the public key on the remote server
# After this, you can connect via SSH without entering a password
ssh-copy-id -i ~/.ssh/id_ed25519.pub tsunemori@192.168.1.10

Running the command produces output like the following:

$ ls -la ~/.ssh/
total 24
drwx------  2 tsunemori tsunemori 4096 Mar 25 10:00 .
drwxr-xr-x 20 tsunemori tsunemori 4096 Mar 25 09:55 ..
-rw-------  1 tsunemori tsunemori  419 Mar 25 10:00 id_ed25519
-rw-r--r--  1 tsunemori tsunemori  107 Mar 25 10:00 id_ed25519.pub

Managing multiple keys for different purposes
# -----------------------------------------------
#  Use separate keys for server A and GitHub
# -----------------------------------------------

# Generate a key for connecting to the surveillance camera server
# Using -f to specify the output path avoids overwriting an existing key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_sibyl -C "sibyl_system_server"

# Generate a key for GitHub
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_github -C "ginoza@mwpsb.go.jp"

# Add entries to ~/.ssh/config to map each host to its key
# This allows ssh to automatically select the correct key for each connection

The corresponding ~/.ssh/config entries:

# Example ~/.ssh/config
# Assign an alias to Host, and specify the private key with IdentityFile

# Connection settings for the Sibyl system server
Host sibyl
    HostName 192.168.1.20
    User ginoza
    IdentityFile ~/.ssh/id_ed25519_sibyl

# Connection settings for GitHub
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github

Connecting through the alias then looks like this:

$ ssh sibyl
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-51-generic x86_64)
ginoza@sibyl-server:~$

Verifying a key by checking its fingerprint
# -----------------------------------------------
#  Check the key fingerprint
# -----------------------------------------------

# Display the public key fingerprint in SHA-256 format
# Compare this against the fingerprint provided by the server administrator to verify the key
ssh-keygen -l -E sha256 -f ~/.ssh/id_ed25519.pub

Running the command produces output like the following:

$ ssh-keygen -l -E sha256 -f ~/.ssh/id_ed25519.pub
256 SHA256:abcXYZ1234567890abcXYZ1234567890abcXYZ12345 tsunemori@mwpsb.go.jp (ED25519)

If the public key file has been lost, it can be regenerated from the private key:

# If the public key file is lost, you can regenerate it from the private key
# Write the output to a .pub file to restore it
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub

# Verify the restored public key
cat ~/.ssh/id_ed25519.pub

Running the command produces output like the following:

$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbcXYZ1234567890abcXYZ1234567890abcXYZ tsunemori@mwpsb.go.jp
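Pulling together the generation step from the first example and the fingerprint and restore steps from this one, here is an added shell script (not the page's own code) that generates a throwaway ED25519 pair without prompts, proves that the .pub file belongs to the private key, and restores a deleted .pub from the private key. It assumes ssh-keygen is on PATH; the directory and the comment are constructed inputs supplied by the caller, and the file name keycheck.sh used in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the page): generate an ED25519 key pair without
# prompts in a throwaway directory, check that the .pub file really belongs
# to the private key, and restore a deleted .pub as the page describes.
# Assumes ssh-keygen is on PATH; DIR and COMMENT are constructed inputs.

# make_keypair DIR COMMENT -> writes DIR/id_ed25519 and DIR/id_ed25519.pub
make_keypair() {
    # -N "" sets an empty passphrase so nothing prompts (acceptable for a
    # throwaway key; keys you keep should get a real passphrase)
    # -q suppresses the banner and the randomart image
    ssh-keygen -q -t ed25519 -f "$1/id_ed25519" -N "" -C "$2"
}

# pub_matches_private PRIVKEY -> succeeds if PRIVKEY.pub holds the key derived from PRIVKEY
pub_matches_private() {
    # compare only the key type and base64 blob; the comment field may differ
    derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# fingerprint KEYFILE -> only the "SHA256:..." field of ssh-keygen -l
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | cut -d' ' -f2
}

# restore_pubkey PRIVKEY -> rebuilds PRIVKEY.pub from the private key (the lost-.pub case)
restore_pubkey() {
    ssh-keygen -y -f "$1" > "$1.pub"
}

# Stand-alone run: create a pair, check it, delete and restore the public
# half, and confirm the fingerprint did not change.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_keypair "$dir" "demo-key"
    pub_matches_private "$dir/id_ed25519" && echo "public key matches private key"
    before=$(fingerprint "$dir/id_ed25519.pub")
    rm "$dir/id_ed25519.pub"
    restore_pubkey "$dir/id_ed25519"
    after=$(fingerprint "$dir/id_ed25519.pub")
    [ "$before" = "$after" ] && echo "restored .pub has the same fingerprint: $after"
    rm -rf "$dir"
fi
```

Run it as sh keycheck.sh --demo. The fingerprint comparison is the useful check: the restored .pub carries no comment, so its text differs from the original file, but the fingerprint is computed from the key material alone and must be identical.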

Recommended permissions for ~/.ssh/
# -----------------------------------------------
#  Recommended permission settings for ~/.ssh/
# -----------------------------------------------

# Set the ~/.ssh/ directory itself to 700 (not visible to other users)
chmod 700 ~/.ssh

# Set private keys to 600 (readable and writable by the owner only)
# If the permissions are too loose, the SSH client will refuse to use the key
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519_sibyl

# Public keys can be set to 644 (their contents are public information)
chmod 644 ~/.ssh/id_ed25519.pub
chmod 644 ~/.ssh/id_ed25519_sibyl.pub

# Set the config file to 600
chmod 600 ~/.ssh/config

# Set authorized_keys to 600
# If other users have write permission, the SSH server will reject the connection
chmod 600 ~/.ssh/authorized_keys

# Verify the permissions after applying them
ls -la ~/.ssh/

Running the command produces output like the following:

$ ls -la ~/.ssh/
total 32
drwx------  2 tsunemori tsunemori 4096 Mar 25 10:30 .
drwxr-xr-x 20 tsunemori tsunemori 4096 Mar 25 09:55 ..
-rw-------  1 tsunemori tsunemori  600 Mar 25 10:30 authorized_keys
-rw-------  1 tsunemori tsunemori  300 Mar 25 10:20 config
-rw-------  1 tsunemori tsunemori  419 Mar 25 10:00 id_ed25519
-rw-r--r--  1 tsunemori tsunemori  107 Mar 25 10:00 id_ed25519.pub
-rw-------  1 tsunemori tsunemori  419 Mar 25 10:05 id_ed25519_sibyl
-rw-r--r--  1 tsunemori tsunemori  110 Mar 25 10:05 id_ed25519_sibyl.pub
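As an added example that is not part of the page, here is a small POSIX shell audit that checks a directory against the permission rules above and prints the number of entries that violate them: the directory must be 700, private keys, config and authorized_keys must be 600, and .pub files must not be group- or world-writable. It reads the mode string from ls -ld so it works with both GNU and BSD ls. Treating any non-.pub file whose first line mentions PRIVATE KEY as a private key is an assumption of this script, not something the page states, and the file name audit_ssh.sh in the usage note is also assumed.

```shell
#!/bin/sh
# Added example (not from the page): audit an SSH client directory against
# the permission rules above. Assumption: a non-.pub file whose first line
# mentions "PRIVATE KEY" is a private key; config and authorized_keys are
# matched by name.

# mode_of PATH -> the 10-character mode string, e.g. "-rw-------"
# (cut drops the ACL/xattr marker some ls versions append as an 11th character)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_mode PATH EXPECTED -> prints a finding and returns 1 on mismatch
check_mode() {
    actual=$(mode_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'BAD  %s is %s, expected %s\n' "$1" "$actual" "$2" >&2
        return 1
    fi
    return 0
}

# audit_ssh_dir DIR -> prints the number of entries with wrong permissions
audit_ssh_dir() {
    dir=$1
    bad=0
    # the directory itself must be 700 (drwx------)
    check_mode "$dir" "drwx------" || bad=$((bad + 1))
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *.pub)
                # public keys are public information, but nobody else may modify them:
                # position 6 is the group write bit, position 9 the world write bit
                m=$(mode_of "$f")
                case "$m" in
                    ?????w*|????????w?)
                        printf 'BAD  %s is %s, must not be group/world writable\n' "$f" "$m" >&2
                        bad=$((bad + 1)) ;;
                esac ;;
            config|authorized_keys)
                check_mode "$f" "-rw-------" || bad=$((bad + 1)) ;;
            *)
                # private keys: the SSH client refuses keys readable by others
                if head -n 1 "$f" | grep -q 'PRIVATE KEY'; then
                    check_mode "$f" "-rw-------" || bad=$((bad + 1))
                fi ;;
        esac
    done
    echo "$bad"
}

# Stand-alone run: audit the directory given on the command line
if [ "$#" -gt 0 ]; then
    n=$(audit_ssh_dir "$1")
    echo "$n entry(ies) with wrong permissions in $1"
fi
```

Run it as sh audit_ssh.sh ~/.ssh; each finding goes to standard error and the final count to standard output, so the count is easy to use in a script.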

Overview

ssh-keygen is a command that generates the key pair required for SSH public key authentication. It uses asymmetric cryptography: the private key is kept securely on your local machine, while only the public key is registered in ~/.ssh/authorized_keys on the server. For new keys, ED25519 is the currently recommended algorithm. Use RSA 4096-bit when compatibility with older systems is required. The passphrase encrypts the private key, significantly reducing the risk if the private key file is ever compromised. You can use ssh-agent to avoid re-entering the passphrase during a session. When connecting to multiple servers or services such as GitHub, the standard practice is to define IdentityFile entries in ~/.ssh/config to assign a specific key to each destination. For information on establishing SSH connections, see the ssh page.
