Generate an SSH Key Pair: Survival Guide

How do I generate an SSH key pair? Where do I store it and how do I manage it? What is the difference between a public key and a private key?

If these are questions that nag at you or have been wandering through your mind, have no fear: we'll tackle them all and leave you with a clear path forward, with quick steps to generate your very own SSH keys in a few minutes or less.

What is an SSH Key?

An SSH key is what allows us to establish a secure shell (SSH) communication layer over an unencrypted network. Without unpacking too much here, an SSH key consists of two parts:

  1. Private Key - secret key only known to you
  2. Public Key - what you give to other resources (servers, applications, etc.) to confirm "you are you"

These keys are used in a process known as SSH Key Authentication where SSH communication verifies that the same person offering the public key also possesses the private key (without transferring the private key).

The Wikipedia article for Secure Shell offers a wealth of detail for those who want to go into the weeds on this.

Creating your SSH key pair

As with everything, Windows has its own set of challenges: there is no natively installed utility for generating an SSH key. I'll cut to the chase and suggest using Git Bash. For the rest of this article I will assume you are using Git Bash, in which case you can follow the same steps as for Linux.

Mac/Linux or Windows Git Bash:

  1. Open up a terminal
  2. From the command prompt run ssh-keygen:

$ ssh-keygen
Output:

By default it will prompt you to save the key in your user's .ssh folder with the name id_rsa.

To avoid naming conflicts or overwriting existing keys, choose a unique name that you will remember (the examples below use bitbucket_id_rsa).

  3. Do not enter a passphrase - just leave this empty (a passphrase only encrypts the private key file on disk; if you change your mind later, ssh-keygen -p adds one to an existing key):

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

Now our keys (both private and public) are created and saved to the folder you specified. If you only changed the filename, your keys will be located in the ~/.ssh directory:

Your identification has been saved in /Users/my_username/.ssh/bitbucket_id_rsa.
Your public key has been saved in /Users/my_username/.ssh/bitbucket_id_rsa.pub.
The key fingerprint is:
SHA256:sdsd8wehwefhiwehfweh8whefknwkwe8wefwefwefwef my_username@my_computer.local
The key's randomart image is:
+---[RSA 2048]----+
|        o .      |
|         o x     |
|        .   =    |
|       . o.o = o.|
|      x So+ =.o.E|
|   . . oo. + +o +|
|  . o. .o.= .xo+o|
|   o.oxoo+ +o.o=.|
|   .oo+++. .. +. |
+----[SHA256]-----+

We can double-check this by listing our .ssh directory. Note the permissions: the private key is readable only by you (rw-------, mode 600) while the public key is world-readable (rw-r--r--, mode 644). Keep it that way; the ssh client refuses to use a private key file that other users can read.

$ ls -l ~/.ssh
Output:

-rw-------  1 my_username  staff  1843 Mar 23 07:55 bitbucket_id_rsa
-rw-r--r--  1 my_username  staff   413 Mar 23 07:55 bitbucket_id_rsa.pub

Other options

You may also want to add a comment field to the public key to identify it more easily. This can be done by adding a -C flag with the comment enclosed in double quotes:

$ ssh-keygen -C "user@email.com"

Or

$ ssh-keygen -C "bitbucket.com"

etc...
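As an added example (not code from the original post), here is a small POSIX shell script that performs the generation steps above non-interactively and applies the -C comment just described: it creates the key under a name of your choosing, refuses to overwrite an existing key (the naming-conflict concern above), and verifies the private key's permissions and fingerprint. The function names gen_key, check_key_perms and key_fingerprint are my own; the script assumes OpenSSH's ssh-keygen is on your PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH ssh-keygen is on
# PATH. Function names below (gen_key, check_key_perms, key_fingerprint, demo)
# are my own, not an OpenSSH API.

# gen_key DIR NAME COMMENT [TYPE] [PASSPHRASE]
#   Creates DIR/NAME and DIR/NAME.pub with the given -C comment. TYPE defaults
#   to rsa (as in the post); PASSPHRASE defaults to empty, which is the
#   "leave this empty" answer given interactively in the post.
gen_key() {
    dir=$1; name=$2; comment=$3; ktype=${4:-rsa}; passphrase=${5:-}
    if [ -e "$dir/$name" ] || [ -e "$dir/$name.pub" ]; then
        echo "gen_key: $dir/$name already exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    # -q suppresses the randomart banner shown in the post; -N passes the
    # passphrase so the command never prompts.
    ssh-keygen -q -t "$ktype" -f "$dir/$name" -C "$comment" -N "$passphrase"
}

# check_key_perms KEYFILE
#   Succeeds only if the private key is readable by its owner alone (0600),
#   which is what ssh-keygen sets and what the ssh client insists on.
check_key_perms() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# key_fingerprint PUBFILE
#   Prints the fingerprint line for a public key, the same value ssh-keygen
#   shows after "The key fingerprint is:" when the key is created.
key_fingerprint() {
    ssh-keygen -lf "$1"
}

# demo: create a key in a throwaway directory and inspect it.
demo() {
    tmp=$(mktemp -d)
    gen_key "$tmp" bitbucket_id_rsa "my_username@my_computer.local"
    check_key_perms "$tmp/bitbucket_id_rsa" && echo "private key mode is 0600"
    key_fingerprint "$tmp/bitbucket_id_rsa.pub"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run the script with the single argument demo to see it in action; in day-to-day use you would call gen_key "$HOME/.ssh" bitbucket_id_rsa "user@email.com" instead of the interactive ssh-keygen session.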

Managing your keys

There are a number of options for managing your keys once you've generated them both locally and beyond. Choosing the right strategy will help you stay organized, efficient and may even prevent accidental lockout due to misplaced/deleted keys.

For a free and simple local solution, I'd recommend ssh-agent (see instructions below). For a more global option, people have used password managers (LastPass, etc.) or secure cloud storage (Google Drive, Amazon S3, etc.).

Another more global solution might be to use a cross-platform SSH terminal client application such as Prompt 2 or Termius. Once your keys are loaded to these applications they are instantly available from whatever client or system you are using these applications on.

Without getting too deep into security best practice, use care with your SSH keys, as losing control of your private key could be disastrous depending on what you are doing with it. Every copy you sync to a cloud service or load into a third-party client is one more place that private key can leak from, so keep the number of copies small and know where each one lives.

ssh-agent

This is a nice option for managing SSH keys locally on your machine.

  1. Use the eval command to run ssh-agent

$ eval "$(ssh-agent)"
Agent pid 323

  2. Add the key to ssh-agent by using the ssh-add command:

Mac (on macOS 12 Monterey and later, the -K flag has been replaced by --apple-use-keychain):

$ ssh-add -K ~/.ssh/bitbucket_id_rsa
Identity added: /Users/my_username/.ssh/bitbucket_id_rsa (my_username@my_computer.local)

Linux/Windows Git Bash:

$ ssh-add ~/.ssh/bitbucket_id_rsa
Identity added: /Users/my_username/.ssh/bitbucket_id_rsa (my_username@my_computer.local)
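The two steps above, as an added example that is not part of the original post: a small POSIX shell workflow that reuses an agent that is already reachable instead of starting a fresh one in every shell, adds a key with an expiry so the agent forgets it after a while, and reports what is loaded. It relies on the documented exit codes of ssh-add -l (0 when identities are listed, 1 when the agent is empty, 2 when no agent can be contacted). The function names are my own; the script assumes OpenSSH's ssh-agent and ssh-add are on your PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH ssh-agent and
# ssh-add are on PATH. Function names (agent_status, agent_start, agent_add,
# agent_count, agent_stop) are my own.

# agent_status
#   Exit 0 if an agent is reachable and holds at least one key, 1 if it is
#   reachable but empty, 2 if no agent is reachable (the ssh-add -l codes).
agent_status() {
    ssh-add -l >/dev/null 2>&1
}

# agent_start
#   Starts an agent only if none is reachable via $SSH_AUTH_SOCK, exporting
#   SSH_AUTH_SOCK and SSH_AGENT_PID exactly as eval "$(ssh-agent)" does above.
agent_start() {
    rc=0; agent_status || rc=$?
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    rc=0; agent_status || rc=$?
    [ "$rc" -ne 2 ]
}

# agent_add KEYFILE [SECONDS]
#   Adds a private key. With SECONDS, the agent drops the key after that long,
#   which limits how long a hijacked session could keep using it.
agent_add() {
    if [ -n "${2:-}" ]; then
        ssh-add -t "$2" "$1"
    else
        ssh-add "$1"
    fi
}

# agent_count
#   Prints the number of identities currently loaded (0 when empty or when
#   no agent is reachable).
agent_count() {
    if agent_status; then
        ssh-add -l | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# agent_stop
#   Kills the agent identified by SSH_AGENT_PID.
agent_stop() {
    ssh-agent -k >/dev/null 2>&1
}

case "${1:-}" in
    demo)
        agent_start
        agent_add "$HOME/.ssh/bitbucket_id_rsa" 3600
        echo "loaded identities: $(agent_count)"
        ;;
esac
```

Source the file (. ./agent.sh) rather than executing it if you want the exported SSH_AUTH_SOCK and SSH_AGENT_PID to stay in your interactive shell, then call agent_start and agent_add yourself; the demo argument is only for a quick stand-alone check.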

Jeff Jones

  • New Jersey
