ssh-keygen — Generate and Manage SSH Keys
Practical guide to ssh-keygen — generate Ed25519 and RSA key pairs, manage passphrases, maintain known_hosts, inspect fingerprints, and issue SSH certificates.
ssh-keygen is OpenSSH's built-in tool for creating and managing SSH key pairs. A single command generates a modern Ed25519 or classic RSA pair, lets you protect it with a passphrase, and produces the public key you copy to your server – from that point on, you log in without a password. It also handles known_hosts maintenance, fingerprint verification, format conversion, and full SSH-certificate workflows.
Generate Keys

ssh-keygen -t ed25519 — Generate an Ed25519 key pair (modern, recommended).
    ssh-keygen -t ed25519 -C 'user@example.com'

ssh-keygen -t rsa -b 4096 — Generate an RSA key pair with 4096 bits.
    ssh-keygen -t rsa -b 4096 -C 'user@example.com'

ssh-keygen -t ed25519 -f <file> — Generate a key and save it to a custom filename.
    ssh-keygen -t ed25519 -f ~/.ssh/deploy_key

ssh-keygen -t ed25519 -N '' — Generate a key without a passphrase (for automation).
    ssh-keygen -t ed25519 -N '' -f ~/.ssh/ci_key

ssh-keygen -t ecdsa -b 521 — Generate an ECDSA key on the 521-bit curve.
    ssh-keygen -t ecdsa -b 521

Key Info & Fingerprints

ssh-keygen -l -f <key> — Show the fingerprint of a key.
    ssh-keygen -l -f ~/.ssh/id_ed25519.pub

ssh-keygen -l -E md5 -f <key> — Show the fingerprint in MD5 format. — MD5 is deprecated; legacy compatibility only.
    ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub

ssh-keygen -lv -f <key> — Show the fingerprint with visual ASCII art (randomart).
    ssh-keygen -lv -f ~/.ssh/id_ed25519.pub

ssh-keygen -y -f <private-key> — Extract the public key from a private key.
    ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub

Passphrase Management

ssh-keygen -p -f <key> — Change the passphrase of a private key.
    ssh-keygen -p -f ~/.ssh/id_ed25519

ssh-keygen -p -f <key> -N '' -P '<old>' — Remove the passphrase from a key. — The passphrase is exposed in shell history; use only in controlled environments.
    ssh-keygen -p -f ~/.ssh/id_ed25519 -N '' -P 'oldpassphrase'

known_hosts Management

ssh-keygen -R <host> — Remove a host from known_hosts (after a key change).
    ssh-keygen -R server.example.com

ssh-keygen -F <host> — Search for a host in known_hosts.
    ssh-keygen -F github.com

ssh-keygen -H -f ~/.ssh/known_hosts — Hash all hostnames in known_hosts (for privacy). The unhashed original is kept as known_hosts.old; delete it once you have confirmed the hashed file works.
    ssh-keygen -H -f ~/.ssh/known_hosts

ssh-keyscan <host> — Fetch the public key of a remote host. The result is unauthenticated: compare its fingerprint (ssh-keygen -l) with one obtained out of band before appending it to known_hosts.
    ssh-keyscan github.com >> ~/.ssh/known_hosts

ssh-keyscan -t ed25519 <host> — Fetch only a specific key type.
    ssh-keyscan -t ed25519 github.com

Format Conversion

ssh-keygen -e -f <key> -m RFC4716 — Export a public key in RFC 4716 format (SSH2).
    ssh-keygen -e -f ~/.ssh/id_ed25519.pub -m RFC4716

ssh-keygen -e -f <key> -m PEM — Export a public key in PEM format.
    ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PEM

ssh-keygen -i -f <key> -m RFC4716 — Import a key from RFC 4716 format to OpenSSH format.
    ssh-keygen -i -f key.pub -m RFC4716

Certificates & Signing

ssh-keygen -s <ca-key> -I <id> -n <principals> <key>.pub — Sign a user key with a CA key (SSH certificates).
    ssh-keygen -s ca_key -I user_john -n john,admin john.pub

ssh-keygen -s <ca-key> -I <id> -h <host-key>.pub — Sign a host key with a CA key.
    ssh-keygen -s ca_key -I server.example.com -h ssh_host_ed25519_key.pub

ssh-keygen -L -f <cert> — Show the details of an SSH certificate.
    ssh-keygen -L -f john-cert.pub

ssh-keygen -Y sign -f <key> -n <namespace> <file> — Sign a file using an SSH key.
    ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file release.tar.gz

ssh-keygen -Y verify -f <allowed-signers> -I <id> -n <namespace> -s <sig> < <file> — Verify a file signature.
    ssh-keygen -Y verify -f allowed_signers -I user@example.com -n file -s release.tar.gz.sig < release.tar.gz

Conclusion
ssh-keygen gives you everything you need for secure, passwordless authentication – from key generation to certificate issuance. Reach for Ed25519 in everyday use: compact, fast, and cryptographically current. Always protect private keys with a passphrase and pair them with an SSH agent so you only need to enter it once per session.
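The fingerprint that ssh-keygen -l prints and the hashed entries that -H writes and -F matches are simple formats, and knowing them lets a script check an ssh-keyscan result against a fingerprint obtained out of band before it is appended to known_hosts. The following Python is an added example, not code from this page or from OpenSSH; the key blob, salt and hostnames are constructed sample values, and the fingerprint and HMAC-SHA1 computations follow the OpenSSH formats.

```python
import base64
import hashlib
import hmac
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def fingerprint_of_blob(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_pubkey_line(line: str):
    """Parse a known_hosts/ssh-keyscan line ('host type b64') or a .pub line ('type b64').
    Returns (type, fingerprint); raises if the type embedded in the blob disagrees."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES))
    declared, blob = fields[idx], base64.b64decode(fields[idx + 1])
    (length,) = struct.unpack(">I", blob[:4])  # first wire string is the key type
    embedded = blob[4:4 + length].decode()
    if embedded != declared:
        raise ValueError(f"declared {declared} but blob says {embedded}")
    return declared, fingerprint_of_blob(blob)

def verify_scanned_key(line: str, expected_fp: str) -> bool:
    """Gate for `ssh-keyscan host >> known_hosts`: accept the key only when its
    fingerprint matches one obtained out of band (console, provider docs, CM)."""
    _, fp = parse_pubkey_line(line)
    return hmac.compare_digest(fp, expected_fp)

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the `|1|salt|mac` host field that `ssh-keygen -H` writes (HMAC-SHA1, 20-byte salt)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def hashed_host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field the way `ssh-keygen -F` does, hashed or plain."""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")  # plain entries may list several names
    _, _, salt_b64, mac_b64 = host_field.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

# Constructed sample: a well-formed Ed25519 blob whose 32 key bytes are 0x00..0x1f.
# It is not a real key; it only exercises the wire format and the fingerprint path.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SCANNED_LINE = "server.example.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
```

Feeding a real `ssh-keyscan` line to `verify_scanned_key` with the fingerprint your provider publishes gives you a scriptable version of the manual comparison the ssh-keyscan entry above calls for.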
Further Reading
- OpenSSH – Wikipedia – background and history
- Secure Shell – Wikipedia – protocol and architecture
- ssh-keygen(1) – manual page – every option at a glance