Description: Learn how to create SSH key pairs using the ssh-keygen command in this comprehensive guide. Discover the different types of keys available, including RSA and ECDSA, and the various key sizes to choose from. Plus, explore how to generate keys in silent mode for a promptless experience. Strengthen your SSH security with this essential skill.
To generate an SSH key pair from a bash shell, the usual practice is to run ssh-keygen, which writes a private key file and the matching public key file. [OpenBSD manual]
ssh-keygen -t {type of key} -b {key length}
The -t option selects the key type; the possible values are "dsa", "ecdsa", "ecdsa-sk", "ed25519", "ed25519-sk", or "rsa". The "-sk" variants are FIDO/U2F keys whose private half lives on a hardware authenticator. DSA is obsolete (1024-bit only) and is disabled by default in current OpenSSH releases, so do not create new DSA keys.
rsa and ecdsa are the common choices; RSA in particular has been in use since it was published in 1977 and is accepted by practically every SSH server. ed25519 is the modern choice (recent OpenSSH releases generate it when -t is omitted) and has no key size to get wrong.
The -b option sets the key length in bits, and its meaning depends on the type. For rsa it is the modulus size: ssh-keygen refuses anything below 1024 and currently defaults to 3072 when -b is omitted. For ecdsa it selects the curve and must be 256, 384 or 521. For ed25519 the length is fixed and -b is ignored. A 3072-bit RSA key is generally considered adequate, but because computing power keeps growing the suggestion here is to create RSA keys of at least 4096 bits. Larger sizes such as 8192 work, but they are slow to generate and to use and add little practical margin over 4096.
An example command:
ssh-keygen -t rsa -b 8192
Running it produces output like the following and stops at each prompt for user input.
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa): {input prompt 1}
Enter passphrase (empty for no passphrase): {input prompt 2}
Enter same passphrase again: {input prompt 3}
The key fingerprint is:
SHA256:824QTt/eee7End+KwKjsLlViqIqp3QmxXOvlBeXNMq0 user@localhost
The key's randomart image is:
+---[RSA 8192]----+
(nine rows of ASCII art omitted; the pattern is derived from the fingerprint and differs for every key)
+----[SHA256]-----+
Prompt 1 asks where to store the key pair. Pressing Enter on an empty input accepts the default, ~/.ssh/id_<type> (the real prompt shows the full path, e.g. /home/user/.ssh/id_rsa). If that file already exists, ssh-keygen asks whether to overwrite it; answer n unless you really mean to replace the key, because the old private key is not recoverable afterwards.
Prompts 2 and 3 ask for and confirm the passphrase. Pressing Enter on an empty input creates a key pair with no passphrase, which means the private key is stored unencrypted on disk and anyone who can read the file can use it. Prefer a passphrase and load the key into ssh-agent so you only type it once per session.
The file names follow the type: an rsa key is written as id_rsa (private) and id_rsa.pub (public), an ecdsa key as id_ecdsa and id_ecdsa.pub, and an ed25519 key as id_ed25519 and id_ed25519.pub. The .pub file is the only part that leaves the client: append its single line to ~/.ssh/authorized_keys on each server you want to log into. The private key stays on the client with mode 0600 (ssh-keygen sets this) and must never be copied to a server or shared.
Silent example: the command below runs ssh-keygen non-interactively by supplying on the command line the answers the three prompts would otherwise ask for.
ssh-keygen -t rsa -b 8192 -N '{passphrase}' -f {key file location}
-N sets the passphrase for the new private key; an empty string ('') means no passphrase.
-f sets the path of the private key; the public key is written next to it with .pub appended.
e.g. if the key file location is set to ~/.ssh/id_rsa, the private key will be ~/.ssh/id_rsa and the public key will be ~/.ssh/id_rsa.pub.
Two caveats for scripts. First, -N puts the passphrase on the command line, where it is visible to other users in the process list and is saved in shell history; pass it from a variable (-N "$KEY_PASSPHRASE") rather than typing it literally, and reserve passphrase-less keys for accounts whose private keys are protected some other way. Second, "silent" covers only the three normal prompts: if the target file already exists, ssh-keygen still prints "Overwrite (y/n)?" and waits on stdin, so check for the file first. Add -q to suppress the fingerprint and randomart output, and -C "comment" to set the comment stored in the public key (the default is user@host).
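A complete non-interactive run, as an added example that is not from the original page: it generates a passphrase-protected RSA key and a passphrase-less ed25519 key into a constructed temporary directory, then performs the checks a practitioner would want before deploying the key: that the private key is mode 0600, that the fingerprint reported for the private key path matches the .pub file, that the passphrase actually unlocks the key (and a wrong one does not), and that ssh-keygen refuses to overwrite an existing key when stdin is closed. The wrapper names (gen_key, fingerprint, mode_of, check_passphrase, raw_overwrite_refused), the sample passphrase and the comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): scripted ssh-keygen with post-generation checks.
# Assumes OpenSSH's ssh-keygen is on PATH. Keys go into a constructed temp dir, not ~/.ssh.
set -eu

# Bail out cleanly where ssh-keygen is unavailable.
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

KEYDIR=$(mktemp -d)
trap 'rm -rf "$KEYDIR"' EXIT

# gen_key TYPE BITS PASSPHRASE FILE COMMENT   (BITS may be '' for ed25519, which ignores -b)
# Refuses an existing FILE up front: "silent" mode only answers the three usual prompts;
# if FILE exists, ssh-keygen still asks "Overwrite (y/n)?" and reads the answer from stdin.
gen_key() {
    type=$1; bits=$2; pass=$3; file=$4; comment=$5
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing key $file" >&2
        return 1
    fi
    # -q: no banner/randomart   -N: passphrase ('' = none)   -f: private key path   -C: comment
    if [ -n "$bits" ]; then
        ssh-keygen -q -t "$type" -b "$bits" -N "$pass" -f "$file" -C "$comment" </dev/null
    else
        ssh-keygen -q -t "$type" -N "$pass" -f "$file" -C "$comment" </dev/null
    fi
}

# SHA256 fingerprint of a key. Works on the .pub file or on the private key path,
# because ssh-keygen -l falls back to FILE.pub when FILE is not a public key.
fingerprint() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# Permission string of a file, e.g. -rw------- (ssh-keygen writes private keys as 0600).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_passphrase FILE PASS: succeeds only if PASS unlocks the private key.
# -P supplies the passphrase, so nothing prompts; a wrong passphrase makes ssh-keygen -y fail.
check_passphrase() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1 </dev/null
}

# Demonstrates the trap the wrapper guards against: raw ssh-keygen on an existing path with
# stdin closed hits EOF at the overwrite prompt and exits non-zero, leaving the old key intact.
raw_overwrite_refused() {
    if ssh-keygen -q -t ed25519 -N '' -f "$1" </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed sample inputs for the demonstration run.
RSA_PASS='correct horse battery staple'
gen_key rsa 4096 "$RSA_PASS" "$KEYDIR/id_rsa" 'deploy@example.test'
gen_key ed25519 '' '' "$KEYDIR/id_ed25519" 'deploy@example.test'   # -N '' = no passphrase

echo "rsa fingerprint:      $(fingerprint "$KEYDIR/id_rsa.pub")"
echo "ed25519 fingerprint:  $(fingerprint "$KEYDIR/id_ed25519.pub")"
echo "private key mode:     $(mode_of "$KEYDIR/id_rsa")"
```

The wrapper feeds </dev/null to ssh-keygen on purpose: in a cron job or CI runner there is no terminal, so any prompt the flags did not answer would otherwise hang the job. Checking for the file before calling ssh-keygen turns that hang into an explicit error.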