An SSH key allows you to log into your server without a password. This guide describes creating SSH keys using a Linux, Mac, or Windows workstation in OpenSSH format, suitable for use with Vultr server instances.
OpenSSH is standard and should be present on macOS and most Linux distributions. We also have installation instructions for Windows 10 users. Follow these steps to create an SSH key with the OpenSSH utilities.
Generate your key with ssh-keygen, substituting your email address.
$ ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
Note: If you use a legacy system that doesn't support the Ed25519 algorithm, use:
$ ssh-keygen -t rsa -b 4096 -C "email@example.com"
By default, the keys are stored in the ~/.ssh directory. Most SSH clients automatically use these default filenames:
| Algorithm | Public key | Private key |
|---|---|---|
| RSA (at least 2048-bit key size) | id_rsa.pub | id_rsa |
Press ENTER to save the key in the default location.
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/example/.ssh/id_ed25519):
You may enter a passphrase for your key. We recommend using a passphrase, but you can press ENTER to bypass this prompt. If you use a passphrase, you will enter it each time you use the key unless you also use ssh-agent.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your key is generated and saved.
Your identification has been saved in /Users/example/.ssh/id_ed25519.
Your public key has been saved in /Users/example/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:qx6prR4Zo+VU7Fl8yivXzzzzzzzzJ/9NRnPbrC20w7g firstname.lastname@example.org
The key's randomart image is:
+--[ED25519 256]--+
| |
| o . |
| o B o + . |
| B + + o + |
| = = S o o o |
| = + = O + + |
| . + B B = * . |
| = O + o |
| .+o=.. E . |
+----[SHA256]-----+
Make a backup of the private key. The key cannot be recovered if lost.
authorized_keys file. You can also add the public key to your Vultr account.
The OpenSSH client is an installable component for Windows 10 1809.
Once you've installed OpenSSH, follow the instructions above to create your SSH key.
PuTTYgen is part of the PuTTY suite of utilities. It is available for all versions of Windows.
EdDSA for the key type.
Ed25519 (255 bits).
If you have access to the private key, you can recover the public key with OpenSSH.
Pass ssh-keygen the -y option and the path to the private key with the -f option. When ssh-keygen regenerates the public SSH key, you can redirect the output to a file of your choice.
For example, to regenerate the public key for ~/example_key and send the output to ~/example_key.pub:
$ ssh-keygen -y -f ~/example_key > ~/example_key.pub
If a passphrase is set for the key, you will be prompted to enter it.
You can change the passphrase on a private key with the -p option and pass the key name with the -f option.
$ ssh-keygen -p -f ~/example_key
Enter your old and new passphrase (twice) at the prompts.
Print the key's SHA256 fingerprint with the -l option, and pass the key name with the -f option.
$ ssh-keygen -l -f example_key
The output is something like this:
3072 SHA256:pqdEtfbmIRwqTk9PpApa7DMvAxqCA577vJ/FcgyUM0Q root@localhost (RSA)
OpenSSH includes a utility to transfer a key to your server. When using this utility, you must authenticate to your server using SSH.
Specify the public key to be transferred with the -i option. Replace the example with your username and the server's IP address.
$ ssh-copy-id -i ~/.ssh/example_key.pub email@example.com
You will be prompted to authenticate with your server and transfer the key to the remote server's authorized_keys file.
OpenSSH 6.5 introduced ED25519 keys in 2014, and they are available on most operating systems. It's believed that ED25519 keys are more secure than RSA, with better performance. If you use an RSA key, the US National Institute of Standards and Technology recommends a key size of at least 2048 bits.
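To apply the key-size guidance above to keys you already have, the following sh script (an added example, not part of the original guide) parses the ssh-keygen -l output format shown earlier and flags RSA keys below 2048 bits. The function names classify_key_line and audit_pubkeys and the OK/WEAK/REVIEW labels are assumptions made for this example, and every sample line except the guide's own is constructed.

```shell
#!/bin/sh
# Added example: classify `ssh-keygen -l` lines of the form
#   <bits> <hash>:<fingerprint> <comment ...> (<TYPE>)
# Function names and the OK/WEAK/REVIEW labels are assumptions of this example.

# Print "<verdict> <type> <bits> <fingerprint>" for one fingerprint line.
classify_key_line() {
    line=$1
    bits=${line%% *}            # first field: key size in bits
    rest=${line#* }
    fp=${rest%% *}              # second field, e.g. SHA256:...
    type=${line##*\(}           # text after the last "(" (comments may contain parentheses)
    type=${type%%\)*}           # ...up to the closing ")"
    case $bits in
        ''|*[!0-9]*) echo "REVIEW unparsed - -"; return 0 ;;
    esac
    case $type in
        ED25519) verdict=OK ;;
        RSA) if [ "$bits" -ge 2048 ]; then verdict=OK; else verdict=WEAK; fi ;;
        *) verdict=REVIEW ;;    # key types this guide does not cover
    esac
    echo "$verdict $type $bits $fp"
}

# Run the check over every public key in a directory (default: ~/.ssh).
# Returns non-zero if any key is not OK.
audit_pubkeys() {
    dir=${1:-$HOME/.ssh}
    bad=0
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        if out=$(ssh-keygen -l -f "$pub" 2>/dev/null); then
            result=$(classify_key_line "$out")
        else
            result="REVIEW unreadable - -"
        fi
        echo "$result $pub"
        case $result in OK\ *) ;; *) bad=$((bad + 1)) ;; esac
    done
    [ "$bad" -eq 0 ]
}

# Demo on sample lines: the first is the output shown above, the rest are constructed.
while IFS= read -r sample; do
    classify_key_line "$sample"
done <<'EOF'
3072 SHA256:pqdEtfbmIRwqTk9PpApa7DMvAxqCA577vJ/FcgyUM0Q root@localhost (RSA)
1024 SHA256:CONSTRUCTED-EXAMPLE-FINGERPRINT legacy key (old) (RSA)
256 SHA256:CONSTRUCTED-EXAMPLE-FINGERPRINT firstname.lastname@example.org (ED25519)
EOF
```

To check your own keys, call audit_pubkeys ~/.ssh from a shell where ssh-keygen is on the PATH; a non-zero exit status means at least one key needs attention.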