An SSH key allows you to log into your server without a password. This guide describes creating SSH keys using a Linux, Mac, or Windows workstation in OpenSSH format, suitable for use with Vultr server instances.
OpenSSH is standard and should be present on macOS and most Linux distributions. We also have installation instructions for Windows 10 users. Follow these steps to create an SSH key with the OpenSSH utilities.
Generate your key with ssh-keygen, substituting your email address.
$ ssh-keygen -t ed25519 -C "your_email@example.com"
Note: If you use a legacy system that doesn't support the Ed25519 algorithm, use:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
By default, the keys are stored in the ~/.ssh directory. Most SSH clients automatically use these default filenames:
Algorithm: ED25519 (preferred)
Public key: id_ed25519.pub
Private key: id_ed25519
Algorithm: RSA (at least 2048-bit key size)
Public key: id_rsa.pub
Private key: id_rsa
Algorithm: DSA (deprecated)
Public key: id_dsa.pub
Private key: id_dsa
Algorithm: ECDSA
Public key: id_ecdsa.pub
Private key: id_ecdsa
Press ENTER to save the key in the default location.
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/example/.ssh/id_ed25519):
You may enter a passphrase for your key. We recommend using a passphrase, but you can press ENTER to bypass this prompt. If you use a passphrase, you will enter it each time you use the key unless you also use ssh-agent.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your key is generated and saved.
Your identification has been saved in /Users/example/.ssh/id_ed25519.
Your public key has been saved in /Users/example/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:qx6prR4Zo+VU7Fl8yivXzzzzzzzzJ/9NRnPbrC20w7g example@example.com
The key's randomart image is:
+--[ED25519 256]--+
| |
| o . |
| o B o + . |
| B + + o + |
| = = S o o o |
| = + = O + + |
| . + B B = * . |
| = O + o |
| .+o=.. E . |
+----[SHA256]-----+
Make a backup of the private key. The key cannot be recovered if lost.
Before connecting to an existing server with your SSH key, you'll need to add the public key to the authorized_keys file. You can also add the public key to your Vultr account.
The OpenSSH client is an installable component for Windows 10 1809.
Launch Settings then go to Apps > Apps and Features > Manage Optional Features.
Scan this list to see if OpenSSH Client is already installed. If not, then click Add a feature.
Locate OpenSSH Client, then click Install.
Optionally, you can also install OpenSSH Client with PowerShell.
Once you've installed OpenSSH, follow the instructions above to create your SSH key.
PuTTYgen is part of the PuTTY suite of utilities. It is available for all versions of Windows.
Download the latest version of the PuTTY utilities. We recommend the MSI Windows Installer package.
Install the package and run PuTTYgen.
At the bottom of the program window, select EdDSA for the key type.
In the lower-right corner, set "Curve to use for generating this key" to Ed25519 (255 bits).
Click the Generate button. Then, move the mouse in the blank area to generate some random data.
Enter a Key comment to make the key easier to identify later.
The private key must be kept secure from unauthorized use. We recommend entering a Key passphrase to protect the SSH key.
Click Save private key and store it securely. It is not possible to recover this file if it is lost. This file is your public/private key pair in PuTTY format. You can re-import this file with PuTTYgen in the future to export or convert the format of your public key.
Click Conversions > Export OpenSSH key. Save this file and store it securely. This file is your private SSH key in OpenSSH format. You may need this file if you use an SSH client other than PuTTY.
Select the text in the Public key for pasting into OpenSSH authorized_keys file box and save it to a file. This is your public key in OpenSSH format. If you want to add this key to your Vultr account, you'll also copy and paste this into the Customer Portal.
If you have access to the private key, you can recover the public key with OpenSSH.
Pass ssh-keygen the -y option and the path to the private key with the -f option. When ssh-keygen regenerates the public SSH key, you can redirect the output to a file of your choice.
For example, to regenerate the public key for ~/example_key and send the output to ~/example_key.pub:
$ ssh-keygen -y -f ~/example_key > ~/example_key.pub
If a password is set for the key, you will be prompted to enter it.
You can change the passphrase on a private key with the -p option and pass the key name with the -f option.
$ ssh-keygen -p -f ~/example_key
Enter your old and new passphrase (twice) at the prompts.
Print the key's SHA256 fingerprint with the -l option, and pass the key name with the -f option.
$ ssh-keygen -l -f example_key
The output is something like this:
3072 SHA256:pqdEtfbmIRwqTk9PpApa7DMvAxqCA577vJ/FcgyUM0Q root@localhost (RSA).
OpenSSH includes a utility to transfer a key to your server. When using this utility, you must authenticate to your server using SSH.
Specify the public key to be transferred with the -i option. Replace the example with your username and the server's IP address.
$ ssh-copy-id -i ~/.ssh/example_key.pub example_user@192.0.2.123
You will be prompted to authenticate with your server and transfer the key to the remote server's authorized_keys file.
OpenSSH 6.5 introduced ED25519 keys in 2014, and they are available on most operating systems. It's believed that ED25519 keys are more secure than RSA, with better performance. If you use an RSA key, the US National Institute of Science and Technology recommends a key size of at least 2048 bits.
For more information about managing SSH keys, see our other guides: