When setting up a remote Linux server, you’ll need to decide upon a method for securely connecting to it. While passwords are one way of verifying a user’s identity, passwords have multiple vulnerabilities and can be cracked by a brute force attack. Secure Shell keys — better known as SSH keys — are often used instead of passwords, as they offer a more secure method of connecting to remote Linux servers. As part of the Secure Shell cryptographic network protocol, SSH keys also enable users to securely perform network services over an unsecured network, such as delivering text-based commands to a remote server or configuring its services.
This tutorial will guide you through the steps of creating SSH keys with OpenSSH, a suite of open source SSH tools, on macOS and Linux, as well as on Windows through the use of the Windows Subsystem for Linux. It is written for an audience that is just getting started with the command line and will provide guidance on accessing the terminal on a personal computer. After completing this tutorial, you will have SSH keys that can be used to securely set up a server in the tutorial How To Set Up an Ubuntu 20.04 Server on a DigitalOcean Droplet that is part of the Introduction to the Cloud Curriculum.
If you are already familiar with the command line and looking for instructions on using SSH to connect to a remote server, please see our collection of tutorials on Setting Up SSH Keys for a range of Linux operating systems.
To complete this tutorial, you will need:
Note: If you are looking for instructions on how to create SSH keys on a Windows machine that does not have the Windows Subsystem for Linux, please visit our product documentation How to Create SSH Keys with PuTTY on Windows.
SSH keys are two long strings of characters that can be used to authenticate the identity of a user requesting access to a remote server. These keys are generated by the user on their local computer using an SSH utility. One key is private and stored on the user’s local machine. The other key is public and shared with the remote server or any other entity the user wishes to securely communicate with.
When a user requests to connect to a server with SSH, the server sends a message encrypted with the public key that can only be decrypted by the associated private key. The user’s local machine then uses its private key to attempt to decrypt the message. If the message is successfully decrypted, the server grants the user access without the need of a password. Once authenticated, users can launch a remote shell session in their local terminal to deliver text-based commands to the remote server.
In the next step, you will open a terminal on your computer so that you can access the SSH utility used to generate a pair of SSH keys.
A terminal allows you to interact with your computer through text-based commands rather than a graphical user interface. The way you access the terminal on your computer will depend on what type of operating system you are using.
On machines running macOS, the Terminal application is typically located in the Utilities folder inside the Applications folder. You can also find it by searching for “terminal” in the Search Spotlight.
If you are working on a Linux computer, your distribution’s default terminal application is also typically located in the Utilities folder inside the Applications folder. You can also find it by searching for “terminal” with the Desktop search functionality.
If you are working on a Windows machine running Windows Subsystem for Linux, a Linux terminal should open immediately after installation. You can also find it by searching for “Ubuntu” with the Desktop search functionality.
Once you have located your system’s terminal application, open up a new terminal window. Your terminal should display your user name, a dollar sign ($), and a cursor. This is where you will begin to type commands to tell the terminal what to do.
In the next step, you will enter a text-based command to generate a pair of SSH keys.
Your macOS or Linux operating system should have the standard OpenSSH suite of tools already installed. This suite of tools includes the utility ssh-keygen, which you will use to generate a pair of SSH keys.
Type the following command into your terminal:
You will then be prompted to select a location for the keys. By default, the keys are stored in the ~/.ssh directory with the filenames id_rsa for the private key and id_rsa.pub for the public key. Using the default locations allows your SSH client to automatically find your SSH keys when authenticating, so we recommend accepting these default options. To do so, press
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sammy/.ssh/id_rsa):
Warning: If you have previously generated a key pair, you will be prompted to confirm that you actually want to overwrite the existing key:
Output
/home/sammy/.ssh/id_rsa already exists.
Overwrite (y/n)?
If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Selecting “yes” is an irreversible destructive process.
If you’re certain that you want to overwrite the existing key on disk, you can do so by pressing Y and then
If you choose the default location, your public key will be located in /home/sammy/.ssh/id_rsa.pub and your private key will be located in /home/sammy/.ssh/id_rsa. Note that in your filepath, sammy will be replaced with your username.
After selecting a location for the key, you’ll be prompted to enter an optional passphrase which encrypts the private key file on disk.
If you enter a passphrase, you will have to provide it every time you use this key (unless you are running SSH agent software that stores the decrypted key). We recommend using a passphrase, but you can just press ENTER to bypass this prompt:
Output
Created directory '/home/sammy/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Following that final prompt, your system will generate the SSH key pair:
Output
Your identification has been saved in /home/sammy/.ssh/id_rsa.
Your public key has been saved in /home/sammy/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:EX:AM:PL:E3:3e:a9:de:4e:77:11:58:b6:90:26 firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+
You now have a public and private key that you can use to authenticate.
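The prompts above (key location, overwrite confirmation, passphrase) can also be supplied as ssh-keygen options. The following script is an added example, not part of the original tutorial: the function names, the scratch directory, the 3072-bit size, the example-key comment and the passphrase are assumptions chosen for illustration. It refuses to overwrite an existing key, then checks the private key's file mode and that the public key file really belongs to it.

```shell
#!/usr/bin/env bash
# Added example; paths, comment and passphrase are constructed sample values.

# generate_keypair <private-key-path> <passphrase> [bits]
# Refuses to replace an existing key instead of asking "Overwrite (y/n)?".
generate_keypair() {
    local key="$1" pass="$2" bits="${3:-3072}"
    if [ -e "$key" ] || [ -e "$key.pub" ]; then
        echo "refusing to overwrite existing key: $key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")" || return 1
    # -q: quiet, -N: new passphrase, -f: output file, -C: comment in the .pub file
    ssh-keygen -q -t rsa -b "$bits" -N "$pass" -f "$key" -C "example-key"
}

# check_keypair <private-key-path> <passphrase>
# Verifies the private key is owner-only (mode 600) and that the .pub file
# matches it, by re-deriving the public key from the private key with -y.
check_keypair() {
    local key="$1" pass="$2" mode derived stored
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")  # GNU, then BSD/macOS
    if [ "$mode" != "600" ]; then
        echo "private key mode is $mode, expected 600" >&2
        return 1
    fi
    derived=$(ssh-keygen -y -P "$pass" -f "$key" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$key.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# key_fingerprint <public-key-path>: prints the fingerprint field of "ssh-keygen -l".
key_fingerprint() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# demo: runs all three steps in a scratch directory so ~/.ssh is never touched.
demo() {
    local dir rc pass="constructed sample passphrase"
    dir=$(mktemp -d) || return 1
    generate_keypair "$dir/id_rsa" "$pass" &&
        check_keypair "$dir/id_rsa" "$pass" &&
        key_fingerprint "$dir/id_rsa.pub"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to generate a throwaway key pair and print its fingerprint. For a real key, type the passphrase at the prompt rather than passing it with -N, where it is visible in shell history and the process list.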
Congratulations, you have now generated a pair of SSH keys. These keys can be used to securely connect with a remote server and are necessary for the tutorial How To Set Up an Ubuntu 20.04 Server on a DigitalOcean Droplet that follows this tutorial in the Introduction to the Cloud Curriculum.
For a deeper dive on working with SSH, please visit our guide SSH Essentials: Working With SSH Servers, Clients, and Keys.