How to generate SSH keys with ssh-keygen

1. Why you want SSH keys
2. Generating a key with ssh-keygen
3. Passphrase or no passphrase
4. Where the keys live
5. Copying the public key to a server
6. Adding the key to ssh-agent
7. Adding the key to GitHub

#Why you want SSH keys

Typing a password every time you connect to a server gets old fast, and passwords are the weaker link anyway. SSH keys give you a passwordless, far more secure login: you keep a private key on your machine, hand the matching public key to the server, and SSH proves you own the pair without ever sending a secret over the wire. Once they're set up, connecting to a server and pushing to Git just work.

#Generating a key with ssh-keygen

ssh-keygen ships with every Linux distro and macOS. The modern, recommended command is:

ssh-keygen -t ed25519 -C "you@example.com"

• -t ed25519 picks the Ed25519 algorithm. It's fast, secure, and produces short keys. Use this unless something old refuses to accept it.
• -C "you@example.com" adds a comment, usually your email, so you can recognize the key later in a list of authorized keys.

If you're stuck talking to ancient hardware or legacy software that doesn't speak Ed25519, fall back to RSA with a large key size:

ssh-keygen -t rsa -b 4096 -C "you@example.com"

#Passphrase or no passphrase

ssh-keygen asks for a passphrase. My advice: set one. It encrypts the private key on disk, so a stolen laptop doesn't hand over your servers. The minor inconvenience of typing it is solved by ssh-agent (below), which remembers it for your session. Press Enter twice for no passphrase only on throwaway or fully automated keys.

#Where the keys live

By default the keys land in ~/.ssh/:

• ~/.ssh/id_ed25519 is your private key. Never share it, never commit it, never copy it off the machine.
• ~/.ssh/id_ed25519.pub is your public key. This is the safe one you give to servers and GitHub.

You can view the public key any time:

cat ~/.ssh/id_ed25519.pub

#Copying the public key to a server

The cleanest way to authorize your key on a server is ssh-copy-id. It appends your public key to the server's ~/.ssh/authorized_keys for you:

ssh-copy-id user@host

It'll ask for your password one last time. After that, ssh user@host logs you in with the key. If ssh-copy-id isn't available (it's missing on some macOS setups), you can do it manually:

cat ~/.ssh/id_ed25519.pub | ssh user@host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

If the server still asks for a password or rejects the key, the SSH permission denied (publickey) guide walks through the usual causes.

#Adding the key to ssh-agent

ssh-agent holds your decrypted key in memory so you only type the passphrase once per session. Start it and add your key:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

On macOS, store the passphrase in the Keychain so it persists across reboots:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

#Adding the key to GitHub

To push and pull over SSH, GitHub needs your public key. Copy it to your clipboard:

# macOS
pbcopy < ~/.ssh/id_ed25519.pub

# Linux (X11)
xclip -sel clip < ~/.ssh/id_ed25519.pub

Then go to GitHub, open Settings, SSH and GPG keys, New SSH key, paste it, and save. Verify it works:

ssh -T git@github.com

You should see a greeting with your username. If you instead hit Permission denied (publickey), the GitHub publickey error guide covers the fixes. Once this is green, your key handles servers and Git for good.