SSH Key Generator
Generate SSH key pairs (RSA, Ed25519) in your browser. Export in OpenSSH or PEM format. Secure client-side key generation. Free online SSH keygen tool
An SSH key pair is two files: a private key that must never leave your machine, and a public key that you paste into GitHub, your servers, and your team's authorized_keys files. The interesting choices are not "generate a key" but which algorithm (Ed25519 vs RSA-4096), how to handle the passphrase, and how to store the private key safely. This generator runs entirely in your browser via the Web Crypto API, produces OpenSSH and PEM formats, and never transmits the private key anywhere.
Ed25519 or RSA — pick once, defaults for life
- Ed25519 — recommended for all new keys since ~2017. Fixed 256-bit keys (no key-size tuning), small public key (~68 bytes), fast verification, immune to timing side channels by construction. Supported by OpenSSH 6.5+ (2014), GitHub since 2014, every major Git host.
- RSA-4096 — still acceptable, slow to generate (a few seconds), large public keys (~750 bytes). Use only if you must support a legacy host with no Ed25519 support.
- RSA-2048 — minimum for new keys, but already considered marginal for 10+ year horizons. NIST recommends migration to ≥3072 bits by 2030.
- ECDSA-P256/P384/P521 — supported but not preferred. Same curves used in TLS; security depends on a good RNG at signing time. Ed25519 is deterministic and avoids that pitfall.
- DSA — deprecated. Removed from OpenSSH 7.0 default builds (2015). Do not generate.
Default to Ed25519 unless you have explicit compatibility requirements. The public key is so small it fits comfortably in a single line in authorized_keys; key generation is fast enough to be interactive; the security margin is generous.
Working example
Input
Algorithm: Ed25519
Comment: alice@laptop
Output
Public key (paste into ~/.ssh/authorized_keys on the server, or GitHub Settings → SSH keys):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7vK2... alice@laptop
Private key (save as ~/.ssh/id_ed25519, chmod 600):
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9u...
... (multiple lines) ...
-----END OPENSSH PRIVATE KEY-----
The "comment" field at the end is just a label — typically user@hostname so you can identify which key on a server is yours. After saving, run chmod 600 ~/.ssh/id_ed25519 and chmod 644 ~/.ssh/id_ed25519.pub. SSH will refuse to use a private key with permissions broader than 600.
Passphrases: when and how
- Without passphrase — convenient. If your laptop is stolen or the file is exfiltrated, the attacker has immediate access to every host that trusts the key. Acceptable only on full-disk-encrypted machines that you trust to sleep-and-wake securely.
- With passphrase — the private key file is encrypted at rest with a key derived from the passphrase. A stolen file is useless without the passphrase. Use ssh-agent (or macOS Keychain, gnome-keyring) to cache the decrypted key for the session so you do not retype the passphrase for every operation.
- Hardware-backed (YubiKey, Touch ID, TPM) — the private key never leaves the secure element. ssh-keygen -t ed25519-sk creates a "security key" type that requires the hardware token to sign. Best for high-trust contexts.
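To check which of these cases a saved key file falls into, the added example below (not this tool's code) reads only the file header and reports whether the key is encrypted at rest. It assumes Node.js; the function names are illustrative, the sample inputs are constructed, and it goes beyond the OpenSSH format to recognise the PEM headers as well.

```javascript
// Added example, not the tool's own code. Function names are illustrative.
// "openssh-key-v1" plus a NUL byte opens every OpenSSH-format private key.
const MAGIC = Buffer.from('openssh-key-v1\0', 'latin1');

// Report how a private key file is protected at rest, reading only its header.
function keyProtection(text) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/.exec(text);
  if (!m) throw new Error('no PEM-style block found');
  const [, label, body] = m;
  if (label === 'OPENSSH PRIVATE KEY') {
    const bin = Buffer.from(body.replace(/\s+/g, ''), 'base64');
    if (!bin.subarray(0, MAGIC.length).equals(MAGIC)) throw new Error('bad magic');
    let off = MAGIC.length;
    const readString = () => {
      if (off + 4 > bin.length) throw new Error('truncated header');
      const n = bin.readUInt32BE(off);
      if (off + 4 + n > bin.length) throw new Error('truncated header');
      off += 4 + n;
      return bin.toString('ascii', off - n, off);
    };
    const cipher = readString(); // "none" means the key is stored in the clear
    const kdf = readString();    // e.g. "bcrypt" for passphrase-protected keys
    return { format: 'openssh', encrypted: cipher !== 'none', cipher, kdf };
  }
  if (label === 'ENCRYPTED PRIVATE KEY') return { format: 'pkcs8', encrypted: true };
  if (label === 'PRIVATE KEY') return { format: 'pkcs8', encrypted: false };
  if (label === 'RSA PRIVATE KEY') {
    // Legacy PEM flags encryption with a Proc-Type header before the base64.
    return { format: 'pkcs1', encrypted: /^Proc-Type: 4,ENCRYPTED/m.test(body) };
  }
  throw new Error(`unrecognised key label: ${label}`);
}

// Constructed sample: header fields only, with no key material behind them.
function sampleOpenSSH(cipher, kdf) {
  const str = (s) => {
    const b = Buffer.alloc(4 + s.length);
    b.writeUInt32BE(s.length);
    b.write(s, 4, 'ascii');
    return b;
  };
  const b64 = Buffer.concat([MAGIC, str(cipher), str(kdf)]).toString('base64');
  return `-----BEGIN OPENSSH PRIVATE KEY-----\n${b64}\n-----END OPENSSH PRIVATE KEY-----\n`;
}

console.log(keyProtection(sampleOpenSSH('none', 'none')));
console.log(keyProtection(sampleOpenSSH('aes256-ctr', 'bcrypt')));
```

The private-key prefix shown in the working example, b3BlbnNzaC1rZXktdjEAAAAABG5vbmU..., decodes to the cipher name none, which is what a key saved without a passphrase looks like.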
When to reach for this tool
- You are on a machine where you do not want to install openssh-client (Chromebook, locked-down corp laptop) and need a key pair for one-off access.
- You are teaching SSH key concepts and want a visible end-to-end demo where the generated key can be saved and used.
- You are pre-generating keys for a fleet of servers and need OpenSSH and PEM format outputs from the same key material.
- You inherited a system with no working ssh-keygen and need a quick key for emergency access — generate, save, chmod 600.
What this tool will not do
- It will not enroll your key with GitHub/GitLab/Bitbucket automatically. Copy the public key from the output and paste it into the host's SSH key settings page yourself.
- It will not generate keys backed by hardware tokens. ed25519-sk requires the actual hardware enclave; only ssh-keygen on a machine with the token connected can create it.
- It will not check key strength against compromised-key databases. The keys are freshly generated by Web Crypto getRandomValues — assume they are unique unless your browser's RNG is broken (it is not).
The private key is generated by your browser's Web Crypto API and rendered locally. It is not transmitted, logged, or stored by this page. Download it, then chmod 600 the file. If you suspect any web tool has logged a private key, regenerate — never paste an existing private key into a webpage.
Frequently asked questions
Should I rotate SSH keys periodically?
Yes, but driven by events rather than calendars. Rotate when: a device with the key is lost or sold, you change roles, you suspect the key was exposed, or a key has been on the same hardware for 5+ years. Calendar rotation without an event is theater — the cost is annoyance, the benefit is small.
Why does my Ed25519 key get rejected by the server?
The usual cause is an old OpenSSH server (pre-6.5, so pre-2014), although almost no actively maintained system runs a version that old. Another possibility is that the server's sshd_config restricts PubkeyAcceptedKeyTypes (renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5); some hardened configs allow only specific algorithms, in which case add ssh-ed25519 to the list.
Can I use the same key for GitHub, GitLab, and my own servers?
Technically yes, the cryptography does not care. Operationally, separate keys per major trust boundary reduce blast radius if one key is compromised. A common scheme: one personal key for self-hosted dev VMs, one work key for company GitHub/GitLab, one ops key in a hardware token for production access.
What is the difference between PEM and OpenSSH key formats?
PEM (PKCS#1 / PKCS#8) is the historical format, used by many older tools, openssl, and Java keystores. OpenSSH format (header "BEGIN OPENSSH PRIVATE KEY") is OpenSSH-specific, supports passphrase-protected keys with modern KDFs, and is the default for ssh-keygen since 7.8 (2018). Always use OpenSSH format unless a specific tool requires PEM.
My private key has -----BEGIN RSA PRIVATE KEY----- — is that wrong?
No, that is PKCS#1 PEM for an RSA key, valid for OpenSSH. -----BEGIN PRIVATE KEY----- (without RSA) is PKCS#8, also valid. -----BEGIN OPENSSH PRIVATE KEY----- is the newer OpenSSH format. All three work with ssh-add and ssh; some legacy tools accept only one.
How do I check the fingerprint of a key I just generated?
ssh-keygen -lf path/to/key.pub prints the fingerprint (SHA256-based by default). Compare with the fingerprint shown when a server prompts you about a new host key. For sharing your own key fingerprint with a teammate (e.g., for verification), use the SHA256 form, not the older MD5 fingerprints.
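The public key line from the working example and the fingerprint described above, as an added example (not this tool's code): it builds the ssh-ed25519 line from raw key bytes, then validates a pasted line and derives the SHA256 fingerprint. It assumes Node.js with the built-in crypto module rather than the browser's Web Crypto API, and the function names are illustrative.

```javascript
// Added example, not the tool's own code. Function names are illustrative.
const nodeCrypto = require('node:crypto');

// SSH wire-format "string": 4-byte big-endian length, then the bytes.
function sshString(buf) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(buf.length);
  return Buffer.concat([len, buf]);
}

// Encode a raw 32-byte Ed25519 public key as an authorized_keys line.
function encodePublicKeyLine(rawKey, comment) {
  if (rawKey.length !== 32) throw new Error('Ed25519 public keys are 32 bytes');
  const blob = Buffer.concat([sshString(Buffer.from('ssh-ed25519')), sshString(rawKey)]);
  return `ssh-ed25519 ${blob.toString('base64')} ${comment}`;
}

// Validate a pasted public key line and compute its SHA256 fingerprint.
function fingerprint(line) {
  const [type, b64 = '', ...rest] = line.trim().split(/\s+/);
  const blob = Buffer.from(b64, 'base64');
  // Node's decoder skips invalid characters, so insist on a clean round trip.
  if (blob.toString('base64') !== b64) throw new Error('key field is not valid base64');
  let off = 0;
  const readString = () => {
    if (off + 4 > blob.length) throw new Error('truncated key blob');
    const n = blob.readUInt32BE(off);
    if (off + 4 + n > blob.length) throw new Error('truncated key blob');
    off += 4 + n;
    return blob.subarray(off - n, off);
  };
  if (readString().toString('ascii') !== type) throw new Error('type label does not match key blob');
  if (type === 'ssh-ed25519' && (readString().length !== 32 || off !== blob.length)) {
    throw new Error('malformed Ed25519 key blob');
  }
  const digest = nodeCrypto.createHash('sha256').update(blob).digest('base64');
  return { type, comment: rest.join(' '), sha256: `SHA256:${digest.replace(/=+$/, '')}` };
}

// Demo with a freshly generated key; the comment is just a label.
const { publicKey } = nodeCrypto.generateKeyPairSync('ed25519');
// An Ed25519 SPKI DER is a fixed prefix followed by the 32 raw key bytes.
const raw = publicKey.export({ type: 'spki', format: 'der' }).subarray(-32);
const demoLine = encodePublicKeyLine(raw, 'alice@laptop');
console.log(demoLine);
console.log(fingerprint(demoLine).sha256);
```

The fixed 19-byte header is why every Ed25519 public key starts with AAAAC3NzaC1lZDI1NTE5AAAAI, and the 51-byte blob is what encodes to 68 base64 characters.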
Last updated · E-Utils editorial team