SSH Key Generator

Generate secure SSH key pairs instantly. Support for RSA, Ed25519, and ECDSA algorithms. Client-side generation ensures your keys never leave your browser.

Generated
Algorithm
ED25519

Key Configuration

Choose your SSH key algorithm and settings.

Relevant tools

Browse all →

Quick links to related security tools.

GUID Generator
Generate unique GUIDs
Hash Generator
MD5, SHA hashes instantly
Base64 Encode Decode
Base64 conversion tool
Password Generator
Create secure passwords
UUID Generator
Generate UUIDs instantly
JWT Decoder
Decode JWT tokens

Understanding SSH Key Algorithms

SSH keys are cryptographic key pairs used for secure authentication to remote servers. Unlike passwords, keys provide much stronger security and enable passwordless authentication. The public key is shared with servers, while the private key remains secure on your client machine.

Different algorithms offer different trade-offs between security, performance, and compatibility. RFC 4253 defines the SSH protocol, while modern implementations support multiple key formats for different use cases.

The security of SSH keys depends on both the algorithm strength and key size. Modern algorithms like Ed25519 provide excellent security with smaller key sizes and faster operations, while traditional RSA requires larger keys for equivalent security. Understanding these differences helps you choose the right key for your security needs.

RSA vs Ed25519 vs ECDSA: Security Comparison

Choosing the right SSH key algorithm is crucial for security and performance:

  • RSA (Rivest-Shamir-Adleman): The oldest and most widely supported algorithm. RSA 2048-bit provides baseline security, while 4096-bit offers high security but with slower performance. According to NIST recommendations, RSA 3072-bit provides security equivalent to 128-bit symmetric keys.
  • Ed25519 (Edwards-curve Digital Signature Algorithm): Modern elliptic curve algorithm offering 128-bit security with 256-bit keys. Provides faster signature generation and verification compared to RSA. Recommended by OpenSSH for new deployments due to excellent security and performance characteristics.
  • ECDSA (Elliptic Curve Digital Signature Algorithm): Uses elliptic curves for cryptographic operations. P-256 provides 128-bit security, P-384 provides 192-bit security, and P-521 provides 256-bit security. Good balance of security and performance, widely supported by modern systems.

SSH Key Formats: OpenSSH vs PEM

SSH keys can be represented in different formats, each serving specific purposes:

  • OpenSSH Format: The native format for SSH public keys, starting with algorithm identifier (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256). Used in authorized_keys files on servers. Compact and contains only the essential key data with optional comment field for identification.
  • PEM Format: Privacy-Enhanced Mail format, standardized for X.509 certificates and private keys. Contains base64-encoded DER data with BEGIN/END headers. Used for storing private keys and by many cryptographic tools and libraries.
  • JSON Format: Structured format that includes both keys and metadata in a machine-readable format. Useful for programmatic processing and API integrations where structured data is preferred.

Best Practices for SSH Key Security

  • Use strong passphrases: Protect your private key with a strong passphrase. This adds an extra layer of security if the key file is compromised. Use a passphrase with at least 12 characters including uppercase, lowercase, numbers, and symbols.
  • Proper file permissions: Set private key files to 600 permissions (read/write for owner only) and public keys to 644 (read/write for owner, read for others). On Unix systems: `chmod 600 ~/.ssh/id_rsa` and `chmod 644 ~/.ssh/id_rsa.pub`.
  • Regular key rotation: Replace SSH keys periodically, especially if you suspect compromise or when team members leave. Many organizations implement quarterly or annual key rotation policies.
  • Use hardware security keys: For maximum security, consider using hardware security keys (YubiKey, SoloKeys) that store private keys securely and never expose them to the operating system.
  • Limit key usage: Use different keys for different environments (development, staging, production) and implement principle of least privilege by restricting what each key can access.

Client-Side Security and Privacy

Our SSH key generator prioritizes your security and privacy through several important measures:

  • Browser-based generation: All cryptographic operations happen entirely in your browser using the Web Crypto API. No keys or personal data are transmitted to any server, eliminating network-based attack vectors.
  • Cryptographically secure random: Uses the browser's built-in cryptographically secure random number generator (CSPRNG) which meets W3C Web Crypto standards for generating unpredictable key material.
  • No storage or tracking: Generated keys are not stored, cached, or tracked in any way. Once you close the browser tab, all keys are permanently gone unless you've saved them locally.
  • Open source transparency: The generation logic follows established cryptographic standards and best practices, making the process transparent and auditable.

Frequently Asked Questions

What's the difference between RSA, Ed25519, and ECDSA keys?

RSA is the traditional algorithm using large prime numbers, compatible with all systems but slower and requires larger keys. Ed25519 is modern, faster, and provides better security with smaller keys. ECDSA uses elliptic curves and is widely supported, offering good performance and security. Ed25519 is recommended for new deployments due to its speed and security properties.

Which key type should I use for SSH?

For new deployments, Ed25519 is recommended as it's modern, fast, and secure. For compatibility with older systems, RSA 4096-bit keys work well. ECDSA is a good middle ground, especially P-256 for balance of security and performance. Many modern systems support all three types.

Are these SSH keys secure?

Keys are generated entirely in your browser using the Web Crypto API, which provides cryptographically secure random number generation. No keys are transmitted to any server. The security depends on keeping your private key safe and protected with a passphrase when possible.

What's the difference between OpenSSH and PEM formats?

OpenSSH format is the native format for SSH public keys, starting with 'ssh-rsa', 'ssh-ed25519', etc. PEM format is the standard for X.509 certificates and private keys, with '-----BEGIN' headers. OpenSSH is typically used for authorized_keys files, while PEM is used for storing private keys.

How should I protect my SSH private key?

Always keep your private key secure: 1) Set file permissions to 600 (read/write for owner only), 2) Use a strong passphrase when generating the key, 3) Never share the private key, 4) Consider using hardware security keys for additional protection, 5) Regularly rotate keys if compromised.

Security and Methodology

This SSH key generator uses the Web Crypto API to create cryptographically secure key pairs entirely within your browser. The implementation follows RFC 4253 standards and uses industry-accepted algorithms. No keys, email addresses, or any personal data are transmitted to or stored on any server. For production environments, always verify keys through additional security measures and consider using hardware security modules for enhanced protection. The generated keys are suitable for most SSH implementations but should be tested with your specific systems before deployment.

Tool Vault — SSH Key Generator 2026. Secure, private, and client-side generation.