Linux & PowerShell: Creating Key Pair

In this section, we will explore the process of creating key pairs using the ssh-keygen tool in Windows through PowerShell. The procedure for creating key pairs in Linux via the terminal will be similar.

Recommendations for Creating Key Pairs

When creating a key pair, it's recommended to protect it with a passphrase. This adds an extra layer of security since each use of the key will require the passphrase. If the private key falls into the wrong hands, having a passphrase significantly complicates its unauthorized use. When choosing a passphrase, follow the same principles as when creating standard passwords: ensure sufficient length and complexity.

Prerequisites

1. An OpenSSH client must be installed on your device. The installation process for OpenSSH Client is described in the section "Installing OpenSSH Client".

2. For Linux-based systems, access to a terminal is required, and for Windows-based systems, PowerShell must be available. Instructions for installing PowerShell can be found in the guide "Installing PowerShell on Windows".

Process for Creating Key Pairs

1. Open the terminal on Linux or PowerShell on Windows.

2. Enter the command:

		
ssh-keygen


After initiating the command, you will be prompted to enter the path for the key pair:

		
PS C:\WINDOWS\system32> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\username/.ssh/id_rsa):


3. Specify the path and name for the key pair or press Enter to save the key pair with the default name in the default directory.

If the key pair already exists at the specified path, the following message and request will appear:

		
C:\Users\username/.ssh/id_rsa already exists. Overwrite (y/n)?

Choose an option by pressing the corresponding key on the keyboard:

  • y - The existing key pair will be overwritten.
    This is irreversible: the old private key is destroyed, and you can no longer authenticate to any server that still trusts its public key.

  • n - The key pair generation will be canceled.
    In this case, you will need to run the ssh-keygen command again, specifying a different path or name for the key pair to avoid overwriting the existing one.

You will then be prompted to enter a passphrase:

		
Enter passphrase (empty for no passphrase):


4. Enter a passphrase for the key pair or leave it blank if you do not want to use a passphrase, then press Enter.
If you entered a passphrase, you will be prompted to confirm the passphrase:

		
Enter same passphrase again:

Re-enter the passphrase and press Enter.

If the passphrases do not match, you will be prompted to enter them again:

		
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):

Once all data is entered correctly, key pair generation will begin.


5. Upon successful generation of the key pair, you will see:

		
Your identification has been saved in C:\Users\username/.ssh/id_rsa.
Your public key has been saved in C:\Users\username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PU+mat9z2eAl2GarVUy/t0jGs9Hn1AsXtdYbOZP3/sA fas\username@compname
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| o|
| . o.B|
| Soo oo X*|
| *o.O.%|
| . ..@E%*|
| .. .+.%=*|
| .... o* o=|
+----[SHA256]-----+
PS C:\WINDOWS\system32>

The specified path will contain two files named as you specified:

  • A file with the extension *.pub (default id_rsa.pub) - the public key, which you need to send to the virtual machine or server you want to manage.

  • A file without an extension (default id_rsa) - the private key, the confidentiality of which you need to maintain.

After generating the key pair, you can copy the public key to the server as described in the section "Copying Public Key".
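As an added example that is not part of the original guide, the whole procedure above run as a PowerShell script, with the checks the interactive prompts otherwise provide; the key file name id_ed25519_example and the comment format are assumptions.

```powershell
# Added example, not from the original guide: run the key-creation steps
# non-interactively, keeping the safeguards the prompts normally give you.
# Assumed names: the key file id_ed25519_example and the comment format.
$KeyDir  = Join-Path $HOME '.ssh'                    # ssh-keygen's default location
$KeyPath = Join-Path $KeyDir 'id_ed25519_example'    # hypothetical key name
$Comment = "$env:USERNAME@$env:COMPUTERNAME"         # who and where this key belongs to

# ssh-keygen does not create the target directory itself.
if (-not (Test-Path -LiteralPath $KeyDir)) {
    New-Item -ItemType Directory -Path $KeyDir | Out-Null
}

# Never answer 'y' to the overwrite prompt by accident: the old private key
# would be gone and every server trusting its public key unreachable with it.
if (Test-Path -LiteralPath $KeyPath) {
    throw "A key already exists at $KeyPath; pick another name with -f."
}

# -t ed25519 instead of the RSA default. The passphrase is still entered
# interactively (no -N), so it never appears in the command line or history.
ssh-keygen -t ed25519 -f $KeyPath -C $Comment
if ($LASTEXITCODE -ne 0) { throw "ssh-keygen failed with exit code $LASTEXITCODE" }

# The OpenSSH client on Windows rejects a private key that other accounts can
# read ("Permissions ... are too open"). Keys under the user profile usually
# inherit a safe ACL; keys on other drives may not, so strip inherited entries
# and grant only the owner full control.
icacls $KeyPath /inheritance:r /grant:r "${env:USERNAME}:(F)" | Out-Null

# Record the fingerprint; compare it on the server after copying the .pub file.
ssh-keygen -l -f "$KeyPath.pub"
```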

Additional Information

The ssh-keygen command offers a wide range of configurable parameters and options. You can find detailed information about them in the "SSH-keygen Command Usage Guide".

-t: Specifies the type of key. By default, a key pair using the RSA algorithm is generated. You can specify other key types such as ecdsa, ecdsa-sk, ed25519, ed25519-sk or rsa; the -sk variants are for keys held on a FIDO/U2F hardware security key.

For example:

		
ssh-keygen -t ed25519

This starts the generation of a key pair using the Ed25519 algorithm.


-b: Sets the key length in bits.
By default, a 3072-bit key pair is generated. For RSA, the recommended key size is 2048 or 4096 bits. This option is often used in conjunction with the -t option; it applies to RSA keys (and selects the curve size for ECDSA), while Ed25519 keys have a fixed length and ignore -b.

For example:

		
ssh-keygen -t rsa -b 4096

This starts the generation of a key pair using the RSA algorithm with a length of 4096 bits.

-C: Adds a comment to the key. Comments can be useful for identifying the key if you have many.

For example:

		
ssh-keygen -t rsa -C [email protected]

This starts the generation of a key pair using the RSA algorithm with the comment "[email protected]".

-f: Specifies the path and name of the key pair. 

During generation, you can specify the path and name yourself, but you can also specify them as arguments to the -f option. By default, keys are saved in the user's directory under ~/.ssh/ with the names id_rsa for the private key and id_rsa.pub for the public key. The directory where you want to save the key pair must exist, otherwise the key pair will not be generated.

For example:

		
ssh-keygen -t rsa -f D:/test/mykey

This starts the generation of a key pair using the RSA algorithm; the key pair will be named mykey and located in the directory D:/test/.

-N: Sets a new passphrase for the key. 

Given at generation time, -N sets the passphrase without prompting; -N "" (an empty string) creates a key without a passphrase. It is also used together with -p, which changes the passphrase of an existing private key. The old passphrase is supplied with -P (capital P); if -P is omitted, ssh-keygen prompts for it when the command runs.

For example:

		
ssh-keygen -p -f ~/.ssh/existingkey -P old_passphrase -N new_passphrase

This changes the passphrase of the private key existingkey, located in the user's .ssh directory, to new_passphrase. The user will not be asked for the old passphrase during the process. Passphrases given on the command line can end up in the shell history, so for interactive use omit -P and -N and let ssh-keygen prompt for both.

-y: Outputs the public key based on your private key. 

This can be useful if you have the private key, but the public key is lost or damaged. If the private key is protected with a passphrase, you will be prompted for it.

For example:

		
ssh-keygen -y -f c:\users\maxwel\.ssh\mykey

This generates the public key from the private key mykey, located under c:\users\maxwel\.ssh.
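As an added example that is not part of the original guide, restoring a lost .pub file with -y and checking that the result is usable; the private key path mykey is an assumption.

```powershell
# Added example, not from the original guide: rebuild a lost .pub file
# from the private key and verify that OpenSSH can read the result.
# The private key path below is hypothetical; adjust it to your own.
$Private = Join-Path $HOME '.ssh\mykey'
$Public  = "$Private.pub"

# -y prints one "type base64 [comment]" line. If the key has a passphrase,
# ssh-keygen prompts for it. A failure here means the private key is unusable.
$PubLine = ssh-keygen -y -f $Private
if ($LASTEXITCODE -ne 0 -or -not $PubLine) {
    throw "Could not derive a public key from $Private"
}

# Do not use '>' here: Windows PowerShell 5.1 writes redirected output as
# UTF-16 with a BOM, which sshd cannot parse in authorized_keys. Write ASCII.
Set-Content -LiteralPath $Public -Value $PubLine -Encoding Ascii

# Sanity check: ssh-keygen must parse the file and report its fingerprint.
$Fingerprint = ssh-keygen -l -f $Public
if ($LASTEXITCODE -ne 0) { throw "$Public is not a valid public key file" }
"Restored $Public`n$Fingerprint"
```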