Multi-platformsecurityTested on real hardware

Generate an SSH key pair (Linux / macOS / Windows)

Create an Ed25519 SSH key pair and copy the public key to a remote server. Works identically on Linux, macOS, and Windows 10+ with the built-in OpenSSH client.

Shellbash
Updated
Script
bash
# Works on Linux, macOS, and Windows PowerShell (OpenSSH built-in since Windows 10 1809)

# Generate an Ed25519 key pair (recommended — compact, fast, and secure)
# Replace the email with your own — it's just a label on the public key
ssh-keygen -t ed25519 -C "you@example.com"

# Accept the default file location (~/.ssh/id_ed25519) by pressing Enter
# Enter a strong passphrase when prompted (highly recommended)

# Display your public key — this is what you share/copy to servers
cat ~/.ssh/id_ed25519.pub

# Copy the public key to a remote server (Linux / macOS)
ssh-copy-id -i ~/.ssh/id_ed25519.pub youruser@server-ip

What this does

Generates an Ed25519 SSH key pair:

  • Private key (~/.ssh/id_ed25519) — stays on your machine, never shared
  • Public key (~/.ssh/id_ed25519.pub) — copied to servers you want to access

Once the public key is on a server, you can authenticate without a password. Ed25519 is the recommended algorithm — it is faster than RSA, produces shorter keys, and is considered more secure.

Prerequisites

  • Linux, macOS, or Windows 10 1809+ (OpenSSH client is built-in on all three)
  • For Windows: verify with ssh -V in PowerShell — you should see OpenSSH_...

Key file locations

OS Private key Public key
Linux / macOS ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub
Windows C:\Users\You\.ssh\id_ed25519 C:\Users\You\.ssh\id_ed25519.pub

If you already have a key at the default path, press Enter at the filename prompt to keep the existing key, or specify a different name (e.g. ~/.ssh/id_homelab).

Copy the public key to a server

Linux / macOS:

ssh-copy-id -i ~/.ssh/id_ed25519.pub youruser@server-ip

Windows (PowerShell — ssh-copy-id is not built in):

$pubkey = Get-Content "$env:USERPROFILE\.ssh\id_ed25519.pub"
ssh youruser@server-ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo '$pubkey' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Use a passphrase — and the SSH agent

A passphrase encrypts the private key on disk. Use the SSH agent so you only unlock it once per session:

Linux / macOS:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Add to ~/.zshrc or ~/.bashrc to auto-start the agent at login.

Windows (PowerShell, run as Administrator — once):

Set-Service -Name ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add "$env:USERPROFILE\.ssh\id_ed25519"

Multiple keys for different servers

Specify which key to use per host in ~/.ssh/config:

Host proxmox-01
    HostName 192.168.1.10
    User root
    IdentityFile ~/.ssh/id_homelab

Host github.com
    IdentityFile ~/.ssh/id_github

RSA fallback (legacy systems only)

Some older servers or appliances don’t support Ed25519. Use RSA 4096-bit as a fallback:

ssh-keygen -t rsa -b 4096 -C "you@example.com"

Notes

  • The public key is safe to share — it is mathematically useless without the matching private key
  • Never copy or share id_ed25519 (no .pub extension) — that is the private key
  • Back up ~/.ssh/ somewhere secure; losing the private key means regenerating and re-copying the public key to every server
  • Pair with the SSH hardening playbook to disable password auth once key login is confirmed