Generate an SSH key pair (Linux / macOS / Windows)
Create an Ed25519 SSH key pair and copy the public key to a remote server. Works identically on Linux, macOS, and Windows 10+ with the built-in OpenSSH client.
bash# Works on Linux, macOS, and Windows PowerShell (OpenSSH built-in since Windows 10 1809)
# Generate an Ed25519 key pair (recommended — compact, fast, and secure)
# Replace the email with your own — it's just a label on the public key
ssh-keygen -t ed25519 -C "you@example.com"
# Accept the default file location (~/.ssh/id_ed25519) by pressing Enter
# Enter a strong passphrase when prompted (highly recommended)
# Display your public key — this is what you share/copy to servers
cat ~/.ssh/id_ed25519.pub
# Copy the public key to a remote server (Linux / macOS)
ssh-copy-id -i ~/.ssh/id_ed25519.pub youruser@server-ip
What this does
Generates an Ed25519 SSH key pair:
- Private key (
~/.ssh/id_ed25519) — stays on your machine, never shared - Public key (
~/.ssh/id_ed25519.pub) — copied to servers you want to access
Once the public key is on a server, you can authenticate without a password. Ed25519 is the recommended algorithm — it is faster than RSA, produces shorter keys, and is considered more secure.
Prerequisites
- Linux, macOS, or Windows 10 1809+ (OpenSSH client is built-in on all three)
- For Windows: verify with
ssh -Vin PowerShell — you should seeOpenSSH_...
Key file locations
| OS | Private key | Public key |
|---|---|---|
| Linux / macOS | ~/.ssh/id_ed25519 |
~/.ssh/id_ed25519.pub |
| Windows | C:\Users\You\.ssh\id_ed25519 |
C:\Users\You\.ssh\id_ed25519.pub |
If you already have a key at the default path, press Enter at the filename prompt to keep the existing key, or specify a different name (e.g. ~/.ssh/id_homelab).
Copy the public key to a server
Linux / macOS:
ssh-copy-id -i ~/.ssh/id_ed25519.pub youruser@server-ip
Windows (PowerShell — ssh-copy-id is not built in):
$pubkey = Get-Content "$env:USERPROFILE\.ssh\id_ed25519.pub"
ssh youruser@server-ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo '$pubkey' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Use a passphrase — and the SSH agent
A passphrase encrypts the private key on disk. Use the SSH agent so you only unlock it once per session:
Linux / macOS:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
Add to ~/.zshrc or ~/.bashrc to auto-start the agent at login.
Windows (PowerShell, run as Administrator — once):
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add "$env:USERPROFILE\.ssh\id_ed25519"
Multiple keys for different servers
Specify which key to use per host in ~/.ssh/config:
Host proxmox-01
HostName 192.168.1.10
User root
IdentityFile ~/.ssh/id_homelab
Host github.com
IdentityFile ~/.ssh/id_github
RSA fallback (legacy systems only)
Some older servers or appliances don’t support Ed25519. Use RSA 4096-bit as a fallback:
ssh-keygen -t rsa -b 4096 -C "you@example.com"
Notes
- The public key is safe to share — it is mathematically useless without the matching private key
- Never copy or share
id_ed25519(no.pubextension) — that is the private key - Back up
~/.ssh/somewhere secure; losing the private key means regenerating and re-copying the public key to every server - Pair with the SSH hardening playbook to disable password auth once key login is confirmed