SSH Key Generator - Ed25519, RSA, ECDSA

Generate Ed25519, ECDSA (P-256/384/521) and RSA (2048/3072/4096) SSH keys in your browser. Optional passphrase encryption; export OpenSSH, PEM and PuTTY .ppk. 100% client-side — keys never leave your device.

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.

Generate an SSH Key Pair in Your Browser

This SSH key generator creates a public/private key pair entirely in your browser using the Web Crypto API (and an in-browser library for RSA). Your private key is generated locally, never transmitted to a server, never logged, and never stored. When you close or refresh the page, the key is gone — there is nothing for an attacker to intercept.

Key Types: Ed25519, ECDSA, and RSA

Ed25519 (recommended)

Ed25519 is the modern default for SSH. It produces a small, fast key with 128-bit security based on the Curve25519 elliptic curve, and it is resistant to many implementation pitfalls that affect RSA and ECDSA. Use Ed25519 for all new servers, Git hosting (GitHub, GitLab, Bitbucket), and CI/CD systems unless you have a specific compatibility requirement.

ECDSA (P-256, P-384, P-521)

ECDSA keys offer strong security with compact key sizes and are widely supported. P-256 is suitable for most uses; P-384 and P-521 are chosen in government and enterprise environments that mandate higher curve strengths. ECDSA depends on a high-quality random number generator, which this tool provides via the browser’s cryptographic CSPRNG.

RSA (2048, 3072, 4096)

RSA remains the most universally compatible SSH key type and is the safest choice for legacy systems. 2048 bits is the minimum acceptable size today; 3072 bits balances security and performance; 4096 bits is used for high-security or long-lived keys. RSA keys are larger and slower than Ed25519 but work everywhere.

Export Formats

  • OpenSSH — the native -----BEGIN OPENSSH PRIVATE KEY----- format used by ~/.ssh/id_ed25519 and friends, plus the matching public key line.
  • PEM (PKCS#8) — the standard -----BEGIN PRIVATE KEY----- / -----BEGIN ENCRYPTED PRIVATE KEY----- container, readable by OpenSSL, OpenSSH 7.8+, and most libraries.
  • PuTTY .ppk — the PuTTY private key (v3) format for Windows users running PuTTY, Pageant, or WinSCP.
  • Public key / authorized_keys line — the single-line public key you paste into ~/.ssh/authorized_keys on a server to grant access.

Passphrase Encryption

Adding a passphrase encrypts your private key with AES-256 so it cannot be used by anyone who obtains the file without also knowing the passphrase. This is strongly recommended for keys stored on laptops or shared machines. The passphrase is applied locally in your browser — it is never sent anywhere.
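
An added example (not the tool's own code), written for Node.js: it reports whether an exported private key file is passphrase-protected in each of the three formats listed above, using the cipher name in the OpenSSH container, the PEM label for PKCS#8, and the Encryption header of a .ppk. The names classifyPrivateKey and opensshHeader and the sample inputs are constructed for illustration.

```javascript
const OPENSSH_MAGIC = Buffer.from('openssh-key-v1\0', 'latin1');

// Return { format, encrypted, cipher } for the text of a private key file.
function classifyPrivateKey(text) {
  if (text.includes('-----BEGIN OPENSSH PRIVATE KEY-----')) {
    const b64 = text.replace(/-----[A-Z ]+-----/g, '').replace(/\s+/g, '');
    const buf = Buffer.from(b64, 'base64');
    if (!buf.subarray(0, OPENSSH_MAGIC.length).equals(OPENSSH_MAGIC)) {
      throw new Error('missing openssh-key-v1 magic');
    }
    // The first field after the magic is the length-prefixed cipher name;
    // "none" means the key material is stored unencrypted.
    const off = OPENSSH_MAGIC.length;
    const len = buf.readUInt32BE(off);
    if (off + 4 + len > buf.length) throw new Error('truncated cipher name');
    const cipher = buf.toString('ascii', off + 4, off + 4 + len);
    return { format: 'openssh', encrypted: cipher !== 'none', cipher };
  }
  // PKCS#8 announces encryption in the PEM label itself. The cipher sits in
  // the ASN.1 parameters, which this example does not parse.
  if (text.includes('-----BEGIN ENCRYPTED PRIVATE KEY-----')) {
    return { format: 'pkcs8', encrypted: true, cipher: null };
  }
  if (text.includes('-----BEGIN PRIVATE KEY-----')) {
    return { format: 'pkcs8', encrypted: false, cipher: 'none' };
  }
  // PuTTY .ppk is a text format with an "Encryption:" header line.
  const ppk = /^PuTTY-User-Key-File-\d+:/m.test(text) && text.match(/^Encryption:\s*(\S+)/m);
  if (ppk) return { format: 'ppk', encrypted: ppk[1] !== 'none', cipher: ppk[1] };
  throw new Error('unrecognized private key format');
}

// Constructed inputs: header-only fragments that contain no key material.
function opensshHeader(cipher) {
  const name = Buffer.from(cipher, 'ascii');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(name.length);
  const b64 = Buffer.concat([OPENSSH_MAGIC, len, name]).toString('base64');
  return `-----BEGIN OPENSSH PRIVATE KEY-----\n${b64}\n-----END OPENSSH PRIVATE KEY-----\n`;
}
const SAMPLE_PPK = 'PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\nComment: demo\n';

console.log(classifyPrivateKey(opensshHeader('aes256-ctr')), classifyPrivateKey(SAMPLE_PPK));
```

Run over a directory of key files, a result with encrypted set to false marks a key that is usable by anyone who copies the file.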

Fingerprints and Randomart

Every generated key includes its SHA-256 fingerprint (the modern default shown by OpenSSH), a legacy MD5 fingerprint, and the ASCII “randomart” visualization. Fingerprints let you verify you are connecting to the right key, and randomart provides a quick visual sanity check that is hard to spoof at a glance.
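
An added example (not the tool's own code), written for Node.js because Web Crypto has no MD5: it validates a public key line and derives the SHA-256 and legacy MD5 fingerprints in the form OpenSSH prints them. The names fingerprintPublicKey, readString and sshString and the sample key are constructed for illustration, and the line is assumed to carry no authorized_keys option prefix.

```javascript
const { createHash } = require('node:crypto');

// Read one SSH wire-format string: uint32 big-endian length, then the bytes.
function readString(buf, off) {
  const len = buf.readUInt32BE(off); // throws RangeError if the length field is cut off
  if (off + 4 + len > buf.length) throw new Error('truncated field');
  return { value: buf.subarray(off + 4, off + 4 + len), next: off + 4 + len };
}

// Validate "type base64 [comment]" and return OpenSSH-style fingerprints.
function fingerprintPublicKey(line) {
  const [declaredType, b64, ...comment] = line.trim().split(/\s+/);
  if (!b64 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) throw new Error('bad base64 blob');
  const blob = Buffer.from(b64, 'base64');
  const type = readString(blob, 0);
  // The algorithm name is repeated inside the blob; a mismatch means the
  // line was edited or mangled in transit.
  if (type.value.toString('ascii') !== declaredType) throw new Error('key type mismatch');
  if (declaredType === 'ssh-ed25519') {
    const key = readString(blob, type.next);
    if (key.value.length !== 32 || key.next !== blob.length) {
      throw new Error('ssh-ed25519 key must be exactly 32 bytes');
    }
  }
  // Both fingerprints hash the decoded blob, not the text line.
  const sha256 = createHash('sha256').update(blob).digest('base64').replace(/=+$/, '');
  const md5 = createHash('md5').update(blob).digest('hex').match(/../g).join(':');
  return { type: declaredType, comment: comment.join(' '),
           sha256: 'SHA256:' + sha256, md5: 'MD5:' + md5 };
}

// Constructed sample: 32 bytes of 0x07 stand in for a real public key.
function sshString(data) {
  const body = Buffer.from(data);
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length);
  return Buffer.concat([len, body]);
}
const SAMPLE_BLOB = Buffer.concat([sshString('ssh-ed25519'), sshString(Buffer.alloc(32, 7))]);
const SAMPLE_LINE = `ssh-ed25519 ${SAMPLE_BLOB.toString('base64')} demo@example`;

console.log(fingerprintPublicKey(SAMPLE_LINE));
```

Comparing the SHA256 value with the one the generator displayed, before appending the line to authorized_keys, confirms the key was not altered between download and install.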

How to Use Your New Key

  1. Generate and download the private key (e.g. id_ed25519) and public key (id_ed25519.pub).
  2. Save the private key to ~/.ssh/ and run chmod 600 ~/.ssh/id_ed25519.
  3. Append the public key line to ~/.ssh/authorized_keys on the server, or paste it into your Git host’s SSH keys page.
  4. Connect with ssh -i ~/.ssh/id_ed25519 user@host.

What Is SSH Key Generation

SSH key generation creates a cryptographic key pair used for secure authentication to remote servers, Git repositories, and other SSH-enabled services. Unlike password-based authentication—which is vulnerable to brute-force attacks, credential stuffing, and phishing—SSH key authentication uses asymmetric cryptography to prove identity without transmitting secrets over the network.

An SSH key pair consists of a private key (kept secret on your local machine) and a public key (placed on remote servers you want to access). When you connect, the server challenges you to prove you hold the private key without ever revealing it. This challenge-response mechanism is both more secure and more convenient than passwords, making SSH keys the standard for server administration, CI/CD pipelines, and developer workflows.

How SSH Key Authentication Works

The SSH key authentication process follows a challenge-response protocol:

  1. Client initiates connection — Your SSH client connects to the server and presents your public key fingerprint
  2. Server checks authorized_keys — The server looks for your public key in ~/.ssh/authorized_keys
  3. Server sends challenge — If found, the server encrypts a random challenge with your public key
  4. Client proves identity — Your client decrypts the challenge with your private key and sends back a hash
  5. Server verifies — The server confirms the response matches, granting access

Key algorithm comparison:

| Algorithm | Key Size | Security Level | Speed | Recommendation |
| --- | --- | --- | --- | --- |
| Ed25519 | 256-bit | Very high | Fastest | Recommended for most use cases |
| ECDSA | 256/384/521-bit | High | Fast | Good alternative; P-256 most common |
| RSA | 2048-4096-bit | High (at 4096) | Slower | Use 4096-bit if Ed25519 unsupported |
| DSA | 1024-bit | Deprecated | N/A | Never use; removed in OpenSSH 7.0 |

Common Use Cases

  • Server administration: Authenticate to Linux/Unix servers without passwords
  • Git operations: Push and pull from GitHub, GitLab, and Bitbucket repositories
  • CI/CD pipelines: Allow automated systems to deploy code to production servers securely
  • SFTP/SCP transfers: Secure file transfers using key-based authentication
  • Jump host access: Chain SSH connections through bastion hosts for accessing internal networks

Best Practices

  1. Use Ed25519 keys — ssh-keygen -t ed25519 produces the most secure and efficient keys available
  2. Always set a passphrase — The passphrase encrypts your private key at rest; use ssh-agent to avoid retyping it
  3. Use one key per device — Don't copy private keys between machines; generate a unique key on each device
  4. Disable password authentication — Once SSH keys are configured, disable PasswordAuthentication in sshd_config
  5. Rotate keys periodically — Replace keys annually and immediately revoke keys from decommissioned devices

Frequently Asked Questions

Common questions about the SSH Key Generator - Ed25519, RSA, ECDSA

Yes. The key pair is generated entirely in your browser using the Web Crypto API (and an in-browser library for RSA). The private key is never transmitted to a server, never logged, and never stored — it exists only in your browser tab until you download it or close the page. Because generation is 100% client-side, there is no network request that could leak your private key.

Ed25519 is the modern recommended default: small, fast, and highly secure. ECDSA (P-256/384/521) offers strong security with compact keys and is required in some enterprise and government environments. RSA (2048/3072/4096 bits) is the most universally compatible and is the best choice for older systems. For new keys, choose Ed25519 unless you need compatibility with legacy software.

Select Ed25519 as the key type (it is the default and recommended option), optionally enter a comment and passphrase, then click Generate SSH Key Pair. Download the private key (id_ed25519) and the public key (id_ed25519.pub). Ed25519 requires a modern browser — Chrome 113+, Safari 17+, or Firefox 117+ — because it relies on native Web Crypto support for the Curve25519 algorithm.

You can export the private key in OpenSSH format (the native id_ed25519/id_rsa format), PEM / PKCS#8 (the standard BEGIN PRIVATE KEY container readable by OpenSSL and OpenSSH 7.8+), or PuTTY .ppk for Windows users of PuTTY, Pageant, and WinSCP. The public key is provided as the single-line authorized_keys entry you paste onto a server.

Yes, for any key stored on a laptop or shared computer. A passphrase encrypts the private key with AES-256, so even if someone copies the key file they cannot use it without the passphrase. The passphrase is applied locally in your browser and never sent anywhere. You will be prompted for it (once per session, if you use an SSH agent) when you connect.

Append the public key line to the ~/.ssh/authorized_keys file in the target user's home directory on the server (create the file if it does not exist, and set permissions with chmod 600 ~/.ssh/authorized_keys). For Git hosting like GitHub or GitLab, paste the same public key line into the SSH keys section of your account settings. The public key is safe to share; only the private key must be kept secret.

The SHA-256 fingerprint is a short, unique identifier for your key that OpenSSH displays when you first connect to a host or add a key. It lets you verify that a key is the one you expect. Randomart is an ASCII-art rendering of the fingerprint that makes visual comparison quick and tamper-evident. Both are derived locally from your generated public key.
