Free Ed25519, ECDSA and RSA SSH key generator. Passphrase encryption, OpenSSH / PEM / PuTTY .ppk export, SHA-256 fingerprint and randomart. 100% client-side — keys never leave your browser.
This SSH key generator creates a public/private key pair entirely in your browser using the Web Crypto API (and an in-browser library for RSA). Your private key is generated locally, never transmitted to a server, never logged, and never stored. When you close or refresh the page, the key is gone — there is nothing for an attacker to intercept.
Ed25519 is the modern default for SSH. It produces a small, fast key with 128-bit security based on the Curve25519 elliptic curve, and it is resistant to many implementation pitfalls that affect RSA and ECDSA. Use Ed25519 for all new servers, Git hosting (GitHub, GitLab, Bitbucket), and CI/CD systems unless you have a specific compatibility requirement.
ECDSA keys offer strong security with compact key sizes and are widely supported. P-256 is suitable for most uses; P-384 and P-521 are chosen in government and enterprise environments that mandate higher curve strengths. ECDSA depends on a high-quality random number generator, which this tool provides via the browser’s cryptographic CSPRNG.
RSA remains the most universally compatible SSH key type and is the safest choice for legacy systems. 2048 bits is the minimum acceptable size today; 3072 bits balances security and performance; 4096 bits is used for high-security or long-lived keys. RSA keys are larger and slower than Ed25519 but work everywhere.
-----BEGIN OPENSSH PRIVATE KEY----- format used by ~/.ssh/id_ed25519 and friends, plus the matching public key line.-----BEGIN PRIVATE KEY----- / -----BEGIN ENCRYPTED PRIVATE KEY----- container, readable by OpenSSL, OpenSSH 7.8+, and most libraries.~/.ssh/authorized_keys on a server to grant access.Adding a passphrase encrypts your private key with AES-256 so it cannot be used by anyone who obtains the file without also knowing the passphrase. This is strongly recommended for keys stored on laptops or shared machines. The passphrase is applied locally in your browser — it is never sent anywhere.
Every generated key includes its SHA-256 fingerprint (the modern default shown by OpenSSH), a legacy MD5 fingerprint, and the ASCII “randomart” visualization. Fingerprints let you verify you are connecting to the right key, and randomart provides a quick visual sanity check that is hard to spoof at a glance.
id_ed25519) and public key (id_ed25519.pub).~/.ssh/ and run chmod 600 ~/.ssh/id_ed25519.~/.ssh/authorized_keys on the server, or paste it into your Git host’s SSH keys page.ssh -i ~/.ssh/id_ed25519 user@host.SSH key generation creates a cryptographic key pair used for secure authentication to remote servers, Git repositories, and other SSH-enabled services. Unlike password-based authentication—which is vulnerable to brute-force attacks, credential stuffing, and phishing—SSH key authentication uses asymmetric cryptography to prove identity without transmitting secrets over the network.
An SSH key pair consists of a private key (kept secret on your local machine) and a public key (placed on remote servers you want to access). When you connect, the server challenges you to prove you hold the private key without ever revealing it. This challenge-response mechanism is both more secure and more convenient than passwords, making SSH keys the standard for server administration, CI/CD pipelines, and developer workflows.
The SSH key authentication process follows a challenge-response protocol:
~/.ssh/authorized_keysKey algorithm comparison:
| Algorithm | Key Size | Security Level | Speed | Recommendation |
|---|---|---|---|---|
| Ed25519 | 256-bit | Very high | Fastest | Recommended for most use cases |
| ECDSA | 256/384/521-bit | High | Fast | Good alternative; P-256 most common |
| RSA | 2048-4096-bit | High (at 4096) | Slower | Use 4096-bit if Ed25519 unsupported |
| DSA | 1024-bit | Deprecated | N/A | Never use; removed in OpenSSH 7.0 |
ssh-keygen -t ed25519 produces the most secure and efficient keys availablessh-agent to avoid retyping itPasswordAuthentication in sshd_configYes. The key pair is generated entirely in your browser using the Web Crypto API (and an in-browser library for RSA). The private key is never transmitted to a server, never logged, and never stored — it exists only in your browser tab until you download it or close the page. Because generation is 100% client-side, there is no network request that could leak your private key.
Ed25519 is the modern recommended default: small, fast, and highly secure. ECDSA (P-256/384/521) offers strong security with compact keys and is required in some enterprise and government environments. RSA (2048/3072/4096 bits) is the most universally compatible and is the best choice for older systems. For new keys, choose Ed25519 unless you need compatibility with legacy software.
Select Ed25519 as the key type (it is the default and recommended option), optionally enter a comment and passphrase, then click Generate SSH Key Pair. Download the private key (id_ed25519) and the public key (id_ed25519.pub). Ed25519 requires a modern browser — Chrome 113+, Safari 17+, or Firefox 117+ — because it relies on native Web Crypto support for the Curve25519 algorithm.
You can export the private key in OpenSSH format (the native id_ed25519/id_rsa format), PEM / PKCS#8 (the standard BEGIN PRIVATE KEY container readable by OpenSSL and OpenSSH 7.8+), or PuTTY .ppk for Windows users of PuTTY, Pageant, and WinSCP. The public key is provided as the single-line authorized_keys entry you paste onto a server.
Yes, for any key stored on a laptop or shared computer. A passphrase encrypts the private key with AES-256, so even if someone copies the key file they cannot use it without the passphrase. The passphrase is applied locally in your browser and never sent anywhere. You will be prompted for it (once per session, if you use an SSH agent) when you connect.
Append the public key line to the ~/.ssh/authorized_keys file in the target user's home directory on the server (create the file if it does not exist, and set permissions with chmod 600 ~/.ssh/authorized_keys). For Git hosting like GitHub or GitLab, paste the same public key line into the SSH keys section of your account settings. The public key is safe to share; only the private key must be kept secret.
The SHA-256 fingerprint is a short, unique identifier for your key that OpenSSH displays when you first connect to a host or add a key. It lets you verify that a key is the one you expect. Randomart is an ASCII-art rendering of the fingerprint that makes visual comparison quick and tamper-evident. Both are derived locally from your generated public key.