All Tools About Blog Code Examples MCP Server — Use tools from AI agents
Workflows Paste Anything — Smart Detector Tool Pipeline Builder Bulk / Batch Processor
JSON Tools JSON Formatter & Beautifier JSON Validator JSON to CSV Converter JSON to TypeScript Generator JSON to Python Converter JSON Flatten & Unflatten jq Playground — JSON Processor JSON Mock Data Generator JSON Schema Validator JSONPath Evaluator JSON Schema Generator JSON Patch / Diff Generator
Encoding Tools Base64 Encoder / Decoder URL Encoder / Decoder Hash Generator (MD5/SHA) JWT Decoder HTML Entity Encoder / Decoder Image to Base64 Converter String Escape / Unescape Tool ASCII / Binary / Hex Converter Protobuf Decoder — Wire Format Viewer Encoding Detective — Mojibake Repair
Formatters HTML Beautifier XML Formatter & Validator SQL Formatter & Beautifier CSS Minifier & Beautifier JavaScript Minifier & Beautifier TOML Formatter & Converter YAML Formatter, Validator & Minifier
Generators UUID Generator Password Generator QR Code Generator Lorem Ipsum Generator Cron Expression Generator chmod Calculator Slug / URL Generator .gitignore Generator
Testing Tools Regex Tester Regex Explainer — Plain English
Security Tools HMAC Generator Content Security Policy Generator SSH Key Generator SSL Certificate Decoder CORS Header Builder & Generator
Design Tools Color Picker & Converter Placeholder Image Generator SVG Path Editor & Visualizer
Comparison Tools Diff Checker / Text Compare .env Diff & Merge
Converters JSON-YAML Converter Epoch / Unix Timestamp Converter Markdown to HTML Preview Curl to Fetch/Axios Converter Tailwind CSS Converter OpenAPI to TypeScript Text Case Converter Number Base Converter CSV Viewer & Editor Date & Time Format Converter SQL to MongoDB & N1QL Converter Semver Calculator & Comparator Byte / Size Calculator URL Parser & Builder Glob to Regex Converter Math Expression Evaluator SQL DDL to TypeScript Converter Duration / Time Calculator CSS Unit Converter — px, rem, em, pt, vw, vh JSON to Go Struct Converter HTML to Markdown Converter CSV to SQL Converter SQL to ORM Converter
Reference HTTP Status Code Explorer Git Command Builder GraphQL Schema Explorer MIME Type Lookup
Text Tools Word & Character Counter Text Line Sorter, Deduplicator & Tools
Networking Tools Subnet / CIDR Calculator
DevOps Tools Nginx Config Generator Docker Compose Validator Robots.txt Generator & Validator GitHub Actions YAML Validator

SSH Key Generator

Generate RSA and ECDSA SSH key pairs in your browser. Private keys never leave your device. Free online SSH keygen tool.

Your data never leaves your browser
Client-side only. Private keys generated here never leave your browser. No data is transmitted to any server.
ssh-keygen -t rsa -b 4096

Select a key type and click Generate Key Pair
Next steps
Passwords Hash Generator chmod Calc Base64

How to Use

  1. Select a key type: RSA (2048 or 4096 bits) or ECDSA (P-256 or P-384).
  2. Optionally add a comment (e.g., user@hostname) to identify the key.
  3. Click Generate Key Pair — the keys are created instantly in your browser.
  4. Copy or download the public key and add it to your server's ~/.ssh/authorized_keys file.
  5. Copy or download the private key, save it to ~/.ssh/, and set permissions with chmod 600.

What Are SSH Keys?

SSH keys are pairs of cryptographic keys used for authenticating to remote servers without passwords. Each pair consists of a private key (kept secret on your machine) and a public key (shared with servers you want to access). When you connect, the server challenges you with a puzzle that only the holder of the private key can solve, proving your identity without transmitting any secrets.

SSH key authentication is more secure than password authentication because the private key never leaves your machine, it cannot be brute-forced like a password, and it is immune to phishing attacks. Most cloud providers (AWS, GCP, Azure, DigitalOcean) recommend or require SSH key authentication for server access.

How Asymmetric Cryptography Works

SSH keys use asymmetric (public-key) cryptography, where the two keys in a pair are mathematically linked but it is computationally infeasible to derive the private key from the public key. For RSA, this relies on the difficulty of factoring the product of two large prime numbers. For ECDSA, it relies on the discrete logarithm problem over elliptic curves. Both problems are considered intractable for sufficiently large key sizes with current computing technology.

RSA vs ECDSA vs Ed25519

RSA is the oldest algorithm, introduced in 1977, and remains the most widely supported. A 4096-bit RSA key provides a security level roughly equivalent to 140 bits of symmetric encryption. RSA keys are larger (800+ characters for 4096-bit) and slower to generate, but work with virtually every SSH implementation in existence.

ECDSA (Elliptic Curve Digital Signature Algorithm) uses elliptic curve mathematics to achieve equivalent security with much smaller keys. A P-256 ECDSA key (~88 characters) provides security comparable to a 3072-bit RSA key. ECDSA is faster for both key generation and authentication. P-256 and P-384 are the most common curves, standardized by NIST.

Ed25519 is the modern recommendation for SSH keys. It uses the Curve25519 elliptic curve with the EdDSA signature scheme, offering the best performance, smallest key size, and resistance to several classes of implementation vulnerabilities that affect ECDSA. Unfortunately, the Web Crypto API does not yet support Ed25519, so this tool cannot generate them — use ssh-keygen -t ed25519 on your local machine instead.

Setting Up SSH Keys

After generating a key pair, save the private key to your local ~/.ssh/ directory and set strict permissions:

  • chmod 700 ~/.ssh — directory must be accessible only by you
  • chmod 600 ~/.ssh/id_rsa — private key must be readable only by you
  • chmod 644 ~/.ssh/id_rsa.pub — public key can be world-readable

Copy the public key to the remote server by appending it to ~/.ssh/authorized_keys. The easiest method is ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname. For cloud services like GitHub, AWS, or GitLab, paste the public key into their web interface under SSH key settings.

Security Best Practices

  • Never share your private key. Treat it like a password. If compromised, revoke it immediately by removing its corresponding public key from all authorized_keys files.
  • Use a passphrase. Adding a passphrase to your private key provides a second layer of protection if the key file is stolen. Use ssh-keygen -p -f ~/.ssh/id_rsa to add a passphrase after generation.
  • Use one key per device. Generate separate key pairs for each computer or service. This allows you to revoke access for a single device without affecting others.
  • Prefer Ed25519 for production. Generate Ed25519 keys with ssh-keygen -t ed25519 when your infrastructure supports it. Fall back to RSA 4096 for maximum compatibility.
  • Rotate keys periodically. Replace SSH keys every 1-2 years, especially for high-security systems. Remove old public keys from servers when rotating.
  • Disable password authentication. Once SSH keys are set up, disable password login in /etc/ssh/sshd_config by setting PasswordAuthentication no.

Key Formats Explained

This tool exports the private key in PKCS#8 PEM format, a standard encoding that works with OpenSSH 7.8+ and most other SSH clients. Older OpenSSH versions used a custom PEM format (beginning with -----BEGIN RSA PRIVATE KEY-----), but PKCS#8 (beginning with -----BEGIN PRIVATE KEY-----) is the modern standard and is supported by OpenSSH, PuTTY (via conversion), and all major libraries.

The public key is in OpenSSH format — a single line starting with the algorithm name (e.g., ssh-rsa or ecdsa-sha2-nistp256), followed by base64-encoded key data, and an optional comment. This is the format used in ~/.ssh/authorized_keys files and by services like GitHub and GitLab.

Related Tools

Generate secure passwords with the Password Generator. Compute SHA-256 hashes with the Hash Generator. Calculate Unix file permissions with the Chmod Calculator. Encode binary data with the Base64 Encoder.

Frequently Asked Questions

Are the keys generated securely?
Yes. Keys are generated entirely in your browser using the Web Crypto API (crypto.subtle.generateKey), the same cryptographic engine used by TLS, password managers, and other security software. No data is ever sent to any server — you can verify this by disconnecting from the internet before generating.
What is the difference between RSA and ECDSA keys?
RSA is the oldest and most widely supported algorithm. A 4096-bit RSA key provides strong security but is larger and slower. ECDSA (Elliptic Curve) provides equivalent security with much shorter keys — a 256-bit ECDSA key offers comparable security to a 3072-bit RSA key. ECDSA keys are faster to generate and use less bandwidth during SSH handshakes.
Why is Ed25519 not available?
Ed25519 is the recommended key type for modern SSH, but the Web Crypto API in browsers does not yet support the Ed25519 algorithm for key generation. To generate Ed25519 keys, use ssh-keygen -t ed25519 on your local machine. Browser support is expected to arrive in the future.
What key type should I choose?
For most use cases, RSA 4096 is the safest default — it is universally supported and provides strong security. If you need smaller keys and faster authentication, ECDSA P-256 is a good choice. For production servers, generate Ed25519 keys locally with ssh-keygen.
Can I use these keys for production servers?
The keys are cryptographically valid, but for production use we recommend generating keys with ssh-keygen on your local machine. Local generation keeps the private key on disk without ever being in browser memory, and supports Ed25519, which is the current best practice for SSH keys.
What is the fingerprint used for?
The fingerprint is a short SHA-256 hash of the public key. It provides a human-readable way to verify key identity — for example, when you first connect to a server, SSH shows you the server key fingerprint so you can confirm you are connecting to the right host.

Related Tools

HMAC Generator

Generate HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, and HMAC-SHA1 keyed-hash signatures.

Content Security Policy Generator

Generate Content Security Policy headers with an interactive builder. Configure all CSP directives with presets and custom domains.

SSL Certificate Decoder

Decode PEM-encoded SSL/TLS certificates and view subject, issuer, validity dates, SANs, and key information.

CORS Header Builder & Generator

Generate CORS headers interactively. Output as HTTP headers, Nginx config, Express middleware, or Apache .htaccess.

Paste Anything — Smart Detector

Paste any text and instantly detect its format — JSON, JWT, Base64, UUID, SQL, timestamps, colors, and more.

AI agent tools available. The CodeTidy MCP Server gives Claude, Cursor, and other AI agents access to 47 developer tools. One command: npx @codetidy/mcp

Drop file to load