SSH key pairs authenticate you to servers without a password: the server holds your public key, and you prove ownership of the matching private key during the handshake. This generator creates a fresh pair in your browser using the Web Crypto API, then formats the public half as a one-line OpenSSH key and the private half as PEM.
How it works
- You choose Ed25519 or RSA (2048 or 4096 bits).
- The tool calls
crypto.subtle.generateKeywith that algorithm and an extractable flag. - The public key is exported and re-encoded into the OpenSSH wire format: a length-prefixed key type string followed by the algorithm-specific public values, all Base64-encoded on a single
ssh-...line. - The private key is exported as PKCS#8 and wrapped in a PEM block.
For RSA the OpenSSH blob packs the public exponent e and modulus n as mpint values; for Ed25519 it packs the 32-byte public point. Both follow the same length-prefixed string encoding used by the SSH protocol.
Which algorithm should I choose?
Ed25519 is the right answer for almost everyone in 2026. It uses elliptic-curve Diffie-Hellman over Curve25519, produces a 32-byte private key and a 64-byte signature, and is supported by all modern OpenSSH versions (7.2+ from 2016 onward), GitHub, GitLab, Bitbucket, and cloud providers.
RSA 4096 is appropriate only when you must authenticate against an older system that predates Ed25519 support — legacy embedded devices, very old RHEL/CentOS installations, or some network appliances. RSA 2048 is acceptable for short-lived keys in legacy contexts but should be avoided for anything stored long-term.
| Ed25519 | RSA 4096 | |
|---|---|---|
| Key size | 32 bytes private | ~3 KB private |
| Signature size | 64 bytes | 512 bytes |
| Speed | Very fast | Slower verification |
| Compatibility | OpenSSH 7.2+ | Universally compatible |
| Recommended | Yes | Legacy only |
Installing and using the key pair
On GitHub / GitLab / Bitbucket: Go to Settings → SSH Keys and paste the entire public key line (the ssh-ed25519 AAAA… string). Title it with something descriptive like laptop-2026.
On a Linux server: Append the public key to ~/.ssh/authorized_keys on the server:
echo "ssh-ed25519 AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Save the private key locally as ~/.ssh/id_ed25519 (or any name you choose) and set permissions:
chmod 600 ~/.ssh/id_ed25519
Then connect with ssh -i ~/.ssh/id_ed25519 user@host.
Security tips
- Never share the private key. The public key (
ssh-ed25519 AAAA…) is safe to share anywhere. The PEM private key must stay secret. - Add a passphrase with
ssh-keygen -p -f ~/.ssh/id_ed25519to encrypt the private key at rest. An SSH agent (ssh-agent, or macOS’s Keychain) can hold the decrypted key in memory so you don’t retype the passphrase on every use. - One key per device is the recommended practice — generate a fresh key on each machine rather than copying the same private key around. That way, revoking a lost laptop means removing one entry from
authorized_keys, not rotating the key everywhere. - Keys generated here are discarded when you close the tab. Copy both halves before navigating away. Nothing is transmitted or persisted on any server.