SSH Key Pair Generator

Generate Ed25519 or RSA SSH key pairs entirely in your browser.

Free in-browser SSH key generator. Create Ed25519 or RSA-2048/4096 key pairs with the Web Crypto API, exported as an OpenSSH public key and a PEM private key. Keys are generated locally and never leave your device. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Are the keys generated securely?

Yes. The tool uses the browser's Web Crypto (SubtleCrypto) API, which draws from a cryptographically secure random number generator. The same primitive backs HTTPS in your browser, so the entropy quality matches production crypto.

SSH key pairs authenticate you to servers without a password: the server holds your public key, and you prove ownership of the matching private key during the handshake. This generator creates a fresh pair in your browser using the Web Crypto API, then formats the public half as a one-line OpenSSH key and the private half as PEM.

How it works

  1. You choose Ed25519 or RSA (2048 or 4096 bits).
  2. The tool calls crypto.subtle.generateKey with that algorithm and an extractable flag.
  3. The public key is exported and re-encoded into the OpenSSH wire format: a length-prefixed key type string followed by the algorithm-specific public values, all Base64-encoded on a single ssh-... line.
  4. The private key is exported as PKCS#8 and wrapped in a PEM block.

For RSA the OpenSSH blob packs the public exponent e and modulus n as mpint values; for Ed25519 it packs the 32-byte public point. Both follow the same length-prefixed string encoding used by the SSH protocol.

Which algorithm should I choose?

Ed25519 is the right answer for almost everyone in 2026. It uses elliptic-curve Diffie-Hellman over Curve25519, produces a 32-byte private key and a 64-byte signature, and is supported by all modern OpenSSH versions (7.2+ from 2016 onward), GitHub, GitLab, Bitbucket, and cloud providers.

RSA 4096 is appropriate only when you must authenticate against an older system that predates Ed25519 support — legacy embedded devices, very old RHEL/CentOS installations, or some network appliances. RSA 2048 is acceptable for short-lived keys in legacy contexts but should be avoided for anything stored long-term.

Ed25519RSA 4096
Key size32 bytes private~3 KB private
Signature size64 bytes512 bytes
SpeedVery fastSlower verification
CompatibilityOpenSSH 7.2+Universally compatible
RecommendedYesLegacy only

Installing and using the key pair

On GitHub / GitLab / Bitbucket: Go to Settings → SSH Keys and paste the entire public key line (the ssh-ed25519 AAAA… string). Title it with something descriptive like laptop-2026.

On a Linux server: Append the public key to ~/.ssh/authorized_keys on the server:

echo "ssh-ed25519 AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Save the private key locally as ~/.ssh/id_ed25519 (or any name you choose) and set permissions:

chmod 600 ~/.ssh/id_ed25519

Then connect with ssh -i ~/.ssh/id_ed25519 user@host.

Security tips

  • Never share the private key. The public key (ssh-ed25519 AAAA…) is safe to share anywhere. The PEM private key must stay secret.
  • Add a passphrase with ssh-keygen -p -f ~/.ssh/id_ed25519 to encrypt the private key at rest. An SSH agent (ssh-agent, or macOS’s Keychain) can hold the decrypted key in memory so you don’t retype the passphrase on every use.
  • One key per device is the recommended practice — generate a fresh key on each machine rather than copying the same private key around. That way, revoking a lost laptop means removing one entry from authorized_keys, not rotating the key everywhere.
  • Keys generated here are discarded when you close the tab. Copy both halves before navigating away. Nothing is transmitted or persisted on any server.