Generating SSH Keys on Your Computer

Introduction

There are a variety of ways to generate SSH keys on your local computer, depending on its operating system. Linux, MacOS, other Unix-family operating systems, Windows Subsystem for Linux (WSL), and Windows PowerShell all provide a command-line interface (CLI) that can be used to generate SSH keys.

If your computer is running Windows, there are SSH clients available that generate SSH keys via a graphical user interface (GUI). See the Windows GUI Clients section below.

Linux, MacOS, Windows PowerShell, Windows Subsystem for Linux (WSL)

Linux, MacOS, Windows PowerShell, and WSL each provide a CLI that: (i) displays a prompt, (ii) waits for you to type a command and press Enter (or Return), (iii) performs that command and displays its textual output, and then (iv) displays the prompt again, to let you know it is ready for your next command. By doing this over and over, the CLI provides a text-based interface for interacting with your computer.

To generate your SSH keys via a CLI, launch a Terminal on Linux, MacOS, or WSL. (On Windows, launch a PowerShell or CMD window.) The CLI will display a prompt ($ represents the prompt in this document). You may then generate the SSH keys for your computer by following these steps:

1. Check that an ssh client is installed on your system. Enter the ssh command. If you have an ssh client installed, it will display a ‘usage’ message, something like the one shown below, and then redisplay the prompt to show that it is awaiting your next command:

$ ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command]
$

If you do not have an ssh client installed, then the CLI will respond with an error message, such as Command not found: ssh. You will need to install the ssh software suite before proceeding.

2. Use the ssh-keygen command to generate your SSH keys. The following example invokes ssh-keygen and tells it to generate SSH keys (aka your key pair) using the ed25519 algorithm, which is the algorithm recommended for ACCESS users:

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/yourName/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase): <Enter an uncommon passphrase here>
Enter same passphrase again: <repeat your uncommon passphrase here>
Your identification has been saved in /home/yourName/.ssh/id_ed25519.
Your public key has been saved in /home/yourName/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:zOnCNsomelongstringofcharactersandsymbols+uQ yourName@yourMachine.example.net
The key's randomart image is:
+--[ED25519 256]--+
|     ...oo.     .|
|    ...  ..     o|
|   .o  ..     o o|
|    o + .+     OX|
|     S ..     X=O|
|    . o . o+=Fo  |
|     o . ..=o+   |
|      . . B+     |
|       .*.o.     |
+----[SHA256]-----+
$

When ssh-keygen prompts you to enter a file name, you may press the Enter (or Return) key to accept the default file names. Using the ed25519 algorithm, ssh-keygen will store your private key in a file named id_ed25519 and your public key in a file named id_ed25519.pub.

When ssh-keygen prompts you for a passphrase, it is good security practice to enter an uncommon phrase, such as 3 words that are unrelated except that they are meaningful to you. (Common phrases are vulnerable to dictionary attacks.) You will need to enter this passphrase each time you use an SSH client to connect to an ACCESS system, so make it one you can easily remember. If you just press Enter (or Return) when ssh-keygen prompts you for the passphrase, you avoid having to remember and enter a passphrase when using an SSH client to connect to a remote system, but anyone with access to your computer will be able to use its SSH client to connect to your account on that system, rendering it vulnerable.

When finished, ssh-keygen has created two text files--id_ed25519 containing your private key and id_ed25519.pub containing your public key--and stored them in the hidden .ssh subdirectory of your home directory. (If the .ssh subdirectory doesn’t already exist, ssh-keygen will create it for you.)

On Unix-family systems, you can verify that the two files were created using the ls command (dir on Windows systems):

$ ls -l ~/.ssh
total 24
-rw------- 1 yourName yourGroup  505 Aug 25 16:18 id_ed25519
-rw-r--r-- 1 yourName yourGroup  176 Aug 25 16:18 id_ed25519.pub
-rw------- 1 yourName yourGroup 2993 Aug 10 11:51 known_hosts
$

(The contents of your .ssh folder may look slightly different than what is shown above.)

3. (Optional) Copy your SSH public key to your system clipboard for subsequent distribution. On Unix-family systems, you can view the contents of id_ed25519.pub by using the cat command (the type command on Windows systems):

Your public key is the entire line that begins with ssh-ed25519. Once you can see the entirety of your public key, use your computer’s mouse to select / highlight that entire line. You can then copy your highlighted public key to your system clipboard using the Ctrl-C shortcut (or Cmd-C on MacOS) or by right-clicking on the highlighted text and choosing Copy from the context menu that appears.

With your public key on the clipboard, you can paste it into any application (or email message) where it is needed. (For example, see the Uploading Your Public Key page.)
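An added check for the copy step above (example code, not from the original page or from OpenSSH): it parses a public key line of the kind stored in id_ed25519.pub, rejects a line that was only partially selected when copying, and recomputes the SHA256 fingerprint in the form ssh-keygen prints, so the copied key can be compared with the fingerprint shown at generation time. The 32 sample key bytes and the comment are constructed, not a real key.

```python
# Added example (not from the original page): check that a copied OpenSSH
# public key line is complete and well formed before uploading it, and compute
# its SHA256 fingerprint to compare with the one ssh-keygen printed.
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(blob: bytes, pos: int):
    """Read one SSH wire 'string' starting at pos; return (value, next_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = pos + 4 + struct.unpack(">I", blob[pos:pos + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def parse_ed25519_pubkey_line(line: str) -> dict:
    """Parse one 'ssh-ed25519 <base64-blob> [comment]' line (the contents of
    id_ed25519.pub); raise ValueError if it is not a complete Ed25519 key."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("line must start with 'ssh-ed25519 <base64>'")
    # validate=True makes stray characters or a cut-off blob fail loudly.
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_ssh_string(blob, 0)
    pub, pos = _read_ssh_string(blob, pos)
    if key_type != b"ssh-ed25519" or len(pub) != 32 or pos != len(blob):
        raise ValueError("blob is not an Ed25519 public key")
    # ssh-keygen -l prints base64(SHA-256(blob)) with the '=' padding removed.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": "ssh-ed25519", "key": pub, "fingerprint": fingerprint,
            "comment": fields[2] if len(fields) > 2 else ""}

def is_valid_pubkey_line(line: str) -> bool:
    """True if the line parses as a complete Ed25519 public key."""
    try:  # binascii.Error raised by b64decode is a subclass of ValueError
        return bool(parse_ed25519_pubkey_line(line))
    except ValueError:
        return False

# Constructed sample: 32 arbitrary bytes stand in for a real public key.
SAMPLE_PUB = bytes(range(32))
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(SAMPLE_PUB)
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
               + " yourName@yourMachine.example.net")
```

Feeding the line you copied to is_valid_pubkey_line tells you whether the whole key made it to the clipboard; a cut-off selection such as SAMPLE_LINE[:40] is rejected rather than silently uploaded.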

Windows GUI SSH Clients

For Windows users, there are several third-party SSH clients that provide a graphical user interface and can generate SSH keys. Popular SSH clients that provide GUIs for different operating systems include Bitvise SSH Client, MobaXterm, and PuTTY.

  • Bitvise SSH client is an SSH Terminal client and file transfer client that supports GUI drag-n-drop file transfers. This is convenient for securely transferring files between your computer and a remote system. If your project requires many file transfers, consider Bitvise.

  • MobaXterm is an SSH Terminal client that includes an X-server. The X-server allows it to display graphical output produced by applications running on a remote Linux system (i.e., an ACCESS RP). If your project involves a remote application that produces graphical output, consider MobaXterm.

  • PuTTY is a no-frills SSH Terminal client.

These clients are third-party software; if one is not already installed on your computer, you will need to download and install it before proceeding.

Bitvise

Bitvise can be used to generate SSH keys as follows:

1. Launch the Bitvise SSH Client application. Its initial window has the following appearance:

2. Click the Client key manager link.

This will cause a Client Key Manager window to appear.

3. Click the Generate New button.

This will cause a Generate New Keypair dialog to appear.

4. Under Algorithm, choose Ed25519 as the key algorithm to be used.

5. Under Passphrase and Confirm passphrase, enter your passphrase.

It is good security practice to enter an uncommon phrase as your passphrase, such as 3 words that are unrelated except that they are meaningful to you. (Common phrases are vulnerable to dictionary attacks.) You will need to enter this passphrase each time you use an SSH client to connect to an ACCESS system, so make it something you can easily remember. If you leave these fields blank, you avoid having to remember and enter a passphrase when using an SSH client to connect to a remote system, but anyone with access to your computer will be able to use its SSH client to connect to your account on that system, rendering it vulnerable.

6. Click the Generate button.

This will return you to the Client Key Manager window, with an entry for your newly generated keys:

Congratulations--you have generated your SSH keys!

If you use Bitvise as your SSH client for connecting to an ACCESS system, it will automatically use these keys.

To distribute your public key to ACCESS RPs, you need to copy it to your system clipboard; continue with steps 7-11 below.

7. To save your keys outside of Bitvise, click the Export button.

An Export Public or Private Key dialog will appear, in which Export public key should already be selected.

8. Choose the OpenSSH format option; then click the Export button.

9. Use your system’s Save file dialog box to save your public key. Store it in a place you can easily locate (e.g., on your Desktop), with a descriptive name such as id_ed25519.pub.

10. Open the file containing your public key in any text editor (e.g., Notepad):

11. In the text-editor, select the line beginning with ssh-ed25519, right-click, and choose Copy from the context menu that appears:

Your public key is now on your system clipboard, ready to be pasted elsewhere. (For example, see the Uploading Your Public Key page.)


MobaXterm

MobaXterm can be used to generate SSH keys as follows:

1. Launch the MobaXterm application. The initial screen will look something like this:

2. Click the Tools button and select MobaKeyGen (SSH key generator) on the menu that appears:

This will bring up the MobaXterm SSH Key Generator window.

3. Under Parameters at the bottom of the MobaXterm SSH Key Generator window, first select the EdDSA choice; then click the Generate button:

You will need to move your mouse around within the window, as MobaXterm uses the random movements of the mouse in generating the two keys. When it has finished, your public key and some new textboxes will appear in the MobaXterm SSH Key Generator window.

4. Enter your passphrase in the Key passphrase and Confirm passphrase boxes:

It is good security practice to enter an uncommon phrase as your passphrase, such as 3 words that are unrelated except that they are meaningful to you. (Common phrases are vulnerable to dictionary attacks.) You will need to enter this passphrase each time you use an SSH client to connect to an ACCESS system, so make it something you can easily remember. If you leave these fields blank, you avoid having to remember and enter a passphrase when using an SSH client to connect to a remote system, but anyone with access to your computer will be able to use its SSH client to connect to your account on that system, rendering it vulnerable.

5. Use the Save public key and Save private key buttons to save your public and private keys.

Each button will bring up a system Save file dialog that you can use to give each file a unique filename. Save these keys to a safe location on your computer--a place to which only you have access.

If you intend to use MobaXterm as your ssh client, be sure to save your private key in a file whose name ends with .ppk (e.g., ed25519.ppk) and your public key in a file whose name ends with .pub (e.g., ed25519.pub).

6. To copy your public key to the system clipboard, look in the box beneath Public key for pasting into OpenSSH server. There, select / highlight the entire line beginning with ssh-ed25519. Then right-click, and choose Copy from the context menu that appears:

Your public key is now on your system clipboard, ready to be pasted elsewhere. (For example, see the Uploading Your Public Key page.)

7. (Optional) To save your public key in OpenSSH format, click the Conversions menu and then choose Export OpenSSH key from the menu that appears:

This will bring up a system Save file dialog that you can use to give a unique filename (e.g., id_ed25519.pub) to the file containing your OpenSSH formatted public key.

PuTTY

PuTTY--well, more precisely, the puttygen utility that comes with PuTTY--can be used to generate SSH keys as follows:

1. Launch PuTTYgen by finding it in the Windows Start menu (under PuTTY) or by entering puttygen in the Windows search box. This will bring up the PuTTY Key Generator window:

2. Under Parameters at the bottom of the PuTTY Key Generator window, first select the EdDSA choice; then click the Generate button:

You will need to move your mouse around within the window, as PuTTY’s Key Generator uses the random movements of the mouse in generating the two keys. When it has finished, your public key and some new textboxes will appear in the PuTTY Key Generator window.

3. Enter your passphrase in the Key passphrase and Confirm passphrase boxes:

It is good security practice to enter an uncommon phrase as your passphrase, such as 3 words that are unrelated except that they are meaningful to you. (Common phrases are vulnerable to dictionary attacks.) You will need to enter this passphrase each time you use an SSH client to connect to an ACCESS system, so make it something you can easily remember. If you leave these fields blank, you avoid having to remember and enter a passphrase when using an SSH client to connect to a remote system, but anyone with access to your computer will be able to use its SSH client to connect to your account on that system, rendering it vulnerable.

4. Use the Save public key and Save private key buttons to save your public and private keys.

Each button will bring up a system Save file dialog that you can use to give each file a unique filename. Save these keys to a safe location on your computer--a place to which only you have access.

If you intend to use PuTTY as your ssh client, be sure to save your private key in a file whose name ends with .ppk (e.g., ed25519.ppk) and your public key in a file whose name ends with .pub (e.g., ed25519.pub).

5. To copy your public key to the system clipboard, look in the box beneath Public key for pasting into OpenSSH server. There, select / highlight the entire line beginning with ssh-ed25519. Then right-click, and choose Copy from the context menu that appears:

Your public key is now on your system clipboard, ready to be pasted elsewhere. (For example, see the Uploading Your Public Key page.)

6. (Optional) To save your OpenSSH formatted public key in a file, click the Conversions menu and then choose Export OpenSSH key from the menu that appears:

This will bring up a system Save file dialog that you can use to save your OpenSSH formatted public key in a file. Use a unique filename (e.g., id_ed25519.pub) and store it in a place where you can easily find it.

Locating and Copying Your Public Key

One way to keep your SSH key pair out of the way is to store it in the hidden folder C:\Users\yourUserName\.ssh, where you need to replace yourUserName with your actual Windows user name. From there, you can access the files (e.g., from an SSH client) as necessary.

For example, if you need to retrieve your OpenSSH formatted public key and it is stored in a file named id_ed25519.pub, that file is a simple text file that you may open with any text editor (e.g., Notepad):

You may then copy your public key from that file to the system clipboard by:

  1. selecting / highlighting your key within the text editor and then

  2. using Ctrl-C or right-clicking on the selection and choosing Copy from the context menu.

With your public key on the clipboard, you can paste it into any application (or email message) where it is needed. For example, see the Uploading Your Public Key page.