Generate new ssh keys in Windows 10 / 11


Generate New SSH Keys in Windows 10/11 for Secure Connections


Learn how to create, manage, and use SSH keys on Windows 10 and 11 to establish secure, passwordless connections to remote servers and services like GitHub or GitLab.

SSH (Secure Shell) keys provide a more secure and convenient way to authenticate with remote servers than traditional password-based logins. Instead of typing a password every time, you use a pair of cryptographic keys: a private key (kept secret on your local machine) and a public key (uploaded to the remote server). This guide walks you through generating new SSH keys on Windows 10 and 11 with the built-in ssh-keygen utility, and then using them.

Understanding SSH Key Pairs

Before diving into the generation process, it's important to understand what an SSH key pair is and how it works. An SSH key pair consists of two files:

  • Public Key: This key can be shared freely. You'll upload it to any server or service (e.g., GitHub, AWS, your own VPS) you want to connect to. When you attempt to connect, the server uses this public key to verify your identity.
  • Private Key: This key must be kept absolutely secret and secure on your local machine. It's like the master key to your digital identity for SSH connections. If someone gains access to your private key, they can impersonate you on any system where your public key is installed. It's often protected with a passphrase for an extra layer of security.

graph TD
    A[Your Local Machine] --> B{SSH Client}
    B --> C["Private Key (id_rsa)"]
    C -- Authenticates with --> D[Remote Server]
    D --> E["Public Key (id_rsa.pub)"]
    E -- Verifies identity --> C
    D -- Grants Access --> F[Remote Resource]
    subgraph Authentication Flow
        C -- Encrypts Challenge --> D
        D -- Decrypts Challenge --> C
    end

SSH Key Authentication Flow

Generating SSH Keys on Windows 10/11

Windows 10 (version 1803 and later) and Windows 11 include an OpenSSH client by default, which means you can use the ssh-keygen command directly from PowerShell or Command Prompt. This eliminates the need for third-party tools like PuTTY for basic key generation.

1. Open PowerShell or Command Prompt

Search for "PowerShell" or "cmd" in the Windows search bar and open it. Running it as an administrator is not strictly necessary for key generation but can be useful for other SSH-related tasks.

2. Run the ssh-keygen command

In the terminal, type the following command and press Enter:

ssh-keygen -t rsa -b 4096

  • -t rsa: Specifies the key type as RSA. While newer algorithms like Ed25519 are available and often recommended, RSA is still widely supported.
  • -b 4096: Sets the number of bits in the key to 4096, which is a strong and recommended key length.

3. Choose a file to save the key

The command will prompt you with "Enter file in which to save the key". The default location is C:\Users\your_username\.ssh\id_rsa. Press Enter to accept the default, or specify a different path and filename if you want to manage multiple keys. It's generally good practice to use the default unless you have a specific reason not to.

4. Enter a passphrase

You'll be prompted to "Enter passphrase (empty for no passphrase)". A passphrase adds an extra layer of security to your private key. If someone gains access to your private key file, they still won't be able to use it without the passphrase. It's highly recommended to set a strong passphrase. You'll need to enter it twice for confirmation. If you choose not to use a passphrase, just press Enter twice.

5. Verify key generation

After entering the passphrase (or leaving it empty), the utility will generate your key pair and display a confirmation message, including the key's randomart image. You can then navigate to the .ssh directory to see your newly created id_rsa (private key) and id_rsa.pub (public key) files.

ssh-keygen -t rsa -b 4096
# Output example:
# Generating public/private rsa key pair.
# Enter file in which to save the key (C:\Users\your_username\.ssh\id_rsa):
# Enter passphrase (empty for no passphrase):
# Enter same passphrase again:
# Your identification has been saved in C:\Users\your_username\.ssh\id_rsa.
# Your public key has been saved in C:\Users\your_username\.ssh\id_rsa.pub.
# The key fingerprint is:
# SHA256:...
# The key's randomart image is:
# +---[RSA 4096]----+
# |        .o.      |
# |       . .       |
# |      . .        |
# |     . o         |
# |    . o S        |
# |   . + =         |
# |  . + =          |
# |   o B o         |
# |  E * =          |
# +----[SHA256]-----+

Example output of the ssh-keygen command
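
The following PowerShell check is an added example, not part of the original guide. It assumes the default key path from step 3, prints the key's fingerprint, confirms that id_rsa.pub really belongs to id_rsa, and reports any account other than yours, SYSTEM and Administrators that can access the private key file.

```powershell
# Added example; assumes the default key location from step 3.
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa'

# Fingerprint of the public key: the SHA256 value ssh-keygen printed at creation.
ssh-keygen -l -f "$key.pub"

# Re-derive the public key from the private key (asks for the passphrase if one
# is set) and compare its base64 field with the one stored in the .pub file.
$derived = (ssh-keygen -y -f $key) -split ' '
$stored  = (Get-Content -LiteralPath "$key.pub" -TotalCount 1) -split ' '
if ($derived[1] -and $derived[1] -eq $stored[1]) {
    'id_rsa.pub matches id_rsa'
} else {
    Write-Warning 'id_rsa.pub does not match id_rsa (or the private key could not be read)'
}

# List the accounts with Allow entries on the private key file. Comparing by SID
# keeps the check independent of the Windows display language.
$allowed = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -LiteralPath $key).GetAccessRules($true, $true, $sidType)
$others  = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed
}
if ($others) {
    Write-Warning "Other accounts can access ${key}:"
    $others | Format-Table IdentityReference, FileSystemRights
} else {
    "Only your account, SYSTEM and Administrators can access $key"
}
```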

Using Your New SSH Key

Once your SSH key pair is generated, the next step is to add your public key to the remote service or server you wish to connect to. The private key remains on your local machine.

1. Copy your public key

You can view and copy the contents of your public key file (id_rsa.pub) using a text editor or the cat command in PowerShell:

cat C:\Users\your_username\.ssh\id_rsa.pub

Copy the entire output, which starts with ssh-rsa (or ssh-ed25519) and ends with your username and hostname.

2. Add the public key to your remote service/server

The exact steps vary depending on the service:

  • GitHub/GitLab/Bitbucket: Go to your account settings, find the "SSH and GPG keys" or "SSH keys" section, and add a new SSH key. Paste the copied public key content into the provided field.

  • Linux Server (e.g., AWS EC2, DigitalOcean Droplet): Connect to your server using a password or existing key. Then, append your public key to the ~/.ssh/authorized_keys file. If the .ssh directory or authorized_keys file doesn't exist, create them with appropriate permissions.

    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    echo "YOUR_PUBLIC_KEY_CONTENT" >> ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys

3. Test your SSH connection

After adding the public key, try connecting to the remote service or server. For example, to connect to a Git repository:

git clone git@github.com:your_username/your_repo.git

Or to an SSH server:

ssh your_username@your_server_ip

If you set a passphrase, you will be prompted to enter it. If the connection succeeds, SSH key authentication is set up.
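
The three steps above can also be run from the Windows side in one PowerShell session. This is an added example, not part of the original guide. It assumes a Linux server, the default key path, and the guide's placeholder login your_username@your_server_ip.

```powershell
# Added example. Assumptions: default key path, a Linux server, and the
# placeholder login used in this guide.
$target = 'your_username@your_server_ip'
$key    = Join-Path $env:USERPROFILE '.ssh\id_rsa'

# Read the one-line public key and refuse anything that is not one, so the
# private key file can never be sent by mistake.
$line = (Get-Content -LiteralPath "$key.pub" -TotalCount 1).Trim()
if ($line -notmatch '^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+={0,2}( |$)') {
    throw "$key.pub does not look like an OpenSSH public key"
}

# Append the key on the server. This login still uses your password or an
# existing key. The remote command is kept free of quote characters so it
# reaches ssh as one unmodified argument. Run it once: a second run appends
# a duplicate line to authorized_keys.
$remote = 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
$line | ssh $target $remote
if ($LASTEXITCODE -ne 0) {
    throw "Installing the key failed (ssh exit code $LASTEXITCODE)"
}

# Test with public-key authentication only. Without these options a login can
# succeed by falling back to the password, which hides a key that does not work.
ssh -i $key -o IdentitiesOnly=yes -o PreferredAuthentications=publickey $target 'echo key-login-ok'
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Key login failed; check ~/.ssh/authorized_keys and its permissions on the server'
}
```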