Setting up SSH keys, properly, on any OS
What this is
The full path from "no key" to "logging in everywhere with keys": generate, deploy, and the quality-of-life pieces most guides skip. Why bother is covered elsewhere; in one line: no password to guess, brute force is pointless, and no more banned IPs. This page is the how.
One concept before the commands: a key is a pair of files. The private key stays on your device, is never uploaded anywhere, and is the thing to protect. The public key (the .pub file) is what you hand out, to your VPS, to GitHub, to anyone; it's called public because it is.
Generate the pair (same command everywhere)
Windows 10/11 (PowerShell), macOS (Terminal), and Linux all ship the same OpenSSH tooling now, no PuTTYgen required:
ssh-keygen -t ed25519
- Accept the default location (~/.ssh/id_ed25519 and id_ed25519.pub; on Windows, C:\Users\you\.ssh\).
- Set a passphrase. It encrypts the private key on disk, so a stolen laptop doesn't equal stolen server access, and the agent (below) means you type it rarely.
ed25519 is the modern default: small, fast, strong. (Only fall back to -t rsa -b 4096 for ancient systems that don't speak it.)
Print the public half whenever you need to paste it: cat ~/.ssh/id_ed25519.pub, one line starting ssh-ed25519 ....
Get it onto your VPS
- Before the VPS exists (the best way): save the public key on the SSH Keys page, or import it straight from your GitHub/GitLab account, then select it on the deploy or reinstall form. The server is born trusting your key, and with key-only login mode there was never a password to attack.
- On a running server: from your machine,
ssh-copy-id [email protected]
does everything (appends the key to ~/.ssh/authorized_keys with correct permissions). Doing it by hand instead: append the .pub line to ~/.ssh/authorized_keys on the server, and make sure permissions are strict: 700 on ~/.ssh and 600 on the file. SSH refuses keys in directories with loose permissions.
Then test (ssh [email protected] should log in without a password) and, once it works, turn off password login.
The agent: type the passphrase once
The ssh-agent holds your unlocked key for the session, so the passphrase costs you one entry, not one per connection:
ssh-add
macOS remembers across reboots via the keychain; on Windows, enable the OpenSSH Authentication Agent service once (Services app, set to Automatic) and ssh-add works the same way.
The ~/.ssh/config file: stop typing IPs
The most underrated file in the toolchain: define your servers once:
Host web
HostName 203.0.113.5
User deploy
IdentityFile ~/.ssh/id_ed25519
Port 22
From then on, ssh web, and every tool that speaks SSH (scp, rsync, SFTP clients, IDEs) understands the alias too. Changed your SSH port? Update it here once instead of in every command.
Multiple devices, revocation, and clients
- One key per device (laptop, desktop, work machine), not one key copied everywhere. Add each public key to the server; authorized_keys happily holds many lines.
- Revoking a device is deleting its line from authorized_keys. That granularity is the payoff of per-device keys.
- FileZilla and WinSCP use the same key for SFTP, point them at the key file. WinSCP and PuTTY historically wanted their own .ppk format; both convert OpenSSH keys, though if you're starting fresh, the built-in ssh client makes PuTTY optional entirely.
When it doesn't work
- Still asked for a password: the server didn't accept the key. Wrong username (the key went to root but you're connecting as deploy?), key not in that user's authorized_keys, or permissions too loose (check ls -la ~/.ssh on the server). ssh -v web prints which keys were offered and what the server said; that verbose output is dense, and pasting it whole into an AI chatbot gets it decoded line by line.
- "WARNING: UNPROTECTED PRIVATE KEY FILE" on your machine: your private key's permissions are too open, chmod 600 ~/.ssh/id_ed25519.
- Locked out after enabling key-only: the Console doesn't use SSH, get in there and fix authorized_keys or re-enable password auth.
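As an added example (not from the original article), a POSIX sh check for the permission problems listed above. It assumes GNU or BSD stat is available and audits a .ssh directory: run it on the server for authorized_keys and on your own machine for the private key.

```sh
# Added example, not from the original article: audit the permission rules the
# troubleshooting list relies on. sshd (default StrictModes) ignores an
# authorized_keys file when it or ~/.ssh is open to others, and the ssh client
# refuses a private key that other users can read.

# Print a file's permission bits in octal, e.g. 700. GNU stat takes -c,
# macOS/BSD stat takes -f; try GNU first and fall back.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Fail unless "$1" has exactly mode "$2"; print a chmod hint otherwise.
expect_mode() {
  actual=$(mode_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "$1 is mode $actual, expected $2 (fix: chmod $2 $1)"
    return 1
  fi
}

# check_ssh_perms [dir]: audit a .ssh directory (default ~/.ssh).
# Returns 0 when everything is strict enough, 1 with one line per problem.
check_ssh_perms() {
  dir="${1:-$HOME/.ssh}"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "$dir does not exist"
    return 1
  fi
  expect_mode "$dir" 700 || rc=1
  # Server side: the file ssh-copy-id appends to.
  if [ -f "$dir/authorized_keys" ]; then
    expect_mode "$dir/authorized_keys" 600 || rc=1
  fi
  # Client side: every private key, found via its .pub twin.
  for pub in "$dir"/*.pub; do
    [ -f "$pub" ] || continue
    key="${pub%.pub}"
    if [ -f "$key" ]; then
      expect_mode "$key" 600 || rc=1
    fi
  done
  return "$rc"
}

# Run against a directory given on the command line, e.g. ./check.sh ~/.ssh
if [ "$#" -gt 0 ]; then
  check_ssh_perms "$1"
fi
```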
Still need help?
You can open a support ticket. So we can help on the first reply, it's worth mentioning:
- the VPS hostname or IP,
- your OS, and where it fails (generating, deploying, or logging in),
- the ssh -v output for a failing login.
Related questions
- "How do I generate an SSH key on Windows / Mac / Linux?"
- "What's the difference between the private and public key?"
- "How do I add my SSH key to my VPS?"
- "How do I use the same key with FileZilla or WinSCP?"
- "How do I set up the ssh config file with an alias?"
- "How do I remove a device's access to my server?"