Setting up SSH keys, properly, on any OS

What this is

The full path from "no key" to "logging in everywhere with keys": generate, deploy, and the quality-of-life pieces most guides skip. Why bother is covered elsewhere; in one line: no password to guess, brute force pointless, no more banned IPs. This page is the how.

One concept before the commands: a key is a pair of files. The private key stays on your device, is never uploaded anywhere, and is the thing to protect. The public key (the .pub file) is what you hand out: to your VPS, to GitHub, to anyone. It's called public because it is.

Generate the pair (same command everywhere)

Windows 10/11 (PowerShell), macOS (Terminal), and Linux all ship the same OpenSSH tooling now; no PuTTYgen required:

ssh-keygen -t ed25519
  • Accept the default location (~/.ssh/id_ed25519 and id_ed25519.pub; on Windows, C:\Users\you\.ssh\).
  • Set a passphrase. It encrypts the private key on disk, so a stolen laptop doesn't equal stolen server access, and the agent (below) means you type it rarely.
  • ed25519 is the modern default: small, fast, strong. (Only fall back to -t rsa -b 4096 for ancient systems that don't speak it.)

Print the public half whenever you need to paste it:

cat ~/.ssh/id_ed25519.pub

The output is one line starting with ssh-ed25519 ....

Get it onto your VPS

  • Before the VPS exists (the best way): save the public key on the SSH Keys page, or import it straight from your GitHub/GitLab account, then select it on the deploy or reinstall form. The server is born trusting your key, and with key-only login mode there was never a password to attack.
  • On a running server: from your machine,

ssh-copy-id user@your-server-ip

does everything (appends the key to ~/.ssh/authorized_keys with correct permissions). Doing it by hand instead: append the .pub line to ~/.ssh/authorized_keys on the server, and make sure permissions are strict: 700 on ~/.ssh, 600 on the file. SSH refuses keys in sloppy directories.

Then test (ssh user@your-server-ip should log in without a password) and, once it works, turn off password login.

The agent: type the passphrase once

The ssh-agent holds your unlocked key for the session, so the passphrase costs you one entry, not one per connection:

ssh-add

macOS remembers across reboots via the keychain; on Windows, enable the OpenSSH Authentication Agent service once (Services app, set to Automatic) and ssh-add works the same way.

The ~/.ssh/config file: stop typing IPs

The most underrated file in the toolchain. Define your servers once:

Host web
    HostName 203.0.113.5
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    Port 22

From then on it's just ssh web, and every tool that speaks SSH (scp, rsync, SFTP clients, IDEs) understands the alias too. Changed your SSH port? Update it here once instead of in every command.

Multiple devices, revocation, and clients

  • One key per device (laptop, desktop, work machine), not one key copied everywhere. Add each public key to the server; authorized_keys happily holds many lines.
  • Revoking a device is deleting its line from authorized_keys. That granularity is the payoff of per-device keys.
  • FileZilla and WinSCP use the same key for SFTP; point them at the key file. WinSCP and PuTTY historically wanted their own .ppk format; both convert OpenSSH keys, though if you're starting fresh, the built-in ssh client makes PuTTY optional entirely.
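
The by-hand install from "Get it onto your VPS" and the per-device revocation described above, as an added shell example (not code from this page or its provider). The names add_key, revoke_key, has_field and SSH_DIR are hypothetical helpers; run it on the server as the login user.

```shell
#!/bin/sh
# Added example (not from the original page): by-hand key install and per-device revocation.
# SSH_DIR defaults to ~/.ssh; override it to try the functions on a scratch directory.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# has_field FILE WORD: true if any line of FILE has WORD as a whole whitespace-separated field.
has_field() {
    awk -v w="$2" '{ for (i = 1; i <= NF; i++) if ($i == w) found = 1 } END { exit !found }' "$1"
}

# add_key 'ssh-ed25519 AAAA... you@laptop': append one .pub line, skipping duplicates.
add_key() {
    read -r ktype blob _comment <<EOF
$1
EOF
    case $ktype in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "add_key: not a public key line" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || { echo "add_key: missing key data" >&2; return 1; }
    # sshd ignores authorized_keys when the directory or file is writable by others.
    mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR" || return 1
    touch "$SSH_DIR/authorized_keys" && chmod 600 "$SSH_DIR/authorized_keys" || return 1
    has_field "$SSH_DIR/authorized_keys" "$blob" && return 0   # already authorized
    printf '%s\n' "$1" >> "$SSH_DIR/authorized_keys"
}

# revoke_key WORD: drop every line carrying WORD as a whole field (the key blob, or a
# one-word comment such as you@laptop). Prints how many lines were removed.
revoke_key() {
    file="$SSH_DIR/authorized_keys"
    [ -n "$1" ] && [ -f "$file" ] || return 1
    tmp=$(mktemp "$SSH_DIR/authorized_keys.XXXXXX") || return 1
    awk -v w="$1" '{ for (i = 1; i <= NF; i++) if ($i == w) next; print }' "$file" > "$tmp"
    removed=$(( $(wc -l < "$file") - $(wc -l < "$tmp") ))
    chmod 600 "$tmp" && mv "$tmp" "$file" && echo "$removed"
}
```

After revoking, keep your current session open and confirm that a fresh login from a device you still trust works before you disconnect.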

When it doesn't work

  • Still asked for a password: the server didn't accept the key. Usual causes: wrong username (the key went to root but you're connecting as deploy?), key not in that user's authorized_keys, or permissions too loose (check ls -la ~/.ssh on the server). ssh -v web prints which keys were offered and what the server said. That verbose output is dense; pasting it whole into an AI chatbot gets it decoded line by line.
  • "WARNING: UNPROTECTED PRIVATE KEY FILE" on your machine: your private key's permissions are too open; run chmod 600 ~/.ssh/id_ed25519.
  • Locked out after enabling key-only: the Console doesn't use SSH; get in there and fix authorized_keys or re-enable password auth.

Still need help?

You can open a support ticket. So we can help on the first reply, it's worth mentioning:

  • the VPS hostname or IP,
  • your OS, and where it fails (generating, deploying, or logging in),
  • the ssh -v output for a failing login.
Last reviewed: 2026-07-02