SSH Key Generator Guide: Create and Install an Ed25519 Key

How SSH keys work, why Ed25519 is the modern default, and how to generate, protect and install a key pair — all without trusting a server with your private key.

What this tool does

The SSH Key Generator creates a public/private key pair in the OpenSSH format your SSH client and Git host expect. It runs the key generation in your browser with the Web Crypto API, so the private key — the secret half — is created on your machine and never sent anywhere. The output is byte-for-byte the same format as ssh-keygen.

How SSH keys work

An SSH key pair is asymmetric: the private key stays on your computer, and the matching public key is placed on the server. When you connect, the server challenges you to prove you hold the private key, without it ever crossing the network. That is why key auth is stronger than a password — there is no shared secret to steal in transit, and the private key can (and should) be protected with a passphrase.

Ed25519 or RSA?

Choose Ed25519. It produces small, fast keys with excellent security and is supported by every current system, including GitHub and GitLab. RSA is only for legacy hosts that lack Ed25519 support; if you need it, use 4096 bits. Older DSA and ECDSA-with-weak-curves keys are best avoided entirely.

Installing the key

Save the private key and install the public key where you want to log in:

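# create ~/.ssh if it does not exist, then save the private key and lock it down
mkdir -p ~/.ssh && chmod 700 ~/.ssh
mv id_ed25519 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519

# write the matching public key next to it (derived from the private key)
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub

# add a passphrase (recommended)
ssh-keygen -p -f ~/.ssh/id_ed25519

# for a server: append the PUBLIC key to the remote authorized_keys
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host

# for a Git host: paste the PUBLIC key into Settings → SSH keys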

Only ever share the .pub file. The private key is a credential — treat it like a password.

Protecting the private key

This tool outputs an unencrypted private key so it works in any browser without extra dependencies. Add a passphrase immediately with ssh-keygen -p as shown above; that encrypts the on-disk key so a stolen laptop does not hand over your access. Combined with an SSH agent, you type the passphrase once per session, not per connection.
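
One way to confirm the passphrase step took effect, as an added example that is not part of the original guide or the tool's own code: the OpenSSH private key container stores its cipher name unencrypted, so a short Python parser can tell an unprotected key (cipher "none") from a protected one. The build_sample helper and its all-zero key bytes are constructed for the demonstration and are not real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _s(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def inspect_private_key(pem_text):
    """Report cipher, KDF, key type and whether the key is passphrase-protected."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic, not openssh-key-v1")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    off += 4  # uint32 number of keys
    pub, off = _read_string(blob, off)  # public key is stored in the clear
    key_type, _ = _read_string(pub, 0)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "key_type": key_type.decode(), "encrypted": cipher != b"none"}

def build_sample(cipher, kdf):
    """Constructed sample: real container layout, zero bytes as key material."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    blob = (MAGIC + _s(cipher) + _s(kdf) + _s(b"")
            + struct.pack(">I", 1) + _s(pub) + _s(bytes(64)))
    return f"{BEGIN}\n{base64.b64encode(blob).decode()}\n{END}\n"

if __name__ == "__main__":
    print("as generated:", inspect_private_key(build_sample(b"none", b"none")))
    print("after ssh-keygen -p:", inspect_private_key(build_sample(b"aes256-ctr", b"bcrypt")))
```

To check a real key, pass the contents of ~/.ssh/id_ed25519 to inspect_private_key; "encrypted" should be True once a passphrase has been set.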

Privacy

Everything happens in your browser. The private key is generated locally and is never transmitted — you can disconnect from the network after the page loads and generation still works. Generating keys on a remote server, by contrast, requires trusting that server with the one secret you should never share.
