Windows 10 OpenSSH – Creating a new private/public key pair

August 24th, 2019 by Richy B. Leave a reply »

This article is the fourth of a series I’ve written about migrating from using PuTTy on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:

  1. Installation
  2. Storing keys using the SSH Agent
  3. Importing existing keys
  4. Creating a new public/private key pair < You are here
  5. Other useful OpenSSH commands
  6. Configuring Windows Git

If you need a new SSH key pair for Github, Bitbucket, AWS, your own SSH server etc, then the easiest way to generate one is from your user’s PowerShell using the command:
ssh-keygen -o
(the -o argument indicates to use the newer OpenSSH format rather than the pre-2014 older PEM format)

This will produce output such as:

ssh-keygen -o
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\userName/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\userName/.ssh/id_rsa.
Your public key has been saved in C:\Users\userName/.ssh/
The key fingerprint is:
SHA256:9hLEuBRdTBGDmAWxaDXhSwvqYLGVxDVtGiMumz9NUak userName@machineName
The key's randomart image is:
+---[RSA 2048]----+
|  ...oOOo=*o     |
|  .o.*+@o ..     |
| ..o= & o        |
| .++ E =         |
|.o=   = S        |
|.=   . . o       |
|  o o   . .      |
|   o .   .       |
|    .            |

Don’t forget to add it to the ssh-agent: if you generated this in the default location ending .ssh/id_rsa(.pub) you can use just ssh-add without any parameters to add it

You’ll need to add the public key to whichever remote service you are using – this can be found using either ssh-add -L (if you’ve added it to the Windows10 OpenSSH ssh-agent) or by cat ~/.ssh/ (the .pub files are “safe for distribution” – but keep the ones without the .pub extension safe!)

OpenSSH Key-gen additional settings

There are plenty of of pages on the internet detailing the various settings the normal Linux/Unix/MacOS ssh-keygen command takes (and the Windows10 Open SSH variant will take most of them), but a quick reference is:

ssh-keygen -o -c
To add a comment (helps identify keys
ssh-keygen -o -b 4096
To generate a 4096 bit key in the default format (currently rsa)
ssh-keygen -o -t ed25519 -a 100 – recommended!
To generate with the ed25519 complexity with 100 rounds of key derivations (may not be supported by all servers).
The key will end in .ssh/id_ed25519, but you can just add it with “ssh-add” as above as it takes into account all the endings.
ssh-keygen -o -t rsa -b 4096 -a 100
To generate an rsa (default) key with 4096 bits and 100 rounds of key derivations
Windows does supports key generation types of “dsa” which is insecure and “esdsa” which has known weaknesses )

This post is over 6 months old.

This means that, despite my best intentions, it may no longer be accurate.

This blog holds over 12 years of archived content - during that time, I may have changed my opinion of something, technology will have advanced (and old "best standards" may no longer be the case), my technology "know how" has improved etc etc - it would probably take me a considerable amount of time to update all the archival entries: and defeat the point of keeping them anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey and "caveat emptor".

Leave a Reply

%d bloggers like this: