This article is the fourth of a series I’ve written about migrating from using PuTTy on Windows to using the native OpenSSH client now available on Windows 10: you can read the rest of the articles via:
- Installation
- Storing keys using the SSH Agent
- Importing existing keys
- Creating a new public/private key pair < You are here
- Other useful OpenSSH commands
- Configuring Windows Git
If you need a new SSH key pair for Github, Bitbucket, AWS, your own SSH server etc, then the easiest way to generate one is from your user’s PowerShell using the command:
ssh-keygen -o
(the -o argument indicates to use the newer OpenSSH format rather than the pre-2014 older PEM format)
This will produce output such as:
ssh-keygen -o Generating public/private rsa key pair. Enter file in which to save the key (C:\Users\userName/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in C:\Users\userName/.ssh/id_rsa. Your public key has been saved in C:\Users\userName/.ssh/id_rsa.pub. The key fingerprint is: SHA256:9hLEuBRdTBGDmAWxaDXhSwvqYLGVxDVtGiMumz9NUak userName@machineName The key's randomart image is: +---[RSA 2048]----+ | ...oOOo=*o | | .o.*+@o .. | | ..o= & o | | .++ E = | |.o= = S | |.= . . o | | o o . . | | o . . | | . | +----[SHA256]-----+
Don’t forget to add it to the ssh-agent: if you generated this in the default location ending .ssh/id_rsa(.pub) you can use just ssh-add
without any parameters to add it
You’ll need to add the public key to whichever remote service you are using – this can be found using either ssh-add -L
(if you’ve added it to the Windows10 OpenSSH ssh-agent) or by cat ~/.ssh/id_rsa.pub
(the .pub
files are “safe for distribution” – but keep the ones without the .pub extension safe!)
OpenSSH Key-gen additional settings
There are plenty of of pages on the internet detailing the various settings the normal Linux/Unix/MacOS ssh-keygen command takes (and the Windows10 Open SSH variant will take most of them), but a quick reference is:
ssh-keygen -o -c
- To add a comment (helps identify keys
ssh-keygen -o -b 4096
- To generate a 4096 bit key in the default format (currently rsa)
ssh-keygen -o -t ed25519 -a 100
– recommended!- To generate with the ed25519 complexity with 100 rounds of key derivations (may not be supported by all servers).
The key will end in .ssh/id_ed25519, but you can just add it with “ssh-add” as above as it takes into account all the endings. ssh-keygen -o -t rsa -b 4096 -a 100
- To generate an rsa (default) key with 4096 bits and 100 rounds of key derivations
Windows does supports key generation types of “dsa” which is insecure and “esdsa” which has known weaknesses )