---
title: "How to Generate SSH Keys and Set Up SSH Key Authentication"
description: "Secure Shell (SSH) access grants you command-line interface (CLI) access to your web server. SSH key authentication provides a secure, passwordless way to connect to your Linux VPS or dedicated..."
url: https://www.inmotionhosting.com/support/server/ssh/how-to-generate-ssh-keys/
date: 2026-04-15
modified: 2026-04-16
author: "Carrie Smaha"
categories: ["SSH and Root Access"]
type: post
lang: en
---

# How to Generate SSH Keys and Set Up SSH Key Authentication

[**Secure Shell (SSH)**](https://www.inmotionhosting.com/support/server/ssh/what-is-shell-access/) access grants you **command-line interface (CLI)** access to your web server. SSH key authentication provides a secure, passwordless way to connect to your [Linux VPS](/vps-hosting) or [dedicated server](/dedicated-servers). It replaces vulnerable password-based logins with a cryptographic key pair: a private key that stays on your local machine and a public key that resides on the server. This method eliminates brute-force attacks, enables secure automation, and is the recommended standard for all InMotion Hosting VPS and dedicated servers with root or sudo access.

This comprehensive guide combines the complete process of **generating SSH keys** across Windows, Linux, and macOS with **full server-side configuration** for key-based authentication. It is written for users with a Linux VPS (Ubuntu, AlmaLinux, Debian, or similar) running OpenSSH.

## How SSH Key Authentication Works

When you connect via SSH with key authentication, the server issues a cryptographic challenge. Your local machine uses the private key to respond, proving ownership without ever sending the key or a password over the network. If you protect the private key with a passphrase, that passphrase is only entered locally.

**Key advantages over passwords:**

- No password is transmitted or stored on the server.
- Immune to brute-force and dictionary attacks.
- Supports scripted/automated connections without exposing credentials.

## Prerequisites

Before starting:

- A [Linux VPS](/vps-hosting) or [Dedicated Server](/dedicated-servers) with root or sudo access.
- Initial SSH access using password authentication (you will disable this at the end).
- Local machine running Linux, macOS, or Windows 10/11 with OpenSSH client installed (native on macOS and modern Windows).
- Basic terminal familiarity.

**Note:** Shared or Reseller Hosting uses a [different SSH process](https://www.inmotionhosting.com/support/server/ssh/shared-reseller-ssh/#generate). This guide is for VPS/dedicated servers with full root access.

## Step 1: Generate an SSH Key Pair on Your Local Machine

Generate the key pair **on your local computer**, never on the server. The current best practice is to use the **Ed25519** algorithm (faster and more secure than RSA). For maximum compatibility with older systems, you may use RSA 4096-bit keys.

### Generating SSH Keys on Linux or macOS (Terminal)

1. Open your **Terminal** application.
2. Run the recommended command:

ssh-keygen -t ed25519 -C "your_identifier"

```
ssh-keygen -t ed25519 -C "your_identifier"
```

(Replace `your_identifier` with something descriptive like `work-laptop` or `admin@company.com`.)

1. When prompted for the file location, press **Enter** to accept the default (`~/.ssh/id_ed25519`).
2. Enter a strong passphrase (recommended) and confirm it.

**Alternative (RSA 4096-bit for legacy compatibility):**

ssh-keygen -t rsa -b 4096 -C "your_identifier"

```
ssh-keygen -t rsa -b 4096 -C "your_identifier"
```

After generation, set correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

```
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
```

### Generating SSH Keys on Windows with PowerShell (OpenSSH)

Windows 10/11 includes OpenSSH natively.

1. Open **PowerShell** as Administrator.
2. Run:

ssh-keygen -t ed25519 -C "your_identifier"

```
ssh-keygen -t ed25519 -C "your_identifier"
```

1. Accept the default file location by pressing **Enter**.
2. Enter and confirm a strong passphrase.
3. (Optional but recommended) Set correct permissions on the public key:

cd ~/.ssh
icacls id_ed25519.pub /inheritance:r
icacls id_ed25519.pub /grant:r "$env:USERNAME:(R)"

```
cd ~/.ssh
icacls id_ed25519.pub /inheritance:r
icacls id_ed25519.pub /grant:r "$env:USERNAME:(R)"
```

**Alternative (RSA 4096-bit):**

ssh-keygen -t rsa -b 4096 -C "your_identifier"

```
ssh-keygen -t rsa -b 4096 -C "your_identifier"
```

### Generating SSH Keys on Windows with PuTTY (Graphical Method)

For users who prefer a GUI:

1. Download and open **PuTTYgen**.
2. Select **Ed25519** (preferred) or **RSA** with **4096** bits.
3. Click **Generate** and move your mouse in the blank area to create randomness.
4. (Optional) Add a comment and a strong passphrase.
5. Click **Save private key** (`.ppk` file) and **Save public key**.
6. Copy the public key text from the top box for later use.

Save both files in `C:\Users\YourUsername\.ssh\`.

## Step 2: Copy the Public Key to Your Linux VPS

### Option A: Using ssh-copy-id (Linux/macOS – Recommended)

From your local machine:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server-ip

```
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server-ip
```

(Replace `username` with `root` or your sudo user, and `your-server-ip` with the VPS IP.)

This command automatically creates `~/.ssh/authorized_keys`, sets permissions, and copies the key.

### Option B: Manual Copy (Windows or When ssh-copy-id Is Unavailable)

1. On your local machine, display the public key:

cat ~/.ssh/id_ed25519.pub

```
cat ~/.ssh/id_ed25519.pub
```

(Or open the `.pub` file and copy its entire contents.)

1. SSH into your server with your current password:

ssh username@your-server-ip

```
ssh username@your-server-ip
```

1. On the server, create the directory and file:

mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys

```
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
```

1. Paste the public key on a single line and save/exit.
2. Set strict permissions (critical for security):

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

```
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```

## Step 3: Test Key Authentication

Open a **new terminal** window (do not close your existing session) and test:

ssh -i ~/.ssh/id_ed25519 username@your-server-ip

```
ssh -i ~/.ssh/id_ed25519 username@your-server-ip
```

If successful, you will connect without a server password prompt (you may still be asked for your local key passphrase). Always test before proceeding to the next step.

## Step 4: Harden the SSH Configuration (Disable Password Authentication)

Once key authentication is confirmed:

1. On the server, edit the SSH daemon config:

sudo nano /etc/ssh/sshd_config

```
sudo nano /etc/ssh/sshd_config
```

1. Make the following changes (uncomment or add as needed):

PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

```
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
```

**Optional but recommended for extra security:**

Change the SSH port (reduces automated scanning):

Port 2222

```
Port 2222
```

Prevent direct root login (use a sudo user instead):

PermitRootLogin prohibit-password

```
PermitRootLogin prohibit-password
```

1. Save and exit.

## Step 5: Restart the SSH Service and Apply Changes

sudo systemctl restart sshd

```
sudo systemctl restart sshd
```

(On some distributions the service is named `ssh` instead of `sshd`.)

**If you changed the port:**

Update your firewall:

- **firewalld** (AlmaLinux/CentOS):

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

```
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
```

- **UFW** (Ubuntu/Debian):

sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

```
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
```

Test the new connection immediately in a new terminal using the updated port if changed:

ssh -i ~/.ssh/id_ed25519 -p 2222 username@your-server-ip

```
ssh -i ~/.ssh/id_ed25519 -p 2222 username@your-server-ip
```

## Step 6: Manage Keys for Convenience (SSH Agent and Config File)

### Add Keys to the SSH Agent

To avoid entering your passphrase every time:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

```
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
```

On **macOS**, use:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

```
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
```

### Use an SSH Config File for Multiple Servers

Create or edit `~/.ssh/config` on your local machine:

nano ~/.ssh/config

```
nano ~/.ssh/config
```

Example:

Host production-vps
HostName your-server-ip
User yourusername
IdentityFile ~/.ssh/id_ed25519
Port 2222

Host staging-vps
HostName staging-ip
User deploy
IdentityFile ~/.ssh/id_ed25519_staging
Port 22

```
Host production-vps
    HostName your-server-ip
    User yourusername
    IdentityFile ~/.ssh/id_ed25519
    Port 2222

Host staging-vps
    HostName staging-ip
    User deploy
    IdentityFile ~/.ssh/id_ed25519_staging
    Port 22
```

Now connect simply with:

ssh production-vps

```
ssh production-vps
```

## Final Notes and Best Practices

- Never share your private key.
- Always use a strong passphrase on production keys.
- Back up your `~/.ssh` directory.
- InMotion Hosting VPS and Dedicated Server plans include full SSH key support from provisioning.

You have now replaced password authentication with secure SSH key pairs. Your Linux server is significantly more secure against automated attacks while remaining convenient to access. For any InMotion-specific server management questions, refer to your control panel or support documentation.
