Skip to content
Latchkey

ssh-keygen -y: Recover a Public Key

ssh-keygen -y reads a private key and prints the matching public key, so you can recreate the .pub when only the private key is stored.

CI secrets usually hold just the private key. -y regenerates the public half on the fly, which you need to populate authorized_keys or verify the pair.

What it does

ssh-keygen -y computes the public key from the private key supplied with -f and writes it to stdout in authorized_keys format. No network or passphrase prompt is needed for an unencrypted key; an encrypted key is read with -P.

Common usage

Terminal
# regenerate the public key from a private deploy key
ssh-keygen -y -f ./deploy_key > ./deploy_key.pub
# encrypted private key: supply the passphrase
ssh-keygen -y -P "pass" -f ./deploy_key

Options

FlagWhat it does
-yPrint the public key derived from the private key
-f <file>Private key file to read
-P <phrase>Passphrase for an encrypted key

In CI

Write the private key from a secret at mode 600, then run ssh-keygen -y to derive the .pub when a step needs it. The private key must have correct permissions first or ssh-keygen refuses to read it, the same rule that applies to ssh.

Common errors in CI

"Load key "./deploy_key": invalid format" means the private key body is corrupted or truncated, often a stripped trailing newline in the secret. "Permissions 0644 ... are too open" blocks the read; chmod 600 first. "incorrect passphrase supplied to decrypt private key" means a wrong -P on an encrypted key.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →