ssh-keygen -y: Recover a Public Key
ssh-keygen -y reads a private key and prints the matching public key, so you can recreate the .pub when only the private key is stored.
CI secrets usually hold just the private key. -y regenerates the public half on the fly, which you need to populate authorized_keys or verify the pair.
What it does
ssh-keygen -y computes the public key from the private key supplied with -f and writes it to stdout in authorized_keys format. No network or passphrase prompt is needed for an unencrypted key; an encrypted key is read with -P.
Common usage
# regenerate the public key from a private deploy key
ssh-keygen -y -f ./deploy_key > ./deploy_key.pub
# encrypted private key: supply the passphrase
ssh-keygen -y -P "pass" -f ./deploy_keyOptions
| Flag | What it does |
|---|---|
| -y | Print the public key derived from the private key |
| -f <file> | Private key file to read |
| -P <phrase> | Passphrase for an encrypted key |
In CI
Write the private key from a secret at mode 600, then run ssh-keygen -y to derive the .pub when a step needs it. The private key must have correct permissions first or ssh-keygen refuses to read it, the same rule that applies to ssh.
Common errors in CI
"Load key "./deploy_key": invalid format" means the private key body is corrupted or truncated, often a stripped trailing newline in the secret. "Permissions 0644 ... are too open" blocks the read; chmod 600 first. "incorrect passphrase supplied to decrypt private key" means a wrong -P on an encrypted key.