Skip to content
Latchkey

ssh-keygen -l: Show a Key Fingerprint

ssh-keygen -l prints the fingerprint and size of a key so you can verify which key a file holds.

When a deploy fails on the wrong key, the fingerprint tells you which key is which. It also lets you confirm a host key matches what the provider published.

What it does

ssh-keygen -l reads a key file and prints its bit length, fingerprint, comment, and type. -f names the file; -E selects the hash (sha256 by default, md5 for legacy colon-hex fingerprints). It works on private keys, public keys, and known_hosts entries.

Common usage

Terminal
ssh-keygen -l -f ./deploy_key.pub
ssh-keygen -lf ./deploy_key            # works on the private key too
# legacy MD5 colon-hex format
ssh-keygen -l -E md5 -f ./deploy_key.pub

Options

FlagWhat it does
-lShow the fingerprint of the key
-f <file>Key or known_hosts file to read
-E sha256|md5Fingerprint hash format
-vAlso print an ASCII-art randomart image

In CI

Compare the fingerprint of the key you loaded against the one registered on the server or in GitHub to catch a wrong or corrupted secret early. To check a host's key matches the provider's published value, run ssh-keygen -lf on the known_hosts entry you scanned.

Common errors in CI

"is not a public key file" means you pointed -f at the wrong file or a corrupted key. A fingerprint that differs from the expected one means the CI secret holds a different or truncated key. SHA256 and MD5 fingerprints look completely different; compare the same -E format on both sides.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →