Skip to content
Latchkey

ssh-keygen: Generate ed25519 and RSA Keys

ssh-keygen generates an SSH key pair, writing the private key to a file and the public key to the same name with .pub.

Every SSH deploy starts with a key pair. ed25519 is the modern default; RSA at 4096 bits remains compatible everywhere. The flags below make generation fully non-interactive.

What it does

ssh-keygen creates a private/public key pair for the chosen algorithm. -t picks the type, -f names the output file, -C sets a comment, and -N sets the passphrase. The public key is written to <file>.pub.

Common usage

Terminal
# modern default: ed25519, no passphrase, named file
ssh-keygen -t ed25519 -C "deploy@ci" -f ./deploy_key -N ""
# RSA 4096 for maximum compatibility
ssh-keygen -t rsa -b 4096 -C "deploy@ci" -f ./deploy_key -N ""

Options

FlagWhat it does
-t <type>Key type: ed25519, rsa, ecdsa
-b <bits>Key size in bits (RSA: 4096; ignored for ed25519)
-C <comment>Comment appended to the public key
-f <file>Output filename (public key gets .pub)
-N <phrase>Passphrase ("" for none)
-qQuiet output

In CI

Always pass -f and -N "" so generation never prompts. ed25519 keys are short and fast and are supported by all current hosts; choose rsa -b 4096 only for legacy targets. The matching .pub goes into the server's authorized_keys.

Common errors in CI

Without -f, ssh-keygen prompts "Enter file in which to save the key" and hangs. "<file> already exists. Overwrite (y/n)?" hangs too if the file exists; remove it or write to a fresh path. "Saving key "<file>" failed: Permission denied" means the target directory is not writable; use a writable workspace path.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →