ssh-keygen -N: Passphrase-Free Keys for CI
ssh-keygen -N "" generates (or rewrites) a key without a passphrase so it can be used non-interactively.
CI cannot type a passphrase, so deploy keys are usually passphrase-free and protected instead by secret storage and file permissions. -N sets this at generation; -p changes it later.
What it does
The -N flag sets the passphrase when generating a key; an empty string means none. To change an existing key's passphrase non-interactively, use -p with -N (new) and -P (old). A passphrase-free key needs no agent to use.
Common usage
# generate with no passphrase
ssh-keygen -t ed25519 -f ./deploy_key -N ""
# remove a passphrase from an existing key
ssh-keygen -p -f ./deploy_key -P "oldpass" -N ""Options
| Flag | What it does |
|---|---|
| -N <phrase> | New passphrase ("" for none) |
| -P <phrase> | Old passphrase (with -p) |
| -p | Change the passphrase of an existing key |
| -f <file> | Key file to create or modify |
In CI
A passphrase-free deploy key is standard practice; store it as a masked CI secret and write it to a file at mode 600. If policy requires a passphrase, load the key into ssh-agent with ssh-add once per job instead, so commands need no prompt.
Common errors in CI
If a key has a passphrase and BatchMode is on, ssh fails with "Permission denied" because it cannot prompt. ssh-keygen -p with a wrong -P prints "Bad passphrase." A passphrase-protected key used without an agent makes ssh hang on "Enter passphrase for key"; remove the passphrase or use an agent.