Skip to content
Latchkey

ssh-keygen -N: Passphrase-Free Keys for CI

ssh-keygen -N "" generates (or rewrites) a key without a passphrase so it can be used non-interactively.

CI cannot type a passphrase, so deploy keys are usually passphrase-free and protected instead by secret storage and file permissions. -N sets this at generation; -p changes it later.

What it does

The -N flag sets the passphrase when generating a key; an empty string means none. To change an existing key's passphrase non-interactively, use -p with -N (new) and -P (old). A passphrase-free key needs no agent to use.

Common usage

Terminal
# generate with no passphrase
ssh-keygen -t ed25519 -f ./deploy_key -N ""
# remove a passphrase from an existing key
ssh-keygen -p -f ./deploy_key -P "oldpass" -N ""

Options

FlagWhat it does
-N <phrase>New passphrase ("" for none)
-P <phrase>Old passphrase (with -p)
-pChange the passphrase of an existing key
-f <file>Key file to create or modify

In CI

A passphrase-free deploy key is standard practice; store it as a masked CI secret and write it to a file at mode 600. If policy requires a passphrase, load the key into ssh-agent with ssh-add once per job instead, so commands need no prompt.

Common errors in CI

If a key has a passphrase and BatchMode is on, ssh fails with "Permission denied" because it cannot prompt. ssh-keygen -p with a wrong -P prints "Bad passphrase." A passphrase-protected key used without an agent makes ssh hang on "Enter passphrase for key"; remove the passphrase or use an agent.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →