Free tool · Runs in your browser

SSH Key Generator

Generate an Ed25519 or RSA SSH key pair right in your browser with the Web Crypto API - your private key never leaves your device. Copy or download the keys, ready for any server.

Keys are generated entirely in your browser with the Web Crypto API. Your private key is never sent anywhere - no network request, no logging.

Key type
Usually your email or user@machine - helps you identify the key

Prefer the terminal? This is the equivalent command - and for production keys, generating locally with ssh-keygen or CtrlOps is the gold standard.

ssh-keygen command
$ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

What is an SSH key pair?

An SSH key pair is two linked files: a private key you keep secret on your machine, and a public key you place on the servers you want to reach. When you connect, the server checks that you hold the matching private key - so you log in securely without ever typing a password.

Key-based auth is both safer and more convenient than passwords, which is why it is the standard for managing Linux servers.

Ed25519 or RSA?

Use Ed25519 unless you have a reason not to - it is fast, the keys are tiny, and the security is excellent. Reach for RSA (3072 or 4096 bits) only when you must support an older server or tool that predates Ed25519. Avoid DSA and 1024-bit RSA entirely; they are considered weak.

How to use your new key

  1. Generate the pair above and download both files into your ~/.ssh directory.
  2. Lock down the permissions: chmod 600 ~/.ssh/id_ed25519 and chmod 700 ~/.ssh. SSH refuses keys that others can read - our chmod calculator explains why.
  3. Copy the public key to your server with ssh-copy-id user@host, or append it to ~/.ssh/authorized_keys there.
  4. Optionally add an alias in your SSH config so you can connect with a short name.

Is generating keys in the browser safe?

This tool runs entirely on your device using the browser's built-in Web Crypto API. The private key is created locally and is never transmitted, logged, or stored on any server. You can confirm this by generating a key with your network tab open - there is no request.

For the very highest assurance - production infrastructure, signing keys, anything long-lived - generating locally with ssh-keygen or inside CtrlOps remains the gold standard. This generator is ideal for learning, testing, and quick keys.

Which key type should you pick?

TypeNotes
Ed25519The modern default - compact, fast, and very secure. Recommended for all new keys.
RSA 3072 / 4096Broadly compatible, including older servers. Use 3072 bits or more; never 1024.
ECDSASmaller than RSA, but Ed25519 is generally preferred over the NIST curves.
DSAObsolete and disabled in modern OpenSSH. Do not use it.
SSH key FAQ

Frequently asked questions

This tool generates keys entirely client-side using the Web Crypto API - the private key is never sent over the network, logged, or stored anywhere. You can verify that with your browser network tab open. For maximum assurance on production or long-lived keys, generating locally with ssh-keygen or CtrlOps is still the gold standard.
Use Ed25519 for new keys - it is fast, compact, and very secure, and is supported by all modern systems. Choose RSA (3072 or 4096 bits) only when you need to connect to an older server or tool that does not support Ed25519. Avoid DSA and 1024-bit RSA, which are considered weak.
The easiest way is ssh-copy-id user@host, which appends your public key to ~/.ssh/authorized_keys on the server. You can also paste the public key into that file manually. Only ever copy the public key (the .pub file) to servers - never the private key.
Your private key should be chmod 600 (readable only by you), the ~/.ssh directory should be chmod 700, and the public key can be chmod 644. SSH will refuse to use a private key that other users can read. See our chmod calculator for the details.
Keys from this tool are generated without a passphrase. Add one locally with ssh-keygen -p -f ~/.ssh/id_ed25519 - it encrypts the private key at rest so a stolen key file is useless without the passphrase. An SSH agent can cache it so you only type it once per session.
By convention, in the ~/.ssh directory in your home folder. The default names are id_ed25519 and id_ed25519.pub for Ed25519, or id_rsa and id_rsa.pub for RSA. Create the ~/.ssh directory with chmod 700 if it does not already exist.
Stop scattering key files

Keep every key encrypted and in one place.

CtrlOps has a built-in SSH key management wizard - generate, store, and assign keys per server with AES-256 encryption at rest, all on your own machine. No more hunting for id_rsa across laptops.

Start instantly· No credit card· No sneaky autorenewals