🔑 SSH Key Management Cheat Sheet: Creation, Re-Encryption, and Verification

🔑 SSH Key Management Cheat Sheet: Creation, Re-Encryption, and Verification

Managing SSH keys securely is a core requirement for any infrastructure team. Based on the documentation shown in image_6f2a0c.png, here is a quick guide on how to safely generate, convert, re-encrypt, and verify your keys.

1️⃣ Creating a Modern SSH Key#

When creating new keys, modern algorithms like Ed25519 are preferred over legacy RSA for their superior security profile and performance. Use this command to generate a key with strong key-derivation function loops and a custom comment:

Terminal window
ssh-keygen -t ed25519 -a 200 -o -C "your_email@example.com"

To connect using your specific identity key file:

Terminal window
ssh username@<remote_host_ip> -i /path/to/your/keyfile

2️⃣ Handling Key Security Options#

🔓 Option A: Convert to an Unencrypted OpenSSH Key#

If your credentials are saved in a secure secrets manager or vault that handles encryption at the storage layer, you can strip an existing passphrase by running:

Terminal window
ssh-keygen -p -N "" -f /path/to/your/keyfile

Note: The system will prompt you for the original passphrase to decrypt it first, then save it back as an unencrypted key.

🔒 Option B: Re-Encrypt with Modern Protection (AES-256)#

If you want to keep a passphrase on the key file itself but ensure it uses robust, modern protection (AES-256 with enhanced KDF hashing resistance), run:

Terminal window
ssh-keygen -p -o -a 100 -f /path/to/your/keyfile

3️⃣ Verifying If a Key Requires a Passphrase#

The most reliable, foolproof method to check if a private key is password-protected is to ask the SSH system to read the public key from it directly:

Terminal window
ssh-keygen -y -f /path/to/your/keyfile
License

CC BY-NC-SA 4.0 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Related Posts