🔑 SSH Key Generator

Generate RSA and ECDSA key pairs in your browser. Nothing is sent to any server.

Key Type

Comment / Label

Free SSH Key Generator

Generate RSA and ECDSA SSH key pairs directly in your browser using the Web Crypto API. Choose from RSA-2048, RSA-4096, ECDSA P-256, or ECDSA P-384. Public keys are output in standard OpenSSH format, ready to paste into authorized_keys files or upload to services like GitHub, GitLab, and Bitbucket. Private keys are exported in PEM (PKCS#8) format. All cryptographic operations run entirely in your browser, so your private key never touches a network connection.

What is an SSH Key Generator?

SSH (Secure Shell) keys are cryptographic key pairs used to authenticate users and establish encrypted connections between computers. Unlike passwords, SSH keys use public-key cryptography: a public key is placed on the remote server, and the corresponding private key stays on your local machine. When you connect, the server challenges you to prove ownership of the private key without ever transmitting it, making the process both more secure and more convenient than password-based logins.

An SSH key generator creates these key pairs for you. Traditionally, you would use the command-line tool ssh-keygen on Linux or macOS, but this browser-based generator provides the same functionality without installing anything. It uses the Web Crypto API, the same cryptographic engine that powers TLS in your browser, to generate keys with proper randomness. The keys produced are compatible with OpenSSH servers, GitHub, GitLab, AWS, Azure, and any service that accepts standard SSH public keys.

This tool supports two families of algorithms. RSA is the most widely compatible algorithm and has been the default choice for decades. It works with virtually every SSH server and service. ECDSA (Elliptic Curve Digital Signature Algorithm) provides equivalent security with much smaller key sizes, resulting in faster authentication and smaller authorized_keys entries. ECDSA P-256 offers 128 bits of security in a compact key, while P-384 offers 192 bits for environments that require higher assurance.

How to Use This Tool

Select your desired key type from the four options: RSA-2048, RSA-4096, ECDSA P-256, or ECDSA P-384. RSA-2048 is sufficient for most use cases, while RSA-4096 provides extra margin for long-lived keys.
Optionally edit the comment field. This label is appended to the public key and helps you identify which key belongs to which machine or account. The default format is user@hostname.
Click "Generate Key Pair" and wait briefly while the browser creates your keys. RSA-4096 may take a moment longer than the other options due to the larger key size.
Copy or download both keys. Paste the public key into your server's ~/.ssh/authorized_keys file or upload it to your Git hosting service. Store the private key securely on your local machine with restricted permissions (chmod 600).

Key Features

Multiple Algorithms - Choose from RSA-2048, RSA-4096, ECDSA P-256, or ECDSA P-384 depending on your security and compatibility requirements.
OpenSSH Format Output - Public keys are generated in the standard OpenSSH format (ssh-rsa or ecdsa-sha2-nistp256/384) that servers and services expect.
One-Click Copy and Download - Copy keys to your clipboard or download them as files with a single click. Private keys download without a file extension for direct use.
SHA-256 Fingerprint - View the key fingerprint in the standard SHA256:base64 format, useful for verifying keys and auditing authorized_keys files.
Key Strength Meter - A visual indicator shows the theoretical security level of your chosen algorithm in bits, helping you make informed decisions.

Frequently Asked Questions

Should I choose RSA or ECDSA?

RSA is the most compatible option and works with virtually every SSH server and hosting platform. ECDSA keys are smaller and faster, making authentication slightly quicker. If your servers and services support it, ECDSA P-256 is a strong modern choice. If you need maximum compatibility with older systems, stick with RSA-2048 or RSA-4096.

Is it safe to generate SSH keys in a browser?

Yes, provided the tool runs entirely client-side. This generator uses the Web Crypto API, which draws from your operating system's cryptographic random number generator. The private key is created in your browser's memory and is never transmitted over the network. For maximum security, you can disconnect from the internet before generating, or verify the page source to confirm no outbound requests are made.

What is the difference between 2048-bit and 4096-bit RSA?

RSA-2048 provides approximately 112 bits of security, which is considered safe through 2030 and beyond by most standards bodies (NIST, BSI). RSA-4096 provides roughly 140 bits of security and is recommended for keys that will be in use for many years or in environments with elevated security requirements. The tradeoff is that 4096-bit keys are slower to generate and produce larger key files.

What is a key fingerprint?

A fingerprint is a short hash of the public key, displayed in the format SHA256:base64string. It serves as a compact identifier for the key and is used to verify that you are connecting to the correct server. When you first connect to an SSH server, your client shows the server's key fingerprint so you can confirm it matches a known good value.

Where do I put the public key?

On a Linux or macOS server, append the public key to the file ~/.ssh/authorized_keys. For cloud services like GitHub, GitLab, or Bitbucket, go to your account settings and add the key in the SSH Keys section. For AWS EC2 instances, you can import the public key through the EC2 console's Key Pairs page. The private key stays on your local machine in ~/.ssh/ with file permissions set to 600.