Parameters
Elliptic-curve. Fastest, most secure modern option. Recommended.
RSA: 4096-bit is the hardened default.
Higher rounds = slower passphrase cracking. Default 100 recommended.
Label for the key. Omit to skip the -C flag entirely.
Custom path only. Leave blank to use the OpenSSH default for the chosen algorithm.
bash -- axiomape ssh-keygen builder
# Next Step - copy your public key to a remote server
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub user@hostname
Replace user@hostname with your actual server credentials.
Key Terms Explained
SSH (Secure Shell)
A cryptographic network protocol for operating network services securely over an unsecured network. SSH authenticates users with key pairs instead of passwords, encrypts all traffic, and is the standard for remote server administration.
Ed25519
An elliptic-curve digital signature algorithm using Curve25519. It produces 256-bit keys that are compact, fast, and secure. Constant-time arithmetic makes it resistant to timing side-channel attacks. Recommended for all new SSH keys in 2025.
RSA
Rivest-Shamir-Adleman: the classic public-key algorithm based on integer factorization difficulty. Widely supported even on legacy systems. For SSH use, a minimum of 3072 bits is required; 4096 is the hardened default selected by this tool.
ECDSA
Elliptic Curve Digital Signature Algorithm. Smaller key sizes than RSA for equivalent security, but its security depends on the quality of the random number generator at signing time. Ed25519 is preferred over ECDSA for new keys.
Public / Private Key Pair
Two mathematically linked keys. The private key (id_ed25519) stays only on your machine. The public key (id_ed25519.pub) is placed on servers you want to reach. Data encrypted with one key can only be decrypted with the other - proving identity without transmitting a secret.
KDF Rounds (-a)
Key Derivation Function rounds. Controls how many iterations of the KDF are applied when deriving the encryption key from your passphrase. More rounds make the private key exponentially harder to brute-force if the file is stolen. Each extra round costs milliseconds to you but seconds to an attacker per guess.
ssh-copy-id
A helper utility that securely appends your .pub public key to a remote server's ~/.ssh/authorized_keys file. After running it once you can connect to that server with your private key and no password needed. It never touches your private key file.
ssh-agent
A background daemon that holds decrypted private keys in memory for your session. After unlocking your key once with ssh-add, the agent supplies the key material to SSH connections automatically - no repeated passphrase prompts - until you log out or clear the agent.
authorized_keys
A file on the remote server at ~/.ssh/authorized_keys listing public keys that are allowed to authenticate. Each line is one public key. When you connect, the server checks if your private key matches any public key in this file before granting access.
ed25519-sk
A variant of Ed25519 for hardware security keys (such as YubiKey or FIDO2 tokens). The private key is stored on the hardware device itself and never leaves it. Requires physical touch confirmation to sign, providing the strongest practical protection against key theft.

The Complete Guide to SSH Key Generation

SSH key authentication replaces the guessable, brute-forceable password login with a cryptographic challenge-response. Once you understand what each flag does, you will never use the defaults blindly again - and this tool builds the exact command you need.

How to Use This Tool

Select your algorithm in the Key Type dropdown. Ed25519 is the default and the right choice for almost every use case. If you need to access an old device or server that does not support elliptic-curve keys, choose RSA and the key size field will appear - set it to 4096.

Set KDF Rounds to a value between 64 and 256. The default of 100 rounds is a good balance: fast enough that unlocking the key is imperceptible, slow enough that an attacker with a stolen key file needs hours instead of seconds to crack a weak passphrase. Add a comment in the Comment field to label which machine this key lives on. The generated command updates instantly with every change - copy it and run it in your terminal when ready.

Understanding the ssh-keygen Flags

The -t flag sets the key type (the algorithm). The -b flag sets the key size in bits, which only applies to RSA and ECDSA - Ed25519 uses a fixed 256-bit curve and ignores this flag entirely. The -a flag controls KDF iteration count. The -C flag embeds a comment string at the end of your public key line, which is purely a label with no effect on security. The -f flag specifies the output file path - omitting it uses the algorithm-appropriate default (~/.ssh/id_ed25519 for Ed25519, ~/.ssh/id_rsa for RSA).
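The flag rules above, written out as POSIX shell functions (an added example, not the builder's own code): the command assembler drops -b for non-RSA/ECDSA types and omits -C and -f when their fields are blank, valid_rounds enforces the 64..256 range given under How to Use This Tool, and default_key_path returns the OpenSSH per-type path used when -f is omitted. The sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# build_keygen_cmd TYPE BITS ROUNDS COMMENT FILE
# Assembles the ssh-keygen invocation from the five builder inputs.
build_keygen_cmd() {
  type="$1" bits="$2" rounds="$3" comment="$4" file="$5"
  cmd="ssh-keygen -t $type"
  # Ed25519 has a fixed curve size, so -b is emitted for RSA/ECDSA only
  case "$type" in
    rsa|ecdsa) [ -n "$bits" ] && cmd="$cmd -b $bits" ;;
  esac
  cmd="$cmd -a $rounds"
  # -C is a pure label: skipped entirely when the comment field is empty
  [ -n "$comment" ] && cmd="$cmd -C \"$comment\""
  # -f is skipped when blank so ssh-keygen falls back to its default path
  [ -n "$file" ] && cmd="$cmd -f $file"
  printf '%s\n' "$cmd"
}

# Accept only integer KDF round counts in the 64..256 range the guide gives.
valid_rounds() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 64 ] && [ "$1" -le 256 ]
}

# Path ssh-keygen writes to when -f is omitted (OpenSSH per-type defaults).
default_key_path() {
  case "$1" in
    ed25519-sk) printf '%s\n' '~/.ssh/id_ed25519_sk' ;;
    ecdsa-sk)   printf '%s\n' '~/.ssh/id_ecdsa_sk' ;;
    *)          printf '%s\n' "~/.ssh/id_$1" ;;
  esac
}

# Constructed sample inputs: the tool's defaults plus a comment, and a
# legacy RSA key with an explicit output path.
build_keygen_cmd ed25519 "" 100 "alice@laptop" ""
build_keygen_cmd rsa 4096 100 "" "~/.ssh/id_rsa_legacy"
```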

After Generating Your Key

Once ssh-keygen runs, you have two new files: the private key (no extension) and the public key (.pub). Use ssh-add ~/.ssh/id_ed25519 to load the private key into your ssh-agent so you only need to enter the passphrase once per session. Then use ssh-copy-id with your .pub file to install the public key on any server you want to access. The Next Steps command shown in the terminal above is pre-filled with your chosen file path.

Frequently Asked Questions

Why is Ed25519 recommended over RSA?
Ed25519 uses elliptic-curve cryptography on Curve25519. It produces smaller keys (256 bits) that are faster to generate, faster to sign, and faster to verify than RSA-4096, while providing equivalent or greater security. Ed25519 is also resistant to timing side-channel attacks by design because its arithmetic uses constant-time operations. RSA key security depends entirely on the difficulty of factoring very large integers - a problem that a sufficiently powerful quantum computer could solve. For new keys in 2025, Ed25519 is the clear choice unless your target server is so old it does not support it.
What does the KDF Rounds (-a) parameter do?
The -a flag controls how many rounds of the Key Derivation Function (KDF) are applied when encrypting your private key with a passphrase. A higher round count means more computation is required to derive the encryption key from your passphrase. This directly multiplies the cost of a brute-force attack against a stolen private key file. The default in most OpenSSH versions is 16. Setting it to 100 makes offline cracking attempts roughly 6 times more expensive. Setting it to 200 doubles that again. There is no downside except a tiny delay when you first unlock the key - the unlocking calculation only runs once per ssh-agent session.
Should I always use a passphrase for my SSH key?
Yes, in almost every scenario. A private key without a passphrase is like a password written in a plain text file - anyone who reads the file can impersonate you immediately. With a passphrase, even if an attacker steals your .ssh/id_ed25519 file, they cannot use it without also cracking the passphrase. In practice, the inconvenience of a passphrase is eliminated by ssh-agent, which holds the decrypted key in memory for your session so you only type the passphrase once. The only common legitimate exception is fully automated non-interactive deployments (CI pipelines, cron jobs) where no human is present to type a passphrase - and those keys should be heavily scope-restricted.
Why does this tool generate a command instead of the key itself?
Private keys must never touch a server. If this tool generated your private key in a browser, the key material would pass through JavaScript memory and could be logged by browser extensions, saved in browser history, or exposed through speculative-execution vulnerabilities. Generating the key locally on your own machine via ssh-keygen ensures the private key is created in an environment you control and is written only to your local filesystem. This tool gives you the correctly assembled command - your terminal does the sensitive work.
What is ssh-copy-id and when do I use it?
ssh-copy-id is a utility that appends your SSH public key to the ~/.ssh/authorized_keys file on a remote server. You run it once after generating a key pair. After that, the remote server trusts connections authenticated with your matching private key and you no longer need a password to log in. The command reads your public key file (ending in .pub) - never the private key - and sends only that public value to the server over an authenticated SSH session. It is safe to share a public key freely.
What is the difference between a public key and a private key in SSH?
SSH uses asymmetric cryptography. ssh-keygen produces a matched pair: a private key (id_ed25519) and a public key (id_ed25519.pub). The private key stays on your local machine only - guard it like a password. The public key is installed on every server you want to access (in ~/.ssh/authorized_keys). When you connect, the server sends a challenge encrypted with your public key. Only your private key can decrypt and answer it correctly. An eavesdropper who sees your public key cannot derive your private key, so sharing the .pub file is always safe.