Generate Public/Private Key Pairs

Generate public/private key pairs on Linux for various cryptographic purposes.


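# Generate Ed25519 key pair
# ssh-keygen prompts for a passphrase; setting one means a copied key file
# is not usable on its own. -a <rounds> raises the KDF cost of that passphrase.
ssh-keygen -t ed25519 -C "your_email@example.com"

# Specify output file
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_custom -C "comment"

# Without passphrase (not recommended)
# -N "" stores the private key unencrypted: anyone who can read the file can
# authenticate with it. Reserve this for automation keys and limit what the
# key is allowed to do on the server side.
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519

# View public key (safe to share; the file without .pub is the private key)
cat ~/.ssh/id_ed25519.pub

# View fingerprint (compare it out-of-band before trusting a copied key)
ssh-keygen -lf ~/.ssh/id_ed25519.pub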

SSH Keys (RSA)

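# Generate RSA key pair (4096 bits)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Generate RSA key pair (2048 bits - minimum)
ssh-keygen -t rsa -b 2048 -C "your_email@example.com"

# Specify output file
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_custom

# Convert to PEM format
# -p rewrites the private key file in place, so back it up first. The legacy
# PEM container derives its encryption key from the passphrase with a much
# weaker KDF than the default OpenSSH format; convert only for tools that
# cannot read the OpenSSH format.
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa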

SSH Keys (ECDSA)

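# For ECDSA, -b selects the NIST curve (nistp256 / nistp384 / nistp521);
# other sizes are rejected.

# Generate ECDSA key pair (256-bit)
ssh-keygen -t ecdsa -b 256 -C "your_email@example.com"

# Generate ECDSA key pair (384-bit)
ssh-keygen -t ecdsa -b 384 -C "your_email@example.com"

# Generate ECDSA key pair (521-bit)
ssh-keygen -t ecdsa -b 521 -C "your_email@example.com"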

OpenSSL RSA Keys

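# The three genrsa examples all write private.pem; run one of them, or change
# -out, rather than running them in sequence.

# Generate private key (2048-bit) - written unencrypted
openssl genrsa -out private.pem 2048

# Generate private key (4096-bit) - written unencrypted
openssl genrsa -out private.pem 4096

# Generate encrypted private key (AES-256); prompts for the passphrase
openssl genrsa -aes256 -out private.pem 4096

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

# View private key
# Prints the private exponent and primes to the terminal; avoid in recorded
# or shared sessions.
openssl rsa -in private.pem -text -noout

# View public key
openssl rsa -pubin -in public.pem -text -noout

# Remove passphrase from private key
# private_nopass.pem is an unencrypted copy of the key: keep it mode 600 and
# delete it once the consumer that needed it has been provisioned.
openssl rsa -in private.pem -out private_nopass.pem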

OpenSSL ECC Keys

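# List available curves
openssl ecparam -list_curves

# The three unencrypted examples below all write private.pem; run one of
# them, or change -out.

# Generate ECC private key (secp256r1 / prime256v1)
openssl ecparam -name prime256v1 -genkey -noout -out private.pem

# Generate ECC private key (secp384r1)
openssl ecparam -name secp384r1 -genkey -noout -out private.pem

# Generate ECC private key (secp521r1)
openssl ecparam -name secp521r1 -genkey -noout -out private.pem

# Generate encrypted ECC private key
# The key travels through the pipe and is only ever written to disk in
# encrypted form; openssl ec prompts for the passphrase.
openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out private.pem

# Extract public key
openssl ec -in private.pem -pubout -out public.pem

# View private key (prints the private scalar; avoid in recorded sessions)
openssl ec -in private.pem -text -noout

# View public key
openssl ec -pubin -in public.pem -text -noout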

OpenSSL Ed25519 Keys

 1# Generate Ed25519 private key
 2openssl genpkey -algorithm Ed25519 -out private.pem
 3
 4# Extract public key
 5openssl pkey -in private.pem -pubout -out public.pem
 6
 7# View private key
 8openssl pkey -in private.pem -text -noout
 9
10# View public key
11openssl pkey -pubin -in public.pem -text -noout

GPG/PGP Keys

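# Generate GPG key (interactive)
gpg --full-generate-key

# Generate GPG key (batch mode)
# A Passphrase: line puts the secret into the script itself (and into shell
# history or version control if typed or committed). Leaving the line out
# makes gpg ask through pinentry instead. The quoted 'EOF' keeps the shell
# from expanding $ or backticks that a real passphrase may contain.
gpg --batch --generate-key <<'EOF'
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Your Name
Name-Email: your_email@example.com
Expire-Date: 2y
Passphrase: your_passphrase
%commit
EOF

# Generate Ed25519 key
gpg --quick-generate-key "Your Name <email@example.com>" ed25519 default 2y

# List keys
gpg --list-keys
gpg --list-secret-keys

# Export public key
gpg --export --armor your_email@example.com > public.asc

# Export private key
# The subshell umask makes the new file readable by the owner only; a plain
# redirect would create it with the default (often world-readable) mode.
(umask 077; gpg --export-secret-keys --armor your_email@example.com > private.asc)

# Export key to file
gpg --output public.gpg --export your_email@example.com
(umask 077; gpg --output private.gpg --export-secret-keys your_email@example.com)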

Age Keys (Modern Alternative)

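# Install age (use the line for your platform)
sudo apt install age  # Debian/Ubuntu
brew install age      # macOS

# Generate key pair
# key.txt holds the private identity and is not passphrase-protected; check
# its mode with ls -l and keep it owner-readable only.
age-keygen -o key.txt

# Output:
# Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# (private key stored in key.txt)

# View public key (derived from the private identity file)
age-keygen -y key.txt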

Key Formats

PEM Format (Privacy-Enhanced Mail)

# RSA private key (PKCS#1)
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

# RSA private key (PKCS#8)
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Public key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

Convert Between Formats

 1# PKCS#1 to PKCS#8
 2openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
 3  -in private_pkcs1.pem -out private_pkcs8.pem
 4
 5# PKCS#8 to PKCS#1
 6openssl rsa -in private_pkcs8.pem -out private_pkcs1.pem
 7
 8# PEM to DER
 9openssl rsa -in private.pem -outform DER -out private.der
10
11# DER to PEM
12openssl rsa -in private.der -inform DER -out private.pem
13
14# SSH to PEM
15ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Key Permissions

 1# Set correct permissions for private keys
 2chmod 600 ~/.ssh/id_ed25519
 3chmod 600 ~/.ssh/id_rsa
 4chmod 600 private.pem
 5
 6# Set correct permissions for public keys
 7chmod 644 ~/.ssh/id_ed25519.pub
 8chmod 644 ~/.ssh/id_rsa.pub
 9chmod 644 public.pem
10
11# SSH directory permissions
12chmod 700 ~/.ssh

Key Information

 1# SSH key fingerprint
 2ssh-keygen -lf ~/.ssh/id_ed25519.pub
 3ssh-keygen -lf ~/.ssh/id_rsa.pub
 4
 5# SSH key randomart
 6ssh-keygen -lvf ~/.ssh/id_ed25519.pub
 7
 8# OpenSSL key info
 9openssl rsa -in private.pem -text -noout
10openssl ec -in private.pem -text -noout
11openssl pkey -in private.pem -text -noout
12
13# GPG key fingerprint
14gpg --fingerprint your_email@example.com

Best Practices

  1. Key Type Selection:

    • ✅ Ed25519 (modern, fast, secure)
    • ✅ RSA 4096-bit (widely supported)
    • ⚠️ ECDSA (patent concerns)
    • ❌ RSA 2048-bit (minimum, not recommended)
    • ❌ DSA (deprecated)
  2. Passphrase:

    • Always use a strong passphrase
    • Use ssh-agent to avoid repeated entry
    • Consider using a password manager
  3. Key Storage:

    • Keep private keys secure (chmod 600)
    • Never share private keys
    • Back up keys securely
    • Use different keys for different purposes
  4. Key Rotation:

    • Rotate keys periodically (annually)
    • Revoke compromised keys immediately
    • Keep old keys for decryption only

Python Example

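from cryptography.hazmat.primitives.asymmetric import rsa, ed25519, ec
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend

# Generate RSA key pair
# 65537 is the standard public exponent; key_size matches the 4096-bit
# recommendation used elsewhere on this page.
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=4096,
    backend=default_backend()
)

# Serialize private key
# NoEncryption() emits the key in the clear. That is fine for an in-memory
# demo, but before writing private_pem to disk or sending it anywhere, pass
# serialization.BestAvailableEncryption(passphrase_bytes) instead.
private_pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)

# Serialize public key (SubjectPublicKeyInfo is the "BEGIN PUBLIC KEY" form)
public_key = private_key.public_key()
public_pem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

# Generate Ed25519 key pair
ed_private_key = ed25519.Ed25519PrivateKey.generate()
ed_public_key = ed_private_key.public_key()

# Generate ECC key pair (SECP256R1 is the curve OpenSSL calls prime256v1)
ec_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
ec_public_key = ec_private_key.public_key()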
