Several tools exist to generate SSH public/private key pairs. The following sections show how to generate an SSH key pair on UNIX, UNIX-like and Windows platforms.
Moving/Copying your PGP Keys. Once you're using PGP, you may want be able to sign email from more than location, or you may switch computers. There's a few ways to accomplish this. Copy All GnuPG Data. Your first choice is to copy all of your GnuPG data. This is a lot more data than just your key, but is still likely to be under 5MB.
Generating an SSH Key Pair on UNIX and UNIX-Like Platforms Using the ssh-keygen Utility
UNIX and UNIX-like platforms (including Solaris and Linux) include the ssh-keygen utility to generate SSH key pairs.
- Navigate to your home directory:
- Run the ssh-keygen utility, providing as
filenameyour choice of file name for the private key:The ssh-keygen utility prompts you for a passphrase for the private key.
- Enter a passphrase for the private key, or press Enter to create a private key without a passphrase:
Note:
While a passphrase is not required, you should specify one as a security measure to protect the private key from unauthorized use. When you specify a passphrase, a user must enter the passphrase every time the private key is used.
The ssh-keygen utility prompts you to enter the passphrase again.
- Enter the passphrase again, or press Enter again to continue creating a private key without a passphrase:
- The ssh-keygen utility displays a message indicating that the private key has been saved as
filenameand the public key has been saved asfilename.pub. It also displays information about the key fingerprint and randomart image.
Generating an SSH Key Pair on Windows Using the PuTTYgen Program
The PuTTYgen program is part of PuTTY, an open source networking client for the Windows platform.
- Download and install PuTTY or PuTTYgen.
To download PuTTY or PuTTYgen, go to http://www.putty.org/ and click the You can download PuTTY here link.
- Run the PuTTYgen program.
- Set the Type of key to generate option to SSH-2 RSA.
- In the Number of bits in a generated key box, enter 2048.
- Click Generate to generate a public/private key pair.
As the key is being generated, move the mouse around the blank area as directed.
- (Optional) Enter a passphrase for the private key in the Key passphrase box and reenter it in the Confirm passphrase box.
Note:
While a passphrase is not required, you should specify one as a security measure to protect the private key from unauthorized use. When you specify a passphrase, a user must enter the passphrase every time the private key is used.
- Click Save private key to save the private key to a file. To adhere to file-naming conventions, you should give the private key file an extension of
.ppk(PuTTY private key).Note:
The.ppkfile extension indicates that the private key is in PuTTY's proprietary format. You must use a key of this format when using PuTTY as your SSH client. It cannot be used with other SSH client tools. Refer to the PuTTY documentation to convert a private key in this format to a different format. - Select all of the characters in the Public key for pasting into OpenSSH authorized_keys file box.
Make sure you select all the characters, not just the ones you can see in the narrow window. If a scroll bar is next to the characters, you aren't seeing all the characters.
- Right-click somewhere in the selected text and select Copy from the menu.
- Open a text editor and paste the characters, just as you copied them. Start at the first character in the text editor, and do not insert any line breaks.
- Save the text file in the same folder where you saved the private key, using the
.pubextension to indicate that the file contains a public key. - If you or others are going to use an SSH client that requires the OpenSSH format for private keys (such as the
sshutility on Linux), export the private key:- On the Conversions menu, choose Export OpenSSH key.
- Save the private key in OpenSSH format in the same folder where you saved the private key in
.ppkformat, using an extension such as.opensshto indicate the file's content.
Key Generation Key Not Moving Lyrics
Once you're using PGP, you may want be able to sign email from more than location, or you may switch computers. There's a few ways to accomplish this.
Copy All GnuPG Data
Your first choice is to copy all of your GnuPG data. This is a lot more data than just your key, but is still likely to be under 5MB. This method will copy all of your keys, everyone's key you have, and your entire trust database. It's ideal for backup, or for moving to a new computer. Simply copy all the contents of your GnuPG data directory, which would be as follows:
- Windows: C:/Documents and Settings/username/application Data/GnuPG
- Unix/Linux/Mac: ~/.gnupg
Key Generation Key Not Moving Box
Where username is your windows username. Just simply copy the entire contents of that directory from one machine to the other and you will be set. There are many ways to move this data, which I won't cover. Some examples might be zipping the data up and copying it to a disk.
This will also work between different operating systems.
Copy Just Your Keys
Encryption Key Generation
However, you may not want to bring all that trust data and lots of keys with you. If you'd just like to copy your keys over, first export them (as usual, we assume gpg is in your path):
Where keyid is your PGP Key ID, such as A1E732BB. Take the the two files, securely copy them to the new machine (it is unadvisable to ftp them or use plain-text protocols because even thought your private key there is encrypted with your passphrase, your passphrase is still the weakest link, and you want to avoid exposure to your private key wherever possible). On the new machine:
Ensure that the Key ID printed is the correct one, and if so, then go ahead and add ultimate trust for it:
Type in the command trust and it will prompt you:
Because this is your key (and you should verify that it is your key by ensuring it's your name and email above), you should choose ultimate. You shouldn't trust anyone else's key ultimately. In fact, setting explicit trust like this is rarely done for keys other than your own. See the page on PGP trust for more info.
Anyway, after you type 5 and answer y to confirm, you'll be back at the command> prompt and you can type quit to exit.
That's it, you've now copied your key!