ToolBelt

SSH Key Generator

Generate RSA or Ed25519 SSH key material for testing.

Open tool

Overview

The SSH key generator produces an RSA or Ed25519 key pair in OpenSSH format. Pick a type, set an optional comment, and the tool returns both the private key (-----BEGIN OPENSSH PRIVATE KEY-----) and the matching public key (ssh-rsa AAAA... or ssh-ed25519 AAAA...) ready to drop into ~/.ssh/authorized_keys.

It is built for engineers spinning up a throwaway SSH key for a lab VM, integration tests that need a known key pair, or CI configurations where committing a static dev key into the repo is the path of least resistance. Production SSH keys still belong on a YubiKey or in ssh-agent with strong passphrase protection.

How it works

OpenSSH keys are encoded in a SSH-specific format described in PROTOCOL.key. The public key is <algorithm> <base64-blob> <comment>, where the base64 blob is a length-prefixed concatenation of the algorithm name and the key parameters (modulus and exponent for RSA, the 32-byte public point for Ed25519). The private key is wrapped in the OpenSSH "new" format introduced in 2014: a magic string openssh-key-v1, encryption metadata, the private-key payload, and an optional pass-phrase-protected bcrypt_pbkdf derived key. The whole binary blob is base64-encoded and PEM-wrapped.

For RSA, the tool generates a fresh prime pair as in the RSA generator; for Ed25519, it generates a 32-byte seed via the browser's CSPRNG and computes the public point via the curve25519 base-point multiplication.

Examples

Type:    Ed25519
Comment: ci@build-server
Output:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2lvZmVxcml... ci@build-server

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAA...
-----END OPENSSH PRIVATE KEY-----

Type:    RSA 4096
Comment: lab-jumphost
Output:  ssh-rsa AAAA... lab-jumphost  +  PEM private key (~3.4 KB)

Type:    Ed25519
Comment: ""
Output:  public + private without trailing comment

FAQ

Ed25519 or RSA?

Ed25519 for new keys: shorter, faster, no parameter choices to get wrong. RSA only when you must support an old server that does not understand Ed25519 — those are rare in 2026.

Is the private key encrypted?

By default, no. To add a passphrase, run ssh-keygen -p -f keyfile after dropping the key on disk. The OpenSSH format encrypts with bcrypt_pbkdf using AES-256-CTR.

How do I install it on a server?

Append the public key (the single ssh-ed25519 AAAA... comment line) to the target user's ~/.ssh/authorized_keys. Make sure the file is mode 600 and the .ssh directory is mode 700.

Is browser-side key generation safe?

For dev keys, yes — the CSPRNG is cryptographically sound and nothing leaves your browser. For production keys protecting real infrastructure, generate them in a dedicated machine you trust (ideally hardware-backed) and never paste them into a web tool.

Try SSH Key Generator

An unhandled error has occurred. Reload ×