ToolBelt

SSH Key Inspector

Inspect any OpenSSH or PEM key — type, bit length, MD5 + SHA-256 fingerprints.

Open tool

Overview

The SSH key inspector reads any OpenSSH or PEM-formatted key — public or private, RSA, DSA, ECDSA, or Ed25519 — and surfaces its type, bit length, comment, and the canonical MD5 and SHA-256 fingerprints. Paste a one-line public key or a multi-line private key block and the tool extracts the metadata without exposing or storing the secret bytes.

It is the right tool for sysadmins auditing authorized_keys, security teams verifying that a deployed key matches what was issued, and developers untangling "which key is this?" when several land in their ~/.ssh folder. An SSH key fingerprint generator is also a quick way to confirm the value you see in your SSH client matches the one on a server.

How it works

OpenSSH public keys are space-separated algorithm base64-blob [comment]. The tool base64-decodes the blob, parses the length-prefixed fields per RFC 4253 §6.6, and identifies the algorithm by name (ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519, etc.) and bit length from the contained key parameters.

For private keys, the tool parses either the legacy PKCS#1/PKCS#8 PEM forms (RSA, DSA, ECDSA) or the OpenSSH new format (Ed25519 and modern RSA). It extracts the embedded public-key portion for fingerprinting without ever revealing private parameters.

Fingerprints follow the OpenSSH conventions: MD5 is MD5:xx:xx:xx:... (hex pairs colon-separated), the older legacy form; SHA-256 is SHA256:<base64-no-padding>, the modern default. Both are computed over the raw base64-decoded public-key blob.

Examples

Input:  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2lvZmVxcml... alice@laptop
Output:
  Type:        Ed25519
  Bits:        256
  Comment:     alice@laptop
  MD5:         MD5:4f:e5:0a:62:...:9c
  SHA-256:     SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8

Input:  ssh-rsa AAAAB3NzaC1yc2EAAAA... bob@server
Output:
  Type:        RSA
  Bits:        4096
  Comment:     bob@server
  SHA-256:     SHA256:...

Input:  -----BEGIN OPENSSH PRIVATE KEY----- ...
Output: Type Ed25519, public-half fingerprints, private parameters not displayed

FAQ

Why MD5 and SHA-256?

MD5 is what ssh-keygen returned by default until OpenSSH 6.8. SHA-256 has been the default ever since. Older logs, IDS rules, and Stack Overflow snippets still cite MD5 fingerprints, so the tool shows both for cross-checking.

Is the private key sent anywhere?

No. Parsing runs in your browser. The tool surfaces only the public-key fingerprint; private parameters never leave the page.

Why does my key show "RSA 2048" when I asked for 4096?

The bit length displayed is the modulus size, which is the canonical "key strength" measure for RSA. If you see 2048 where you expected 4096, the key really was generated at 2048 bits — check the original ssh-keygen command.

Does this validate the key cryptographically?

It parses the structure for well-formedness but does not check, for example, that an RSA modulus is the product of two primes. Validation in the cryptographic sense requires a private key and a verification operation.

Try SSH Key Inspector

An unhandled error has occurred. Reload ×