DEV Community

Cover image for How to secure an existing SSH key with a passphrase
Christophe Colombier
Christophe Colombier

Posted on

How to secure an existing SSH key with a passphrase

I mentioned in a previous article why it's important to secure your ssh key with a passphrase

Securing a private SSH with a passphrase.

To add a passphrase to an existing SSH key, you can use the ssh-keygen command with the -p option.



ssh-keygen -p -f ~/.ssh/id_ed25519


Enter fullscreen mode Exit fullscreen mode

Replace "~/.ssh/id_ed25519" with the path to your SSH private key if it's different.

You'll be asked to enter a new passphrase. Type your desired passphrase and press Enter.

You'll need to confirm the new passphrase by entering it again when prompted.

Here is what it looks like



$ ssh-keygen -p -f ~/.ssh/id_ed25519
Enter new passphrase (empty for no passphrase): ******** + Enter
Enter same passphrase again:                    ******** + 


Enter fullscreen mode Exit fullscreen mode

This process updates the passphrase for your private SSH key without needing to generate a new key pair.

Consequences on your public key

None. Your public key won't change.

There is no need to update your ssh key on ssh servers, git config (if you are signing your commits), or on GitHub/GitLab account settings.

You only secured the way your private key is secured.

Consequences if you forget the passphrase

There is nothing you can do. It's similar to having a comprised or deleted key.

You will have to generate a new SSH key, the private and public key will be different.

How to change the passphrase of an SSH key

If you want to change the passphrase of an ssh key that has already one, simply launch the same command again.

So you will be prompted to enter the old passphrase if one exists, then you can choose a new one.



$ ssh-keygen -p -f ~/.ssh/id_ed25519
Enter old passphrase: ***** + Enter
Enter new passphrase (empty for no passphrase): ******** + Enter
Enter same passphrase again:                    ******** + Enter


Enter fullscreen mode Exit fullscreen mode

How to remove a passphrase from a SSH key

To remove the passphrase from an existing ssh key, you only have to use an empty passphrase for the new key.



$ ssh-keygen -p -f ~/.ssh/id_ed25519
Enter old passphrase: ***** + Enter
Enter new passphrase (empty for no passphrase): Enter
Enter same passphrase again:                    Enter


Enter fullscreen mode Exit fullscreen mode

Top comments (0)