Pareto Security

SSH keys require a password

Time to fix

< 1m

What

SSH private keys should be protected with a passphrase to prevent unauthorized use if your system is compromised. The passphrase encrypts the key file on disk, so a stolen copy is useless to an attacker until the passphrase is known.

Why SSH keys need passphrases

If someone gains access to your private SSH key file without a passphrase, they can immediately use it to access any systems that trust that key. A passphrase ensures that even if the key file is stolen, it cannot be used without additional authentication.

Convenience vs Security

While passphrases add a step to SSH authentication, SSH agents can cache the passphrase for your session, so you only need to enter it once per login or wake from sleep.

Check existing SSH keys

List your SSH keys:

ls -la ~/.ssh/

Check if keys have passphrases (this will prompt for passphrase if one exists):

ssh-keygen -y -f ~/.ssh/id_rsa
ssh-keygen -y -f ~/.ssh/id_ed25519
ssh-keygen -y -f ~/.ssh/id_ecdsa

If no passphrase prompt appears, the key is unprotected.
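To audit a whole ~/.ssh directory at once without answering a passphrase prompt per key, here is an added Python example (it is not Pareto Security's own check code). Instead of calling ssh-keygen it reads each key file directly: an OpenSSH-format key stores its cipher and KDF names in the first fields of the base64 payload, and "none"/"none" means no passphrase, while a legacy PEM key is protected only when it carries a "Proc-Type: 4,ENCRYPTED" header. It also reports whether the file has the 600 permissions recommended below.

```python
import base64
import stat
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC from OpenSSH's PROTOCOL.key


def _ssh_string(buf, off):
    """Decode one SSH wire 'string' (uint32 length + bytes) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(text):
    """True/False for a private key in armoured text, None if not a key."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))  # drop BEGIN/END lines
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(blob, off)
        return not (cipher == b"none" and kdf == b"none")
    if header.startswith("-----BEGIN") and "PRIVATE KEY" in header:
        # PKCS#8 says ENCRYPTED in the header; legacy PEM uses a Proc-Type line.
        return "ENCRYPTED" in header or any(
            l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    return None


def audit_ssh_dir(ssh_dir):
    """Map each private key file name to its passphrase and permission status."""
    report = {}
    for path in sorted(Path(ssh_dir).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            enc = key_is_encrypted(path.read_text(errors="ignore"))
        except (ValueError, struct.error):
            enc = None  # malformed armour or truncated payload
        if enc is None:
            continue  # config, known_hosts, authorized_keys, ...
        mode = stat.S_IMODE(path.stat().st_mode)
        report[path.name] = {"encrypted": enc, "mode_ok": mode == 0o600}
    return report


if __name__ == "__main__":  # audit the real ~/.ssh; FIX marks keys needing work
    for name, r in audit_ssh_dir(Path.home() / ".ssh").items():
        print("OK " if r["encrypted"] and r["mode_ok"] else "FIX", name, r)
```

Any key reported with encrypted=False is exactly the case the ssh-keygen -p command in the next section fixes.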

How to add passphrases to existing keys

Add a passphrase to an existing unprotected key:

ssh-keygen -p -f ~/.ssh/id_rsa

Replace id_rsa with your actual key filename.

You'll be prompted to:

  1. Enter the old passphrase (press Enter if there was none)
  2. Enter a new passphrase
  3. Confirm the new passphrase

Creating new SSH keys with passphrases

Generate a new SSH key with a passphrase:

# Ed25519 (recommended)
ssh-keygen -t ed25519 -C "[email protected]"

# RSA (if Ed25519 not supported)
ssh-keygen -t rsa -b 4096 -C "[email protected]"

Using SSH agent for convenience

Add your key to SSH agent to avoid repeated passphrase entry:

# Start SSH agent (usually automatic on most distributions)
eval "$(ssh-agent -s)"

# Add your key
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519

Hardware security keys

For maximum security, consider using hardware security keys:

# Generate key on hardware token (requires YubiKey or similar)
ssh-keygen -t ecdsa-sk -C "[email protected]"
ssh-keygen -t ed25519-sk -C "[email protected]"

Best Practices

  • Use strong, memorable passphrases (consider using a passphrase generator)
  • Keep your private keys in ~/.ssh/ with 600 permissions
  • Never share your private key files
  • Regularly rotate your SSH keys (at least annually)
  • Use different keys for different purposes/servers

Backup and Recovery

Store your SSH key passphrases securely in your password manager. If you lose the passphrase, you'll need to generate new keys and update all systems that use the old keys.