SSH keys require a password

Check existing SSH keys

List your SSH keys:

ls -la ~/.ssh/

Check whether keys have passphrases (each command prompts for a passphrase if the key has one):

ssh-keygen -y -f ~/.ssh/id_rsa
ssh-keygen -y -f ~/.ssh/id_ed25519
ssh-keygen -y -f ~/.ssh/id_ecdsa

If the command prints the public key without prompting for a passphrase, the key is unprotected.
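A non-interactive version of this check, as an added example that is not part of the original page: `-P ""` supplies an empty passphrase so ssh-keygen never prompts. Keys with permissions looser than 600 are reported separately, because ssh-keygen refuses to load them and they would otherwise look protected. The function names `key_status` and `audit_ssh_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: audit private keys for missing passphrases and loose permissions.

# Print one status word for a file:
#   not-a-key    first line has no private-key header (public keys, config, known_hosts)
#   loose-perms  group or other has access; ssh-keygen will not load such a key
#   unprotected  loads with an empty passphrase
#   protected    does not load with an empty passphrase (encrypted, or damaged)
key_status() {
    f=$1
    head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || { echo not-a-key; return; }
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ "$(ls -ldL -- "$f" | cut -c5-10)" != "------" ]; then
        echo loose-perms
        return
    fi
    # Empty passphrase via -P and stdin from /dev/null: no prompt can appear.
    if ssh-keygen -y -P "" -f "$f" </dev/null >/dev/null 2>&1; then
        echo unprotected
    else
        echo protected
    fi
}

# Audit every regular file in a directory (default: ~/.ssh).
# Returns non-zero if any key is unprotected or has loose permissions.
audit_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        s=$(key_status "$f")
        case $s in
            not-a-key) continue ;;
            protected) ;;
            *) rc=1 ;;
        esac
        printf '%-12s %s\n' "$s" "$f"
    done
    return $rc
}
```

Source the file and run `audit_ssh_dir` (optionally with a directory argument); fix any `loose-perms` entries with `chmod 600` and run it again to learn their passphrase status.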

How to add passphrases to existing keys

Add a passphrase to an existing unprotected key:

ssh-keygen -p -f ~/.ssh/id_rsa

Replace id_rsa with your actual key filename.

You'll be prompted to:

  1. Enter the old passphrase (press Enter if there was none)
  2. Enter a new passphrase
  3. Confirm the new passphrase

Creating new SSH keys with passphrases

Generate a new SSH key with a passphrase:

# Ed25519 (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# RSA (if Ed25519 not supported)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Using SSH agent for convenience

Add your key to the SSH agent to avoid entering the passphrase repeatedly:

# Start SSH agent (usually automatic on most distributions)
eval "$(ssh-agent -s)"

# Add your key
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519

Hardware security keys

For maximum security, consider using hardware security keys:

# Generate key on hardware token (requires YubiKey or similar)
ssh-keygen -t ecdsa-sk -C "your_email@example.com"
ssh-keygen -t ed25519-sk -C "your_email@example.com"

Best Practices

  • Use strong, memorable passphrases (consider using a passphrase generator)
  • Keep your private keys in ~/.ssh/ with 600 permissions
  • Never share your private key files
  • Regularly rotate your SSH keys (at least annually)
  • Use different keys for different purposes/servers

Backup and Recovery

Store your SSH key passphrases securely in your password manager. If you lose the passphrase, you'll need to generate new keys and update all systems that use the old keys.
