Understanding SSH Private Keys
What Is an SSH Private Key in Simple Terms
The private key is the master key to every server where your public key is installed. If someone gets your private key, they can impersonate you on every server you have access to. There is no revocation notification — the access is silent and immediate.
This is why the rule is absolute: the private key never leaves your device, never gets emailed, never gets committed to Git, never gets shared with a colleague.
How It Works
SSH authentication using private key:

```text
+------------------------------------------+
| Server: generates random challenge       |
| Encrypts it with your public key         |
| Sends encrypted challenge to client      |
+------------------------------------------+
                     |
                     v
+------------------------------------------+
| Client: decrypts challenge               |
| Uses private key (stays on your machine) |
| Sends proof of decryption to server      |
+------------------------------------------+
                     |
                     v
+------------------------------------------+
| Server: verifies the proof               |
| Only possible if client has private key  |
| Access granted                           |
+------------------------------------------+
```

Private key file format and security:
```text
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA...     <- base64 encoded key
...many lines...
-----END OPENSSH PRIVATE KEY-----
```

Critical permissions:

```text
~/.ssh/              chmod 700   (owner read/write/exec only)
~/.ssh/id_ed25519    chmod 600   (owner read/write only)
```

SSH will refuse to use a key with wrong permissions: "Permissions 0644 for id_ed25519 are too open."

Practical Commands
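The two checks above (is the key actually encrypted on disk, and are the file modes what ssh demands) can be scripted against a key file without ever decrypting it, because the `openssh-key-v1` container stores its cipher and KDF names in cleartext ahead of the private section. The script below is an added example, not code from the page: `parse_openssh_private_key`, `permission_problems`, `audit_key_file` and `build_sample_key` are its own names, and the Ed25519 key bytes it wraps are constructed filler rather than a real key pair (only the container header matters for the check). It mirrors ssh's rule that any group/other bit on the key file makes it "too open".

```python
"""Inspect an OpenSSH private key file without decrypting it (added example)."""
import base64
import os
import stat
import struct
import tempfile

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_private_key(text: str) -> dict:
    """Read cipher, KDF, key count and key types from the cleartext header.
    cipher == "none" means the private key sits in plaintext on disk."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic: not an openssh-key-v1 container")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    key_types = []
    for _ in range(nkeys):
        pub, off = _read_string(blob, off)      # public blob: string type, then key data
        ktype, _ = _read_string(pub, 0)
        key_types.append(ktype.decode())
    rounds = None
    if kdf == b"bcrypt":                         # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds,
            "encrypted": cipher != b"none", "key_types": key_types}


def permission_problems(path: str) -> list:
    """Same rule ssh applies: any group/other bit on the key file is too open.
    Also flags a parent directory (the ~/.ssh role) that is not 0700."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"key mode {mode:04o} is too open; want 0600")
    dmode = stat.S_IMODE(os.stat(os.path.dirname(os.path.abspath(path))).st_mode)
    if dmode & 0o077:
        problems.append(f"directory mode {dmode:04o} is too open; want 0700")
    return problems


def audit_key_file(path: str) -> dict:
    """Combine the format and permission checks into one report."""
    with open(path) as fh:
        info = parse_openssh_private_key(fh.read())
    findings = permission_problems(path)
    if not info["encrypted"]:
        findings.append("stored without passphrase: a copy of this file is a usable credential")
    return {**info, "findings": findings}


def build_sample_key(encrypted: bool, comment: str = "rahul@devops.in") -> str:
    """Constructed sample: a structurally valid container around dummy
    Ed25519 bytes (filler, not a real key; only the header is meaningful)."""
    pub = bytes(range(32))
    pub_blob = _string(b"ssh-ed25519") + _string(pub)
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _string(b"\x11" * 16) + struct.pack(">I", 16)  # salt, rounds
        private = b"\xaa" * 96                                   # stands in for ciphertext
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
        private = struct.pack(">II", 0x1234, 0x1234)            # checkint twice
        private += _string(b"ssh-ed25519") + _string(pub) + _string(bytes(range(64)))
        private += _string(comment.encode())
        private += bytes(range(1, (-len(private)) % 8 + 1))     # pad to 8-byte block
    body = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(pub_blob) + _string(private))
    b64 = base64.b64encode(body).decode()
    return "\n".join([BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [END]) + "\n"


def demo() -> dict:
    """Write a protected and an unprotected sample key into a fresh 0700
    directory (mkdtemp creates it that way) and audit both."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "id_ed25519"), os.path.join(d, "id_ed25519_nopass")
    with open(good, "w") as fh:
        fh.write(build_sample_key(True))
    os.chmod(good, 0o600)
    with open(bad, "w") as fh:
        fh.write(build_sample_key(False))
    os.chmod(bad, 0o644)                 # the "Permissions 0644 ... are too open" case
    return {"protected": audit_key_file(good), "unprotected": audit_key_file(bad)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report["cipher"], report["kdf"], report["findings"] or "OK")
```

Point `audit_key_file` at a real `~/.ssh/id_ed25519` to get the same report for your own key; a `cipher` of `none` is the "plaintext credential on disk" case, and the bcrypt round count tells you how much work an attacker who copies the file faces per passphrase guess.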
```bash
## Generate key with passphrase protection
ssh-keygen -t ed25519 -C "rahul@devops.in"
## Enter passphrase: (strong passphrase -- encrypts the key file)
## A passphrase-protected key is encrypted on disk
## Even if stolen, useless without the passphrase

## Check key permissions (must be 600)
ls -la ~/.ssh/id_ed25519
## -rw------- 1 rahul rahul 411 Jan 15 id_ed25519

## Fix permissions if wrong
chmod 600 ~/.ssh/id_ed25519
chmod 700 ~/.ssh/

## Use ssh-agent to avoid typing passphrase repeatedly
eval $(ssh-agent -s)           ## start the agent
ssh-add ~/.ssh/id_ed25519      ## load key (prompts for passphrase once)
ssh-add -l                     ## list loaded keys

## Use a specific key for a connection
ssh -i ~/.ssh/id_ed25519 rahul@10.0.1.50

## Configure in ~/.ssh/config (avoids specifying -i every time)
cat ~/.ssh/config
## Host mumbai-prod
##     HostName 10.0.1.50
##     User rahul
##     IdentityFile ~/.ssh/id_ed25519_prod
##     Port 22
## Then just: ssh mumbai-prod

## What to do if private key is compromised
## 1. Immediately remove the public key from all servers.
##    authorized_keys stores key blobs, not fingerprints, so list the
##    fingerprint of every entry and delete the line that matches:
ssh-keygen -lf ~/.ssh/authorized_keys | grep 'SHA256:<compromised-key-fingerprint>'
## 2. Generate a new key pair
## 3. Deploy new public key to all servers
## 4. Verify old key is fully removed
```

Troubleshooting
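Step 1 of the compromise procedure has to be repeated on every server the key was authorized on, and the entry may carry options or a different comment than the copy you hold, so a script should match on the key blob itself rather than on the comment. The following is an added example, not code from the page or from OpenSSH: `key_blob`, `fingerprint`, `revoke_key` and `demo` are its own names, and the `authorized_keys` content it operates on (including both base64 blobs) is constructed filler, not real keys. `fingerprint` produces the `SHA256:` form that `ssh-keygen -l` prints, so the removed entries can be cross-checked against the listing from the commands above.

```python
"""Revoke a compromised public key from an authorized_keys file (added example)."""
import base64
import hashlib
import os
import tempfile

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_blob(line: str):
    """Return (key type, base64 blob) for an authorized_keys line, or None for
    blank/comment lines. Leading options (from=, no-pty, ...) are skipped.
    Assumption: options contain no quoted spaces, so a plain split() suffices."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return field, fields[i + 1]
    return None


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def revoke_key(authorized_keys_path: str, compromised_pubkey: str) -> list:
    """Rewrite authorized_keys without every entry carrying the compromised key.
    Returns the fingerprint of each removed entry (one per line removed)."""
    target = key_blob(compromised_pubkey)
    if target is None:
        raise ValueError("expected '<type> <base64> [comment]'")
    kept, removed = [], []
    with open(authorized_keys_path) as fh:
        for line in fh:
            entry = key_blob(line)
            if entry is not None and entry[1] == target[1]:
                removed.append(fingerprint(entry[1]))
            else:
                kept.append(line)
    tmp = authorized_keys_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.writelines(kept)
    os.chmod(tmp, 0o600)
    os.replace(tmp, authorized_keys_path)   # atomic swap: never leaves a half-written file
    return removed


def _fake_blob(seed: int) -> str:
    """Structurally valid ssh-ed25519 blob around filler bytes (constructed, not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(raw).decode()


def demo() -> dict:
    """Constructed authorized_keys with the compromised key present twice (once
    behind options); revoke it and report what was removed and what remains."""
    current, compromised = _fake_blob(1), _fake_blob(2)
    content = ("# constructed sample authorized_keys\n"
               f"ssh-ed25519 {current} rahul@laptop\n"
               f'from="10.0.1.0/24",no-pty ssh-ed25519 {compromised} rahul@old-laptop\n'
               f"ssh-ed25519 {compromised} deploy-bot\n")
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    with open(path, "w") as fh:
        fh.write(content)
    removed = revoke_key(path, f"ssh-ed25519 {compromised} rahul@old-laptop")
    with open(path) as fh:
        remaining = fh.read().splitlines()
    return {"removed": removed, "remaining": remaining}


if __name__ == "__main__":
    result = demo()
    print("removed:", result["removed"])
    print("remaining:", result["remaining"])
```

Running `revoke_key` with the contents of the compromised `.pub` file on each server, and confirming it returns an empty list on a second pass, is what "verify old key is fully removed" (step 4) amounts to in practice.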
| Symptom | Command | What to Look For |
|---|---|---|
| Permission denied | chmod 600 ~/.ssh/id_ed25519 | Key permissions too open |
| Agent not running | eval $(ssh-agent -s) | Start the agent first |
| Wrong key used | ssh-add -l | See which keys are loaded |
| Key format error | ssh-keygen -y -f id_ed25519 | Validates key file integrity |
COMMON MISTAKE / WARNING

**Security:** If a private key is ever accidentally committed to Git, treat it as compromised immediately — even if you delete it from Git history. Git history is distributed and the key may have been cloned. Generate a new key pair and remove the old public key from all servers before the exposure is exploited.
REMEMBER THIS

**Remember:** Always protect private keys with a passphrase. A key without a passphrase is a plaintext credential on disk. If your laptop is stolen and your keys have no passphrase, every server they grant access to is immediately compromised.