Ubuntu: How to create a public/private key pair

Updated: January 28, 2024 By: Guest Contributor

Introduction

In the world of cybersecurity, key pairs are fundamental for a variety of security tasks like authentication, encryption, and digital signatures. Public/private key pairs are widely used in systems to securely exchange data and verify identity. In this tutorial, we’ll explore how to create a public/private key pair on Ubuntu. This guide is designed for beginners and aims to take you through various levels of complexity, providing code examples and outputs where applicable.

Prerequisites

Before getting started, make sure you have access to a terminal on an Ubuntu machine, and you have sufficient privileges to perform operations that may require sudo access. Also, ensure that the SSH package is installed on your system. You can install it using the following command if it is not already installed:

sudo apt update && sudo apt install openssh-client

Generating the Basic Key Pair

To begin generating a key pair, open your terminal and type in the following command:

ssh-keygen -t rsa

After running the command, you will be prompted to enter a file in which to save the key. By default, this is ~/.ssh/id_rsa. You can just press Enter to use the default setting.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

Next, you’ll have the option to enter a passphrase for an additional layer of security. This passphrase will be required each time the private key is used. If you prefer not to use a passphrase, you can simply press Enter.

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

After confirming the passphrase, key generation completes and you receive a confirmation showing the key's fingerprint and a randomart image.

Choosing a Different Algorithm or Key Size

The ssh-keygen command provides options for generating keys with different cryptographic algorithms and key sizes. For example, to generate an Ed25519 key, which is known for its high performance and defense against certain cryptographic attacks, use:

ssh-keygen -t ed25519

Advanced Usage: You can specify the key size for RSA keys by adding the -b option followed by a number representing the bit length. A larger bit size generally means better security, but it also results in larger key files and can slow down the encryption process. For RSA, a good balance of security and performance is a 4096-bit key, which can be generated as follows:

ssh-keygen -t rsa -b 4096

Customizing Key Generation

You may also want to customize the comment field of the key pair or create a key pair without any interactive prompts. To accomplish this, use the -C option for the comment and the -N option for the passphrase, along with the -f option for the file name. Here’s how to create a key pair with a custom comment and without a passphrase:

ssh-keygen -t rsa -b 4096 -C "[email protected]" -N "" -f ~/.ssh/id_rsa_custom

Checking the Key Pair: You can check your public key by displaying the contents of the generated .pub file using cat ~/.ssh/id_rsa.pub, and the private key’s existence with ls ~/.ssh/id_rsa. Make sure never to share your private key; it should remain confidential.

Changing or Removing Passphrase

Should you wish to change or remove the passphrase of an existing key, you can do so using the -p option of ssh-keygen. The following command will prompt you to enter the old passphrase, then the new passphrase:

ssh-keygen -p -f ~/.ssh/id_rsa

To remove a passphrase completely, simply press Enter when asked for the new passphrase.

Exporting Keys and Converting Formats

If you need to convert your existing private key to another format, such as the PEM format required by some software, combine the -p option with -m; ssh-keygen then rewrites the private key file in place in the requested format (you will be prompted for the current passphrase and a new one), as demonstrated below:

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Export Public Key to Different Formats: To export your public key in a different format, use ssh-keygen with the -e option and specify the output format with -m. Below is an example of exporting to the PKCS8 format:

ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8

Restricting Key Usage

For a more controlled security environment, you might want to restrict what actions a key can perform. ssh-keygen cannot attach such restrictions to a plain key at generation time: its -O option applies them when the public half of a key is signed into a certificate with -s (the same options can also be placed in front of the key's entry in the server's authorized_keys file). Generate the key as usual, then sign it with a CA key, passing the restriction with -O:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/restricted_key
ssh-keygen -s ~/.ssh/ca_key -I restricted_key -n yourusername -O permitopen=hostname:port ~/.ssh/restricted_key.pub

This produces ~/.ssh/restricted_key-cert.pub, a certificate whose permitopen option only allows port forwarding to the specified hostname and port, enhancing security by limiting what the private key can be used for on servers that trust the CA (configured with TrustedUserCAKeys in sshd_config).

Automating Key Generation

If you need to generate several key pairs, say for automated setups or scripts, without any manual input, you can automate the process. With -N and -f supplied, ssh-keygen asks nothing; -q suppresses the banner and randomart, and redirecting stdin from /dev/null guarantees that no stray prompt (such as the overwrite question for an existing file) can hang a script:

ssh-keygen -q -t rsa -b 4096 -C "script_generated" -N "" -f /path/to/generated_key </dev/null

This creates the key pair with the specified options and writes both files to the chosen path with zero human interaction, which is especially beneficial in scripts or automation tools.
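An added example of such automation (not code from the original tutorial): a function that generates a whole list of key pairs with no prompts, skips any key that already exists so the script is safe to re-run, locks down file permissions, and reports each key's fingerprint. The key names and output directory are constructed placeholders; ed25519 is used instead of rsa -b 4096 purely for speed, the options are otherwise the same as above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: batch, idempotent key
# generation. Assumes OpenSSH's ssh-keygen; names and paths are placeholders.
set -u

# Usage: generate_keys <output-dir> <name>...
# Prints "<name> <created|existing> <fingerprint>" per key and returns 1 if
# any generation failed.
generate_keys() {
    outdir=$1; shift
    mkdir -p "$outdir" && chmod 700 "$outdir"
    failed=0
    for name in "$@"; do
        key="$outdir/$name"
        if [ -f "$key" ]; then
            status="existing"        # never overwrite: a re-run must not rotate keys silently
        else
            # -q: no banner/randomart; -N "": empty passphrase so nothing waits
            # on stdin; </dev/null makes any unexpected prompt fail instead of hang.
            if ssh-keygen -q -t ed25519 -N "" -C "script_generated:$name" -f "$key" </dev/null; then
                chmod 600 "$key"     # private key readable by the owner only
                status="created"
            else
                echo "$name: generation failed" >&2
                failed=1
                continue
            fi
        fi
        # -lf prints "<bits> <fingerprint> <comment> (<type>)"; keep the fingerprint
        fp=$(ssh-keygen -lf "$key.pub" | awk '{print $2}')
        echo "$name $status $fp"
    done
    return $failed
}
```

Record the printed fingerprints: they are what you compare against authorized_keys entries or deployment inventories later.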

Secure Key Management

Once keys are generated, it’s crucial to manage them securely:

  • Always keep your private key confidential and ensure it has appropriate file permissions. Use chmod 600 ~/.ssh/id_rsa to restrict access to the key file.
  • Use ssh-agent and the ssh-add command to manage your keys responsibly.
  • Delete any old or unused keys to prevent them from becoming a security vulnerability.
  • Regularly update and rotate your keys to maintain a robust security posture.

Conclusion

This guide has demonstrated the process of creating public/private key pairs on Ubuntu. By following the steps provided, even beginners can confidently generate keys for secure communications. As always, key management is key to security, so handle your key pairs with care to prevent unauthorized access to your systems.