SSH public keys use Base64 encoding to represent binary data in ASCII format. The equal signs at the end serve as padding characters required by the Base64 standard. Here's a technical breakdown:
Original binary: [11010101 10101100 11110000]
Base64 encoded: "1azw"
Padded Base64: "1azw==" (with two padding characters)Base64 encodes every 3 bytes of binary data into 4 ASCII characters. When the input isn't divisible by 3:
- 1 byte remaining → 2 padding characters (==)
- 2 bytes remaining → 1 padding character (=)
- 0 bytes remaining → no padding needed
Here are three different cases you might encounter:
# Case 1: No padding (complete 3-byte blocks)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICJ+HqdLJE8uSuNjw2J3hBG7uJZ1JT6Stp/K4lD7qXrP
# Case 2: Single padding (2 bytes remainder)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZx8J9V5Dd5fBz7Zt9mZ9+G7e2vY3kZw==
# Case 3: Double padding (1 byte remainder)
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOQ=You can check if a key's padding is correct using OpenSSL:
echo "AAAAB3NzaC1yc2EAAAADAQABAAABAQDZx8J9V5Dd5fBz7Zt9mZ9+G7e2vY3kZw==" | base64 -d | hexdump
# Should produce valid binary output without errorsWhen processing SSH keys in code, remember to:
# Python example
import base64
def validate_ssh_pubkey(key):
try:
# Extract the Base64 portion between the second space and possible comment
b64_data = key.split()[1]
# Decode with padding check
binary_data = base64.b64decode(b64_data, validate=True)
return True
except (IndexError, ValueError):
return FalseThe padding characters don't affect security:
- They're ignored during cryptographic operations
- Removing them manually won't break key functionality
- Modern SSH implementations handle padding automatically
However, when copying keys, always maintain the exact Base64 string including any padding characters to ensure compatibility with all SSH implementations.
When examining SSH public keys in authorized_keys, you'll notice that most keys terminate with one or two equal signs (= or ==). This occurs because SSH public keys are encoded using Base64, which requires padding to complete 4-character blocks.
# Example showing different padding scenarios
ssh-rsa AAAAB3...QABAAABAQ== user@host # 2 padding chars (==)
ssh-ed25519 AAAAC3...QABAAAB user@host # 1 padding char (=)
ssh-ecdsa AAAAE2...QABAA user@host # No paddingThe Base64 algorithm converts binary data to ASCII by:
- Grouping binary input into 24-bit chunks (3 bytes)
- Splitting each chunk into four 6-bit segments
- Mapping these segments to 64 printable characters
Padding becomes necessary when the input isn't divisible by 3 bytes. Each = represents one missing byte in the final block:
Original bytes: [0x12, 0x34, 0x56, 0x78] (4 bytes)
Base64 process:
1. First chunk (3 bytes): 0x12 0x34 0x56 → "EjRW"
2. Remaining 1 byte → pad to 3 bytes: 0x78 0x00 0x00 → "eAAA"
Final output: "EjRWeAAA==" (2 padding chars for 1 original byte)The padding doesn't affect key functionality. Modern SSH implementations handle both padded and unpadded keys correctly. However, when manipulating keys programmatically:
# Python example: Removing/adding padding
import base64
def normalize_key(key):
# Ensure proper padding
return key + '=' * (-len(key) % 4)
# Example usage:
print(normalize_key("AAAAB3NzaC1yc2EAAAABIwAAAQEA9ZUwxXn2HZAAUswoaV8"))Different key types may show different padding patterns:
- RSA-4096 keys typically end with
== - ED25519 keys often have
= - Some ECDSA keys may have no padding
This variation stems from how the underlying cryptographic libraries implement the Base64 encoding of different key formats.