Every SSH key pair consists of mathematically linked private and public components. The private key must remain secure, while the public key can be freely distributed. The relationship between them allows for secure authentication.
Common scenarios include:
- Accidentally deleting the public key file
- Migrating servers without transferring the public key
- Recovering from backup that only included private keys
- Verifying key pair integrity
For RSA keys (default SSH key type):
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pubFor Ed25519 keys (modern alternative):
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pubLet's break down what happens when you run these commands:
-y: Tells ssh-keygen to output the public key-f: Specifies the private key file path- The
>redirects output to your desired public key file
After regeneration, verify the keys match:
ssh-keygen -l -f ~/.ssh/id_rsa
ssh-keygen -l -f ~/.ssh/id_rsa.pubBoth commands should output identical fingerprints.
If your key is loaded in ssh-agent:
ssh-add -L | grep "your-key-comment" > ~/.ssh/recovered.pubAlways:
- Protect private key file permissions (600)
- Never share private keys
- Consider key rotation if you suspect any compromise
Recovering a lost GitHub deployment key:
# Extract public key
ssh-keygen -y -f ~/.ssh/github_deploy_key > ~/.ssh/github_deploy_key.pub
# Verify fingerprint matches GitHub's records
ssh-keygen -l -f ~/.ssh/github_deploy_key.pub
# Add to GitHub
cat ~/.ssh/github_deploy_key.pub | pbcopyCommon issues and fixes:
| Error | Solution |
|---|---|
| "invalid format" | Ensure private key is unencrypted or provide passphrase |
| permission denied | Run chmod 600 on private key |
| no such file | Verify path and filename |
SSH keys are a fundamental part of secure authentication in modern development workflows. A typical SSH key pair consists of:
- A private key (kept secret)
- A public key (shared with servers)
While it's common practice to store both keys together, situations arise where you might lose the public key while still having access to the private key.
All major SSH implementations include tools to extract the public key from a private key. Here's how to do it with OpenSSH:
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pubThis command:
-y: Tells ssh-keygen to output the public key-f: Specifies the private key file- The output is redirected to create a new public key file
The approach varies slightly depending on your key type:
For RSA Keys
ssh-keygen -y -f id_rsa > id_rsa.pubFor ED25519 Keys
ssh-keygen -y -f id_ed25519 > id_ed25519.pubFor ECDSA Keys
ssh-keygen -y -f id_ecdsa > id_ecdsa.pubAfter generating your public key, verify it matches the private key:
ssh-keygen -l -f ~/.ssh/id_rsa.pubCompare the fingerprint with:
ssh-keygen -l -f ~/.ssh/id_rsaFor frequent use, consider creating a shell function:
function ssh-regen-pub() {
if [ -z "$1" ]; then
echo "Usage: ssh-regen-pub /path/to/private_key"
return 1
fi
ssh-keygen -y -f "$1" > "${1}.pub"
echo "Public key regenerated at ${1}.pub"
}When working with SSH keys:
- Always protect your private key with strong permissions (600)
- Never share your private key
- Consider using a passphrase for additional security
- Regularly rotate your keys
Error: "invalid format"
This typically means your private key is corrupted or in an unexpected format. Try verifying it with:
ssh-keygen -l -f your_private_keyError: "Permissions are too open"
Fix your private key's permissions:
chmod 600 ~/.ssh/id_rsa