How to Add/Modify Comment to an Existing SSH Public Key Pair



Comments in SSH public keys serve as identifiers, especially when managing multiple keys across different servers. The default comment is usually username@hostname from the generating machine, but you might want to change it to something more descriptive like prod-server-deploy-key or github-personal-account.

Method 1: Using ssh-keygen (Recommended)

ssh-keygen -c -f ~/.ssh/id_rsa -C "new-comment-here"

This command will:

  • -c: Request changing the comment in the private and public key files
  • -f: Specify the key file (private key path)
  • -C: Provide the new comment

Example Workflow:

# Backup original key
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bak
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.bak

# Change comment
ssh-keygen -c -f ~/.ssh/id_rsa -C "aws-ec2-admin-key"

Check the public key file to confirm the comment update:

cat ~/.ssh/id_rsa.pub

Example output showing the new comment:

ssh-rsa AAAAB3Nza... aws-ec2-admin-key

For advanced users who need precise control, edit the public key file by hand:

  1. Open the public key file (id_rsa.pub) in a text editor
  2. Locate the comment at the end of the line (after the base64 key)
  3. Replace the existing comment
  4. Save the file

Notes:

  • Always back up your keys before modification
  • Changing comments doesn't affect cryptographic properties
  • Some legacy systems might validate the original comment
  • Update any authorized_keys files that reference the modified key if the new comment should appear there; sshd matches entries on the key data, not the comment, so existing entries keep authenticating

If you encounter invalid format errors:

# Ensure proper key file permissions
chmod 600 ~/.ssh/id_rsa

Every SSH public key line contains up to three space-separated components: the key type, the base64-encoded key data, and an optional comment:

ssh-rsa AAAAB3NzaC1yc2E... comment_text_here

The comment field (trailing text) is optional but useful for identifying key purposes like "prod_deploy_key" or "john@workstation". When generated via ssh-keygen, it defaults to username@hostname.

There are two primary methods to alter comments:

Method 1: Rebuild with ssh-keygen (Recommended)

The safest approach lets ssh-keygen rewrite the key files with the new comment while preserving the cryptographic material:

ssh-keygen -f ~/.ssh/id_rsa -c -C "new_comment"
# For Ed25519 keys:
ssh-keygen -f ~/.ssh/id_ed25519 -c -C "gitlab_deploy_key"

This rewrites the existing private and public key files with identical crypto parameters but updated comments.

Method 2: Manual Public Key Editing

For quick modifications (public key only):

# 1. Copy existing public key
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa_new.pub
# 2. Edit comment field (last segment)
nano ~/.ssh/id_rsa_new.pub
# 3. Update authorized_keys if needed
cat ~/.ssh/id_rsa_new.pub >> ~/.ssh/authorized_keys

Important: Never modify private key files directly.

When changing comments on production keys:

  • Update all authorized_keys files
  • Notify team members about key changes
  • Consider a gradual phase-out period
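
The authorized_keys update listed above can be done by relabelling the matching entry in place instead of appending a second copy of the same key. This is an added example, not part of the original article; relabel_key is a hypothetical helper name, and it assumes the key type and base64 data are separated by a single space, as ssh-keygen writes them.

```shell
#!/bin/sh
# relabel_key PUBKEY_FILE AUTHORIZED_KEYS_FILE   (hypothetical helper name)
# Prints AUTHORIZED_KEYS_FILE to stdout with the comment of every entry that
# carries the same key type and base64 blob as PUBKEY_FILE replaced by the
# comment from PUBKEY_FILE. Options before the key type are left untouched.
# Exit status: 0 = at least one entry relabelled, 1 = key not present,
#              2 = PUBKEY_FILE unreadable or malformed.
relabel_key() {
    awk -v pubfile="$1" '
    BEGIN {
        # Public key line: "<type> <base64-blob> [comment...]"
        if ((getline line < pubfile) <= 0 || split(line, f, " ") < 2) {
            bad = 1; exit 2
        }
        needle = f[1] " " f[2]      # assumes a single space, as ssh-keygen writes
        comment = line
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", comment)
    }
    /^[ \t]*#/ || NF == 0 { print; next }   # keep comment and blank lines as-is
    {
        pos = index($0, needle)
        end = pos + length(needle)
        before = (pos <= 1) ? " " : substr($0, pos - 1, 1)
        after = substr($0, end, 1)
        # Whole-field match only: a blob that merely starts with ours is another key.
        if (pos > 0 && before ~ /[ \t]/ && (after == "" || after ~ /[ \t]/)) {
            print substr($0, 1, end - 1) (comment == "" ? "" : " " comment)
            changed++
        } else {
            print
        }
    }
    END { if (bad) exit 2; exit (changed ? 0 : 1) }
    ' "$2"
}

# Usage (write to a new file first, then replace the original):
#   relabel_key ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new \
#       && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys
```

Because the match is on the key data, an exit status of 1 also tells you the key was never installed in that authorized_keys file.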

Confirm comment changes with:

ssh-keygen -l -f ~/.ssh/id_rsa.pub
# Sample output:
# 4096 SHA256:AbCd... comment_text_here (RSA)

Bash script for batch comment updates:

#!/bin/bash
OLD_KEY="$HOME/.ssh/id_ed25519"
NEW_COMMENT="ci_pipeline_$(date +%Y%m%d)"

ssh-keygen -f "$OLD_KEY" -c -C "$NEW_COMMENT" || exit 1
echo "Updated comment to: $NEW_COMMENT"
ssh-keygen -l -f "${OLD_KEY}.pub"