How to Add/Modify Comment to an Existing SSH Public Key Pair



Comments in SSH public keys serve as identifiers, especially when managing multiple keys across different servers. The default comment is usually username@hostname from the generating machine, but you might want to change it to something more descriptive like prod-server-deploy-key or github-personal-account.

Method 1: Using ssh-keygen (Recommended)

ssh-keygen -c -f ~/.ssh/id_rsa -C "new-comment-here"

This command will:

  • -c: Request changing the comment
  • -f: Specify the key file (private key path)
  • -C: Provide the new comment

Example Workflow:

# Backup original key
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bak
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.bak

# Change comment
ssh-keygen -c -f ~/.ssh/id_rsa -C "aws-ec2-admin-key"

Check the public key file to confirm the comment update:

cat ~/.ssh/id_rsa.pub

Example output showing the new comment:

ssh-rsa AAAAB3Nza... aws-ec2-admin-key

For advanced users who need precise control, edit the public key file by hand:

  1. Open the public key file (id_rsa.pub) in a text editor
  2. Locate the comment at the end of the line (after the base64 key)
  3. Replace the existing comment
  4. Save the file

Keep in mind:

  • Always back up your keys before modification
  • Changing comments doesn't affect cryptographic properties
  • Some legacy systems might validate the original comment
  • Update any authorized_keys files that reference the modified key

If you encounter invalid format errors:

# Ensure proper key file permissions
chmod 600 ~/.ssh/id_rsa

Every SSH public key line contains three space-separated components: the key type, the base64-encoded key, and the comment:

ssh-rsa AAAAB3NzaC1yc2E... comment_text_here

The comment field (trailing text) is optional but useful for identifying key purposes like "prod_deploy_key" or "john@workstation". When generated via ssh-keygen, it defaults to username@hostname.

There are two primary methods to alter comments:

Method 1: Rebuild with ssh-keygen (Recommended)

The safest approach lets ssh-keygen rewrite the comment in the key pair's files while preserving the cryptographic material:

ssh-keygen -f ~/.ssh/id_rsa -c -C "new_comment"
# For Ed25519 keys:
ssh-keygen -f ~/.ssh/id_ed25519 -c -C "gitlab_deploy_key"

This rewrites the public and private key files with identical crypto parameters but updated comments.

Method 2: Manual Public Key Editing

For quick modifications (public key only):

# 1. Copy existing public key
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa_new.pub
# 2. Edit comment field (last segment)
nano ~/.ssh/id_rsa_new.pub
# 3. Update authorized_keys if needed
#    (>> appends a new line; the entry with the old comment stays until you remove it)
cat ~/.ssh/id_rsa_new.pub >> ~/.ssh/authorized_keys

Important: Never modify private key files directly.

When changing comments on production keys:

  • Update all authorized_keys files
  • Notify team members about key changes
  • Consider a gradual phase-out period
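
One way to carry a changed comment into an authorized_keys file without appending a duplicate entry, as an added example that is not part of the original article. sshd matches entries on the key blob rather than the comment, so the function locates entries by blob and rewrites only the trailing label; the function name, the options on the sample entry and the key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# relabel_authorized_key PUBKEY AUTHORIZED_KEYS
# Copies the comment from PUBKEY onto every AUTHORIZED_KEYS entry that has the
# same key blob, keeping any leading options. Prints the number of entries changed.
relabel_authorized_key() {
    pub=$1; auth=$2
    # In a .pub file, field 2 is the base64 blob; the rest of the line is the comment.
    blob=$(awk 'NR == 1 { print $2 }' "$pub")
    comment=$(awk 'NR == 1 { sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]*/, ""); print }' "$pub")
    [ -n "$blob" ] || return 1
    tmp=$(mktemp "$auth.XXXXXX") || return 1    # created mode 0600, same directory
    BLOB="$blob" COMMENT="$comment" OUT="$tmp" awk '
        BEGIN {
            blob = ENVIRON["BLOB"]; out = ENVIRON["OUT"]
            suffix = (ENVIRON["COMMENT"] == "") ? "" : " " ENVIRON["COMMENT"]
        }
        /^[ \t]*#/ { print > out; next }         # leave comment lines alone
        {
            i = index($0, blob); end = i + length(blob)
            before = substr($0, i - 1, 1); after = substr($0, end, 1)
            # Match only a whole field: whitespace before, whitespace or EOL after.
            if (i > 1 && before ~ /[ \t]/ && (after == "" || after ~ /[ \t]/)) {
                print substr($0, 1, end - 1) suffix > out
                n++
            } else print > out
        }
        END { print n + 0 }
    ' "$auth" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$auth"
}

# --- Demo on constructed data (placeholder blobs, not real keys) ---
demo=$(mktemp -d)
K1=AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobOne
K2="${K1}Extended"    # a different key that merely starts with the same text
echo "ssh-ed25519 $K1 gitlab_deploy_key" > "$demo/id_ed25519.pub"
cat > "$demo/authorized_keys" <<EOF
# deploy hosts
from="10.0.0.5",command="/usr/bin/backup run" ssh-ed25519 $K1 user@laptop
ssh-ed25519 $K2 john@workstation
EOF
changed=$(relabel_authorized_key "$demo/id_ed25519.pub" "$demo/authorized_keys")
echo "relabelled $changed entry/entries"
cat "$demo/authorized_keys"
```

Run it against a copy of the real authorized_keys file first and diff the result before replacing the live file.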

Confirm comment changes with:

ssh-keygen -l -f ~/.ssh/id_rsa.pub
# Sample output:
# 4096 SHA256:AbCd... comment_text_here (RSA)

Bash script for batch comment updates:

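#!/bin/bash
# Private key path; ssh-keygen -c updates both this file and its .pub file
OLD_KEY="$HOME/.ssh/id_ed25519"
# Date-stamped comment in the form ci_pipeline_YYYYMMDD
NEW_COMMENT="ci_pipeline_$(date +%Y%m%d)"

# Change the comment; stop if ssh-keygen fails
ssh-keygen -f "$OLD_KEY" -c -C "$NEW_COMMENT" || exit 1
echo "Updated comment to: $NEW_COMMENT"
# Print the fingerprint and comment to confirm the change
ssh-keygen -l -f "${OLD_KEY}.pub"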