An SSH key passphrase encrypts the private key file on disk so that a stolen key file alone cannot be used for authentication. This guide covers setting, changing, and removing SSH key passphrases on Linux and Unix systems for Ed25519, RSA, and ECDSA key types.

What is an SSH Key Passphrase?

A passphrase is a password that protects your SSH private key. When you set a passphrase, the private key file is encrypted with a symmetric cipher derived from that passphrase. Even if someone copies your ~/.ssh/id_ed25519 file, they cannot use it without knowing the passphrase. Use at least 15-20 characters with a mix of words, numbers, and symbols.

Set a Passphrase on an Existing Key

If you generated a key without a passphrase (common for automation), you can add one later without regenerating the key:

ssh-keygen -p -f ~/.ssh/id_ed25519

Since the key has no current passphrase, it goes straight to the new one:

$ ssh-keygen -p -f ~/.ssh/id_ed25519
Enter new passphrase (empty for no passphrase): <Enter passphrase>
Enter same passphrase again: <Retype passphrase>
Your identification has been saved with the new passphrase.

For RSA keys, replace the path accordingly:

ssh-keygen -p -f ~/.ssh/id_rsa

Change an Existing Passphrase

The same -p flag works for changing a passphrase. The command prompts for the old passphrase first, then the new one:

$ ssh-keygen -p -f ~/.ssh/id_ed25519
Enter old passphrase: <Enter old passphrase>
Enter new passphrase (empty for no passphrase): <Enter new passphrase>
Enter same passphrase again: <Retype new passphrase>
Your identification has been saved with the new passphrase.

This works with any key type – Ed25519, RSA, or ECDSA. Only the private key file is modified; the public key and its fingerprint stay the same. Authorized keys on remote servers do not need updating.

Remove a Passphrase from a Key

To remove the passphrase entirely (for automation or CI/CD pipelines), enter the old passphrase when prompted and press Enter twice for the new passphrase (leaving it empty):

$ ssh-keygen -p -f ~/.ssh/id_ed25519
Enter old passphrase: <Enter current passphrase>
Enter new passphrase (empty for no passphrase): <Press Enter>
Enter same passphrase again: <Press Enter>
Your identification has been saved with the new passphrase.

Only remove passphrases on keys used for automated processes (deployment scripts, backup jobs). Keys used for interactive login by humans should always have a passphrase.

Generate a New Key with a Passphrase

When generating a new SSH key, ssh-keygen prompts for a passphrase by default. Ed25519 is the recommended key type for modern systems:

$ ssh-keygen -t ed25519 -C "admin@myserver"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase): <Enter passphrase>
Enter same passphrase again: <Retype passphrase>
Your identification has been saved in /home/admin/.ssh/id_ed25519
Your public key has been saved in /home/admin/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:xK9a3bRqN7d5vM2pLzY8eTfWh6cU4jOiS1gA0kXn admin@myserver

For systems that require RSA compatibility, use 4096-bit minimum:

ssh-keygen -t rsa -b 4096 -C "admin@myserver"

Verify the Passphrase Works

Test by copying your public key to a remote server and connecting (user@remote-host below is a placeholder for your own login and hostname):

ssh-copy-id user@remote-host

Then connect – you should be prompted for the key passphrase (not the server password):

$ ssh user@remote-host
Enter passphrase for key '/home/admin/.ssh/id_ed25519':

You can also verify by checking the key fingerprint:

$ ssh-keygen -lf ~/.ssh/id_ed25519
256 SHA256:xK9a3bRqN7d5vM2pLzY8eTfWh6cU4jOiS1gA0kXn admin@myserver (ED25519)

Cache Passphrase with SSH Agent

Typing the passphrase on every connection is tedious. The SSH agent caches decrypted keys in memory so you enter the passphrase once per session:

# Start the SSH agent and import its environment variables into this shell
eval "$(ssh-agent -s)"

# Add your key (prompts for passphrase once)
ssh-add ~/.ssh/id_ed25519

# Verify the key is loaded
ssh-add -l

All subsequent SSH connections using that key will not prompt for the passphrase until the agent is stopped or the key is removed.

Add a timeout so the key is automatically removed from the agent after a set period (in seconds):

# Cache for 1 hour (3600 seconds)
ssh-add -t 3600 ~/.ssh/id_ed25519

To remove all cached keys:

ssh-add -D

For a complete SSH reference, see our SSH commands cheat sheet.

Check if a Key Has a Passphrase

To check whether a private key is passphrase-protected, ask ssh-keygen to derive the public key from it. The -y option reads the private key file directly (not the agent), so it has to decrypt the key first:

ssh-keygen -y -f ~/.ssh/id_ed25519

If it prompts for a passphrase, the key is protected. If it immediately prints the public key, there is no passphrase set.
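The prompt-based check above cannot be scripted across a whole ~/.ssh directory, and it does not tell you how the key is protected. This added example (not from the original guide) parses the openssh-key-v1 envelope described under "What is an SSH Key Passphrase?" and reports the cipher and KDF, and also recognises the Proc-Type header that marks an encrypted legacy PEM key; the sample envelopes it builds are constructed with dummy payloads, not real keys.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed header of the OpenSSH private key format


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length prefix + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text):
    """Describe how a private key file is protected without decrypting it."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 file")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)   # "none" when no passphrase
        kdf, off = _read_string(blob, off)      # "bcrypt" when encrypted
        kdfopts, off = _read_string(blob, off)  # string salt + uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "encrypted": cipher != b"none"}
    # Legacy PEM (ssh-keygen -m PEM): encryption is signalled by PEM headers
    encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    dek = [ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")]
    return {"format": "pem", "cipher": dek[0].split(",")[0] if dek else "none",
            "kdf": "openssl-md5" if encrypted else "none", "rounds": None,
            "encrypted": encrypted}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_key(cipher, kdf, kdfopts):
    """Constructed openssh-key-v1 envelope with dummy key payloads (for demonstration only)."""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"dummy-public") + _ssh_string(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: a bcrypt/aes256-ctr protected key (16 rounds, zero salt) and a bare one
ENCRYPTED_SAMPLE = make_sample_key(b"aes256-ctr", b"bcrypt", _ssh_string(b"\x00" * 16) + struct.pack(">I", 16))
PLAIN_SAMPLE = make_sample_key(b"none", b"none", b"")
```

On a real key file, pass the contents of ~/.ssh/id_ed25519 to inspect_private_key; a result with cipher "none" is a key anyone holding the file can use.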

Convert Key Format

Convert between OpenSSH and PEM formats. Some older tools and cloud providers require PEM format. Be aware that -p rewrites the private key file in place, and that a passphrase on a legacy PEM key is protected by OpenSSL's MD5-based key derivation rather than the bcrypt KDF of the native OpenSSH format, so prefer the OpenSSH format wherever the consuming tool accepts it:

# Convert OpenSSH private key to PEM format (rewrites the file in place, prompts for the passphrase)
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

# Export the public key in PEM/PKCS8 format (RSA and ECDSA keys only;
# ssh-keygen does not export Ed25519 public keys in this format)
ssh-keygen -e -m PKCS8 -f ~/.ssh/id_rsa.pub

Conclusion

Managing SSH key passphrases is a core security practice. Always set a strong passphrase on keys used for interactive login, use the SSH agent to avoid retyping it, and remove passphrases only on keys dedicated to automated processes running in secure environments.
