Generate SSH Keys on Windows 10

1. Overview

SSH, the secure shell, is often used to access remote Linux systems. But its authentication mechanism, where a private local key is paired with a public remote key, is used to secure all kinds of online services, from GitHub and Launchpad to Linux running on Microsoft’s Azure cloud.

Generating these keys from Linux is easy, and thanks to Ubuntu on WSL, you can follow the same process from Windows 10. But even without Ubuntu, SSH keys can also be generated with the free and open source OpenSSH client built into Windows 10 or with PuTTY for Windows 8.1 and earlier.

Over the following few steps, we’ll guide you through the process of generating SSH keys using Ubuntu on WSL, OpenSSH, and PuTTY.

Requirements

All you need is a PC running Windows and one of the following installed:

  • Ubuntu on WSL
  • the OpenSSH client built into Windows 10
  • PuTTY (for Windows 8.1 and earlier)

If you don’t already have Ubuntu on WSL, take a look at our Install Ubuntu on WSL tutorial.

Originally authored by Graham Morrison.


2. Passphrase considerations

When creating the SSH key pair, as shown in the following steps, you can choose to either lock your private key with a passphrase or use no passphrase at all.

Adding a passphrase requires the same passphrase to be entered whenever the key pair is used. Not adding a passphrase removes this requirement. For this reason, creating a key pair without a passphrase is more convenient and potentially essential for certain scripts and automation tasks. But it’s also less secure.

If a third party gains access to a private key without a passphrase, they will be able to access all connections and services using the public key.

A good compromise between convenience and security is to generate a separate key pair for each service or connection you want to use, adding a passphrase only for critical services. If you suspect a key has been compromised, simply generate a new pair for that service and remove the less secure key.


3. Key generation with Ubuntu on WSL

Launch Ubuntu on WSL from the start menu and make sure SSH is installed by entering the following command at the command prompt:

sudo apt install openssh-client

The key generation process is identical to the process on a native Linux or Ubuntu installation. With SSH installed, run the SSH key generator by typing the following:

ssh-keygen -t rsa

You will be asked two questions. The first asks where to save the key, and you can press return to accept the default value. The second question asks for the passphrase. As discussed, entering a passphrase will require you to use the same passphrase whenever the key is accessed.

However, the passphrase isn’t a requirement, and pressing return (twice) will generate a key pair without one. Consequently, you won’t be asked for a passphrase when using your key.

When the process has finished, the private key and the public key can be found in the ~/.ssh directory accessible from the Ubuntu terminal, or the following folder from Windows file manager:

\\wsl$\Ubuntu\home\<username>\.ssh\
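The advice in the passphrase section, one key pair per service with passphrases on the critical ones, can be scripted from the Ubuntu terminal. The following is an added example, not part of the original tutorial: the function names, service labels and passphrase are constructed, and it relies on the standard ssh-keygen options -f, -C, -N, -y, -P and -p, which the tutorial itself does not use.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial). Service labels and the passphrase
# used when calling these functions are constructed placeholders.

# Create a key pair named after the service it will be used for.
#   $1 = key directory, $2 = service label, $3 = passphrase ("" for none)
make_service_key() {
    local dir="$1" service="$2" passphrase="$3"
    mkdir -p "$dir" && chmod 700 "$dir"
    # -f sets the file name, -C the comment stored in the public key,
    # -N the passphrase for the new private key, -q suppresses the key art.
    ssh-keygen -q -t rsa -f "$dir/id_rsa_$service" -C "$service" -N "$passphrase"
}

# Exit status 0 when the private key loads with an empty passphrase,
# meaning it is stored on disk without passphrase protection.
is_unprotected() {
    ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Print the path of every private key in a directory that has no passphrase.
audit_keys() {
    local dir="$1" pub key
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue          # no key pairs in this directory
        key="${pub%.pub}"                  # private key sits beside the .pub
        [ -f "$key" ] && is_unprotected "$key" && echo "$key"
    done
    return 0
}

# Typical use from the Ubuntu terminal:
#   make_service_key ~/.ssh github  'a-long-constructed-passphrase'
#   make_service_key ~/.ssh backups ''
#   audit_keys ~/.ssh                # prints each key that has no passphrase
#   ssh-keygen -p -f ~/.ssh/id_rsa_backups   # add a passphrase later
```

Any key that audit_keys prints is usable by whoever can read the file, so it is a candidate for either a passphrase or replacement with a new pair.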


4. Key generation with OpenSSH

Recent versions of Windows 10 include the OpenSSH client by default, but if yours does not or you’re unsure, follow these steps:

Open Settings and then navigate to Apps > Apps and Features > Optional Features.

Scan this list to see if OpenSSH client is already installed. If not, at the top of the page select Add a feature, then, to install the OpenSSH client, locate OpenSSH Client and click Install.

Once the installation completes, return to Apps > Apps and Features > Optional Features and you should see the OpenSSH component(s) listed.

You can optionally install the OpenSSH client using PowerShell. First, launch ‘Windows PowerShell’ as an Administrator. To check the status of the OpenSSH client, type the command:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Client*'

This should return:

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

If OpenSSH client is listed as “NotPresent”, you can install it by typing:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

The command should return:

Path          :
Online        : True
RestartNeeded : False

Finally, to generate your keys, launch ‘Windows PowerShell’ as an Administrator, and type:

ssh-keygen


5. Key generation with PuTTY

To generate a key pair with the PuTTY key generator, simply run puttygen.exe and click the Generate button in the window that appears.

You will be asked to move the mouse and press keys to improve the random number generation at the heart of SSH security. After this, the raw contents of the public key will be displayed alongside its fingerprint and a timestamp comment.

Two important fields, Key passphrase and Confirm passphrase, allow you to enter a passphrase to protect the private key.

Finally, you will need to export both the private and public keys separately:

  • to export the private key, select Export OpenSSH key from the Conversions menu
  • to export the public key, click Save public key from the main window

Public keys typically use the .pub suffix. By convention, the private key is usually called id_rsa and the public key id_rsa.pub, but this isn’t a requirement. It’s common, for instance, to have many keys with more descriptive filenames.


6. Getting help