Protect Your SSH Key with a Passphrase

TL;DR

You can’t directly *add* a password to an existing private key. Instead, you need to change the key by adding a passphrase when creating it or converting it to a new format that supports passphrases. This guide shows you how.

How to Add a Passphrase to Your SSH Key

  1. Understand the Difference: A private key itself doesn’t have a password. It’s encrypted with a passphrase, which is what protects it.
  2. Check if your key already has a passphrase: Use this command, which tries to load the private key with an empty passphrase:
    ssh-keygen -y -P "" -f ~/.ssh/id_rsa

    If it prints the public key, the key has no passphrase and you need to add one. If it fails with an incorrect passphrase error, you don’t need to follow these steps – your key is already protected!

  3. Convert Your Key (Recommended): This protects your existing key file with a passphrase. The key pair itself stays the same, so the public key already on your servers keeps working.
    • Use ssh-keygen with the `-p` option. Replace ‘id_rsa’ with your actual private key filename:
      ssh-keygen -p -f ~/.ssh/id_rsa
    • You will be prompted to enter your *old* passphrase (if you have one). If you don’t, just press Enter.
    • Then, you’ll be asked to enter a *new* passphrase twice for confirmation. Choose a strong, memorable passphrase!
  4. Create a New Key (Alternative): If you prefer a completely new key file:
    • Generate a new key pair with ssh-keygen and specify a filename:
      ssh-keygen -t rsa -b 4096 -f ~/.ssh/new_id_rsa
    • You will be prompted to enter a passphrase twice. This is the passphrase that will protect your new key.
  5. Update Your SSH Config (Important): If you created a *new* key, you need to tell your computer to use it, and each server where you log in with it needs the new public key (~/.ssh/new_id_rsa.pub) in its authorized_keys file.
    • Edit your ~/.ssh/config file. If it doesn’t exist, create it.
    • Add or modify an entry for the server:
      Host example.com
        HostName example.com
        User your_username
        IdentityFile ~/.ssh/new_id_rsa

      Replace ‘example.com’, ‘your_username’ and ‘~/.ssh/new_id_rsa’ with the correct values.

  6. Test Your Connection: Try connecting to your server using SSH:
    ssh example.com

    You should be prompted for your *new* passphrase. If it works, you’ve successfully added a passphrase!

Important Security Notes

  • Strong Passphrase: Use a long and complex passphrase – at least 16 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols.
  • Passphrase Agent: Consider using an SSH agent (like `ssh-agent`) to avoid entering your passphrase every time you connect.
  • Key Permissions: Ensure your private key file has the correct permissions: chmod 600 ~/.ssh/id_rsa or chmod 600 ~/.ssh/new_id_rsa. This prevents others from reading it.
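
To check a key file without calling ssh-keygen, the sketch below reads the file's header to see whether the key is encrypted and checks the file permissions mentioned above. It is an added example, not part of the original guide; the function names are made up for illustration, and the sample keys are constructed header-only data, not usable keys.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\0"  # start of the decoded OpenSSH private key body

def is_encrypted(key_text):
    """Return True if the private key text is protected by a passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Legacy PEM keys flag encryption in a "Proc-Type: 4,ENCRYPTED" header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    # The cipher name follows the magic as a length-prefixed string;
    # "none" means the key material is stored unencrypted.
    (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"

def audit_key(path):
    """Return a list of findings for one private key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set, i.e. looser than chmod 600
        findings.append("permissions %03o allow group/other access" % mode)
    with open(path, encoding="ascii") as fh:
        if not is_encrypted(fh.read()):
            findings.append("no passphrase")
    return findings

def sample_key(cipher, kdf):
    """Constructed sample: only the header fields of the format, not a usable key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body

if __name__ == "__main__":
    for cipher, kdf in ((b"none", b"none"), (b"aes256-ctr", b"bcrypt")):
        print(cipher.decode(), "encrypted:", is_encrypted(sample_key(cipher, kdf)))
```

Call audit_key() on each private key in ~/.ssh; an empty list means the key has a passphrase and is readable only by its owner.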