To generate an SSH key you run one command: ssh-keygen -t ed25519, then press Enter to accept the default path and set a passphrase. That gives you two files, a private key you guard and a matching .pub you can hand to any server, GitHub or GitLab. ed25519 is the modern default in 2026; only fall back to RSA 4096 for ancient servers that have not heard of it yet. The exact same command works in the terminal on Linux and macOS and in PowerShell on Windows 10 and 11. Here's the command, what each prompt is really asking, how to copy the public key onto a server the easy way, and the passphrase question most people get wrong.
The short answer
Run ssh-keygen -t ed25519, accept the default path, and set a passphrase.
Keep the private key, share the .pub. Same command everywhere, and
ssh-copy-id user@host installs the public key on a server for you.
Step 1: run ssh-keygen
ssh-keygen -t ed25519 -C "you@example.com"
The -C part is just a label baked into the key so you recognize it later; an
email or “laptop-2026” both work. On Windows, run the identical command in
PowerShell.
Step 2: answer the two prompts
It asks where to save the key: press Enter to accept ~/.ssh/id_ed25519,
unless you are juggling several keys and want a custom name. Then it asks for a
passphrase. Set one. It encrypts the private key, so the file alone is
useless to anyone who copies it. You type it once per session.
Step 3: copy the public key to a server
The easy way, on Linux and macOS:
ssh-copy-id user@host
That appends your .pub to the server’s ~/.ssh/authorized_keys. No
ssh-copy-id (Windows, mostly)? Print the public key and paste it into that file
by hand:
cat ~/.ssh/id_ed25519.pub
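The by-hand install from Step 3, as an added example that is not part of the original article: a POSIX shell function to run on the server that appends a .pub line to authorized_keys only once, sets the permissions sshd expects, and refuses a private key. The function name install_pubkey and the sample key in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys by hand.
# Usage: install_pubkey PUBFILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key: that file never leaves your machine.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 2
    fi

    # A public key is one line: "type base64 [comment]". Accept ed25519 or RSA.
    key=$(head -n 1 "$pub")
    case $key in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*) ;;
        *) echo "$pub is not an ed25519 or RSA public key" >&2; return 3 ;;
    esac

    # sshd's StrictModes (on by default) rejects keys kept in files or
    # directories that other users can write to.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth" && return 0
    printf '%s\n' "$key" >> "$auth"
}

# Demo on constructed input in a scratch directory (not your real ~/.ssh).
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyOnly laptop-2026' \
    > "$demo/id_ed25519.pub"
install_pubkey "$demo/id_ed25519.pub" "$demo/.ssh" && ls -l "$demo/.ssh"
rm -rf "$demo"
```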
RSA, only if you have to
Hit a server too old for ed25519? Make an RSA key instead, and use 4096 bits, never the old 2048 default:
ssh-keygen -t rsa -b 4096
The passphrase question, honestly
People skip the passphrase because typing it feels like friction. It is not. An agent caches it after the first use, so day to day you never notice, and the payoff is that a leaked private key is just an encrypted blob. The only place I leave it empty is a throwaway key for automation that nothing important trusts.
Frequently asked questions
Which key type should I use, ed25519 or RSA?
Use ed25519. It is fast, the keys are tiny, and the security is excellent. The only reason to generate an RSA key with "ssh-keygen -t rsa -b 4096" is an old server or device that does not support ed25519 yet.
Should I set a passphrase on my SSH key?
Yes. A passphrase encrypts the private key on disk, so a stolen laptop does not hand over your servers with it. You type it once per session and an SSH agent remembers it. The one common exception is an unattended automation key, and even that is a trade-off worth thinking about.
How do I copy my public key to a server?
On Linux and macOS, "ssh-copy-id user@host" does it in one step. Anywhere else, append the contents of id_ed25519.pub to ~/.ssh/authorized_keys on the server. Never copy the private key (the file without .pub); that one never leaves your machine.
Where are the key files saved?
In the .ssh folder of your home directory: id_ed25519 (private) and id_ed25519.pub (public). That is ~/.ssh on Linux and macOS, and C:\Users\you\.ssh on Windows. The .pub file is the only one you ever share.