
Understanding SSH Key Pairs

When you connect to a server using SSH or SFTP (for example, using Git or WinSCP), there are *four* important keys in use. They form two “key pairs” — a key pair is two keys that work together.

This guide explains each of these keys in simple terms and helps you understand which ones you, as a user, need to know about.

🔐 What is Public Key Cryptography?

SSH uses something called public key cryptography, also known as *asymmetric cryptography*.1 It’s a type of security system that works with two different keys:

- A private key: This must always be kept secret.
- A public key: This can be shared with others.

These two keys are created as a pair and work together.

Here’s how it works:

- One person locks the message with the public key.
- Only the matching private key can unlock it.

This means you can safely share the public key, and people can send you messages that only *you* can unlock using your private key.

In SSH, this key system is used in *both directions*:

1. The user (you) proves their identity to the server.
2. The server proves it is real to the user.

So there are two pairs of keys involved:

- One key pair belongs to the server (called a host key).
- One key pair belongs to the user (you).

Let’s look at each of the four keys.

🧍‍♂️ User Private Key

This is your personal secret key. It is saved on your computer and should never be shared with anyone — not even with the server admin. This key proves you are really you when you connect to the server.

- You create the private key on your own computer using a tool like PuTTYgen.
- It should be protected by a passphrase — which is like a very strong password.
  1. The passphrase makes the key safer, so even if someone steals your private key file, they still can’t use it.
  2. Make sure your passphrase is long and hard to guess (this is why it’s called a *passphrase*, not just a password).

There are different formats for private key files. If you’re using WinSCP, it uses the PuTTY format, which ends in `.ppk`.

🔒 Remember: Never share your private key. Keep it safe and protected.

📢 User Public Key

This is the matching key to your private key. It’s created at the same time. Unlike the private key, this can be shared with others — it’s safe to send your public key to a server.

When you want to log into a server using SSH or SFTP:

- The server needs your public key to recognize you.
- You (the user) send the public key to the server admin.
- The server stores your public key in a file called `~/.ssh/authorized_keys`.

This lets the server say: “Yes, this person’s private key matches the public key I have — they are allowed to connect.”

This system is called *public key authentication*. It lets you log in without entering your password every time, and it’s much more secure than using passwords.

Want to learn more? Read about public key authentication and how to set it up properly.

🖥️ Host Private Key

This private key belongs to the server (not you).

- It’s created when the server is first set up.
- It is stored in a protected folder on the server.
- Only the server admin should have access to this key.

As a user, you do not need to worry about the host private key. You will never use or see it.

The server uses it to prove its identity to your computer, just like you use your private key to prove your identity to the server.

🌐 Host Public Key

This is the public version of the server’s private key.

- It is safe for you (the user) to see and store.
- It helps your computer verify that it is connecting to the correct server.

When you connect to a server for the first time, your SSH tool (like Git Bash, VS Code terminal, or WinSCP) will show you the server’s host public key. This is your chance to make sure the key is correct.

Usually:

- You get this key from the server admin or website in advance.
- You compare the key you see with the key you were given.
- If it matches, you can save and trust the connection.

Once your system saves the host public key, it will automatically check it every time you connect again. If the key ever changes, your computer will show a warning — this could mean the server changed, or it might be a sign of a security issue (like someone trying to trick you).

So:

- First connection: You approve the host public key.
- Next connections: It’s auto-checked.
- If it changes: You get a warning.
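The checks described above for a public key line (the same `type base64 comment` format is used in `authorized_keys` and for host keys) and the host key procedure (first connection: approve the fingerprint; later connections: compared automatically; changed key: warning), as an added example that is not part of the WinSCP documentation. It computes the SHA256 fingerprint the way `ssh-keygen -lf` prints it and keeps a trust-on-first-use store in memory instead of `~/.ssh/known_hosts`; the Ed25519 keys and the `.invalid` host name are constructed sample values.

```python
import base64
import hashlib
import struct

def make_ed25519_line(fill_byte: int, comment: str) -> str:
    """Build a constructed ssh-ed25519 public key line (dummy key, not a real server)."""
    pub = bytes([fill_byte]) * 32  # placeholder for the 32-byte Ed25519 public value
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_public_key_line(line: str):
    """Parse one 'type base64 [comment]' line as found in authorized_keys or known_hosts."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; both copies must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type mismatch between text and blob")
    return key_type, blob, comment

def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding removed."""
    _, blob, _ = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts: dict, host: str, presented: str, expected_fp=None) -> str:
    """Trust-on-first-use check mirroring an SSH client.
    Returns 'NEW' (first connection, key stored after fingerprint approval),
    'OK' (matches the saved key) or 'CHANGED' (warning: saved key differs)."""
    fp = fingerprint(presented)
    saved = known_hosts.get(host)
    if saved is None:
        # First connection: compare with the fingerprint the admin gave you before trusting it.
        if expected_fp is not None and expected_fp != fp:
            raise ValueError("fingerprint does not match the one you were given; do not connect")
        known_hosts[host] = presented
        return "NEW"
    return "OK" if fingerprint(saved) == fp else "CHANGED"
```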

You can read more about this here: Host key FAQs and how to verify and accept a server key.

✅ Summary (in simple points)

- SSH uses two key pairs: one for you (the user), and one for the server.
- Each pair has a private key (kept secret) and a public key (can be shared).
- Your private key stays on your computer, locked with a strong passphrase.
- Your public key is given to the server so you can log in securely.
- The server’s host key helps your computer know it’s connecting to the right server.

Always keep your private key safe. Never share it. If you’re not sure about a key, ask before you accept it.

  1. The text is partially copied from the Wikipedia article on Public-key cryptography. The text is licensed under the GNU Free Documentation License.
