Working with SSH key passphrases - giobim/Some-help-from-my-Friends GitHub Wiki

This article will walk you through the process of securing your SSH keys and configuring an authentication agent so that you won't have to re-enter your passphrase every time you use your keys.

Why do I need a passphrase?

Passwords aren't very secure. If you use one that's easy to remember, it's also easier to guess or brute-force (try many options until one works). If you use one that's random, it's hard to remember, and thus you're more inclined to write it down. Both of these are Very Bad Things.

This is why you're using SSH keys. Of course, using a key without a passphrase is basically the same as writing down a random password: anyone who gains access to your computer has gained access to every system you use that key with. This is also a Very Bad Thing. The solution is to add a passphrase to the SSH key for an extra layer of security.

But I don't want to enter a long passphrase every time I use the key!

Neither do I! Thankfully, there's a nifty little tool called ssh-agent that can securely save your passphrase, so you don't have to re-enter it. If you're on OS X Leopard or later, your keys can be saved in the system's keychain to make your life even easier. Most Linux installations will automatically start ssh-agent for you when you log in.

Adding or changing a passphrase

You can change the passphrase for an existing private key without regenerating the keypair. Just type the following command:

$ ssh-keygen -p
# Change the passphrase on an existing private key
Enter file in which the key is (/Users/you/.ssh/id_rsa): [Hit enter]
Key has comment '/Users/you/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): [Type new passphrase]
Enter same passphrase again: [One more time for luck]
Your identification has been saved with the new passphrase.

If your key already has a passphrase, you will be prompted to enter it before you can change to a new passphrase.
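To find out which private keys still have no passphrase, the key file itself can be inspected without unlocking it. The following is an added example, not part of the original article: the function names are hypothetical, and the sample keys it builds are constructed header-only blobs that contain no key material.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # start of the new-format private key blob

def key_protection(pem_text: str) -> str:
    """Classify key text: encrypted, unencrypted, unparseable, not-a-private-key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return "not-a-private-key"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return "encrypted"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "unparseable"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "unparseable"
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))  # length of ciphername
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        if len(cipher) != n:
            return "unparseable"
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): a passphrase shows up as a Proc-Type header.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4]):
        return "encrypted"
    return "unencrypted"

def audit_ssh_dir(directory) -> dict:
    """Map file name -> protection status for every private key in directory."""
    results = {}
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        status = key_protection(path.read_text(errors="replace"))
        if status != "not-a-private-key":
            results[path.name] = status
    return results

def constructed_openssh_key(cipher: bytes) -> str:
    """Constructed sample: header fields only, no key material inside."""
    fields = [cipher, b"none" if cipher == b"none" else b"bcrypt", b""]
    blob = MAGIC + b"".join(struct.pack(">I", len(f)) + f for f in fields)
    b64 = base64.b64encode(blob + struct.pack(">I", 1)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print({c: key_protection(constructed_openssh_key(c)) for c in (b"none", b"aes256-ctr")})
```

Point `audit_ssh_dir` at your own `~/.ssh` directory; any key reported as `unencrypted` is a candidate for `ssh-keygen -p`.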