Generate an SSH Key on Windows 11

Learn how to generate an SSH key on Windows 11 using the built-in OpenSSH client. No third-party tools required.


To connect to your servers using an SSH key, you first need to generate a key pair on your local machine. This guide shows how to generate and secure your SSH key on Windows 11 using the built-in OpenSSH client.

Verify OpenSSH Is Installed

Windows 11 ships with an OpenSSH client pre-installed. To confirm, open Terminal (press Win + X and select Terminal) and run:

ssh -V

You should see a version string like OpenSSH_for_Windows_9.x. If the command is not recognized, you can enable it via Settings → System → Optional Features → Add a feature → OpenSSH Client.

Generate an SSH Key Pair

In your Terminal window, run:

ed25519 key (default)
ssh-keygen -t ed25519 -a 100
RSA key (legacy)
ssh-keygen -t rsa -b 4096 -a 100

The -a 100 option increases the bcrypt KDF rounds, slowing down brute-force attempts if someone gets your encrypted private key. It does nothing if you do not use a passphrase.

You will be asked where to save the key file. Press Enter to use the default location.

Enter file in which to save the key (C:\Users\yourname\.ssh\id_ed25519):

You will be prompted to enter a passphrase. It is recommended to use a passphrase, but it is not mandatory. If you choose to use a passphrase, make sure it is a strong one.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your key pair will be created and saved under C:\Users\yourname\.ssh\, the private key as id_ed25519 or id_rsa depending on the type of key you generated, and the public key as id_ed25519.pub or id_rsa.pub.

View Your Public Key

ed25519 key
Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub
RSA key
Get-Content $env:USERPROFILE\.ssh\id_rsa.pub

You can also copy it directly to your clipboard:

ed25519 key
Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub | Set-Clipboard
RSA key
Get-Content $env:USERPROFILE\.ssh\id_rsa.pub | Set-Clipboard

Setting Correct Permissions

Windows uses ACLs instead of Unix-style chmod. The private key should only be readable by your user account. If you copied the key from somewhere, run the following in an elevated Terminal to lock down the permissions:

$keyPath = "$env:USERPROFILE\.ssh\id_ed25519"

# Remove inherited permissions
icacls $keyPath /inheritance:r

# Grant read access only to your user
icacls $keyPath /grant "${env:USERNAME}:(R)"
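
To confirm the lock-down took effect, the following added example (not part of the original guide) reads the key's ACL and reports inheritance or unexpected entries. The function name Test-KeyAcl is hypothetical, and accepting SYSTEM and Administrators alongside your own account is an assumption of this example.

```powershell
# Added example: audit a private key's ACL. Test-KeyAcl is a hypothetical name.
function Test-KeyAcl {
    param([string]$Path = "$env:USERPROFILE\.ssh\id_ed25519")

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Key file not found: $Path"
    }

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Assumption of this example: only these principals may hold access.
    $allowed = @(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # you
        'S-1-5-18'       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )

    $findings = @()

    # /inheritance:r should have left the ACL protected from the parent folder.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled on the key file.'
    }

    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate($sidType).Value
        } catch {
            $sid = $rule.IdentityReference.Value  # orphaned or unresolvable account
        }
        if ($allowed -notcontains $sid) {
            $findings += "Unexpected access: $($rule.IdentityReference) has $($rule.FileSystemRights)"
        }
    }

    return $findings
}

$issues = @(Test-KeyAcl)
if ($issues.Count -eq 0) {
    'OK: only expected accounts can read the private key.'
} else {
    $issues
}
```

Run it again whenever you copy the key to a new machine or folder, since a copied file picks up the destination folder's inherited permissions.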

Add the Key to the SSH Agent

Windows includes an SSH agent service called ssh-agent. Start it and add your key so you don’t have to type your passphrase every time.

First, make sure the service is running (requires an elevated/admin Terminal):

Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

Then add your private key:

ed25519 key
ssh-add $env:USERPROFILE\.ssh\id_ed25519
RSA key
ssh-add $env:USERPROFILE\.ssh\id_rsa