Creating SSH Keys on macOS Sierra

Post updated by Matt Makai on April 28, 2017. Originally posted on February 20, 2017.

Deploying Python applications typically requires SSH keys. An SSH key has both a public and a private key file. You can use the private key to authenticate when syncing remote Git repositories, connect to remote servers and automate your application's deployments via configuration management tools like Ansible. Let's learn how to generate SSH key pairs on macOS Sierra.

Generating New Keys

Bring up a new terminal window on macOS by going into Applications/Utilities and opening "Terminal".

New macOS terminal window.

The ssh-keygen command provides an interactive command line interface for generating both the public and private keys. Invoke ssh-keygen with the following -t and -b arguments to ensure we get a 4096 bit RSA key. Note that you must use a key with 2048 or more bits in macOS Sierra or the system will not allow you to connect to servers with it.

Optionally, you can also specify your email address with -C (otherwise one will be generated off your current macOS account):

ssh-keygen -t rsa -b 4096 -C [email protected]

The first prompt you will see asks where to save the key. However, there are actually two files that will be generated: the public key and the private key.

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/matt/.ssh/id_rsa):

This prompt refers to the private key and whatever you enter will also generate a second file for the public key that has the same name and .pub appended.

If you already have a key then specify a new filename. I use many SSH keys so I oftne name them "test-deploy", "prod-deploy", "ci-server" along with a unique project name. Naming is one of those hard computer science problems, so take some time to come up with a system that works for you!

Next you will see a prompt for an optional passphrase:

Enter passphrase (empty for no passphrase):

Whether or not you want a passphrase depends on how you will use the key. The system will ask you for the passphrase whenever you use the SSH key, although macOS can store the passphrase in your system Keychain after the first time you enter it. However, if you are automating deployments with a continuous integration server like Jenkins then you will not want a passphrase.

Note that it is impossible to recover a passphrase if it is lost. Keep that passphrase safe and secure because otherwise a completely new key would have to be generated.

Enter the passphrase (or just press enter to not have a passphrase) twice. You'll see some output like the following:

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/matt/.ssh/deploy_prod.
Your public key has been saved in /Users/matt/.ssh/deploy_prod.pub.
The key fingerprint is:
SHA256:UnRGH/nzYzxUFS9jjd0wOl1ScFGKgW3pU60sSxGnyHo [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|        ..+o++**@|
|       . +.o*O.@=|
|        . oo*=B.*|
|       . .  =o=+ |
|      . S E. +oo |
|       . .  .  =.|
|              . o|
|                 |
|                 |
+----[SHA256]-----+

Your SSH key is ready to use!

What now?

Now that you have your public and private keys, I recommend building and deploying some Python web apps such as:

Additional ssh-keygen command resources:

Questions? Contact me via Twitter @fullstackpython or @mattmakai. I'm also on GitHub with the username mattmakai.

See something wrong in this post? Fork this page's source on GitHub and submit a pull request.


Matt Makai 2012-2022