There will be no change to our public key file.
SSH Passphrase
SSH passphrase management is simple, because we use the same command for all of the tasks below:
- To add a new passphrase
- To remove a passphrase (using ENTER)
- To change an existing passphrase
Replace ~/.ssh/id_ed25519 with the path to your actual private key file, such as ~/.ssh/id_rsa.
$ ssh-keygen -p -f ~/.ssh/id_ed25519
And follow the prompts:
- Enter old passphrase: If the key currently has no passphrase, just press Enter; otherwise type the current one.
- Enter new passphrase: Type the passphrase you want to add (press Enter to leave it empty, which removes the passphrase).
- Enter same passphrase again: Retype it to confirm.
A shortcut to set an empty passphrase (without pressing the Enter key twice):
$ ssh-keygen -f ~/.ssh/id_ed25519 -p -N ""
Where Is It Stored?
By default, the passphrase for your private SSH key is not stored anywhere as a separate text file. Instead, it is used to encrypt the private key file itself.
The secret lives in 2 places:
- Inside the private key file: After a passphrase is set, headers like ENCRYPTED or Proc-Type: 4,ENCRYPTED are added to the private key file, which indicate that the data inside is scrambled.
- In our brain: Ideally, the passphrase only exists in our memory (and sometimes in the computer's RAM).
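The following is an added example, not code from the original post. It inspects a private key file and reports whether its body is passphrase-protected, by reading the header that the section above describes: the Proc-Type: 4,ENCRYPTED line in legacy PEM keys, or the cipher name at the start of the openssh-key-v1 payload in modern keys. When ssh-keygen is installed it also runs the add / change / remove procedure from the previous section non-interactively (the -P flag supplies the old passphrase, -N the new one, so the -N "" shortcut alone still prompts for the old passphrase when the key is already encrypted) and confirms that the public key file is untouched. The sample key headers and the passphrase strings are constructed for the demo; nothing here does any cryptography, only header parsing.

```python
"""Added example: detect whether an SSH private key is passphrase-protected,
and drive `ssh-keygen -p` non-interactively to add/change/remove a passphrase.
Only key headers are parsed; no key material is decrypted."""
import base64
import os
import shutil
import struct
import subprocess
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def is_encrypted_key(text: str) -> bool:
    """True if the private key body is scrambled with a passphrase.

    Legacy PEM keys (-----BEGIN RSA PRIVATE KEY-----) carry a
    'Proc-Type: 4,ENCRYPTED' header line when a passphrase is set.
    OpenSSH-native keys (-----BEGIN OPENSSH PRIVATE KEY-----) store the
    cipher name right after the magic; 'none' means no passphrase."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        payload = base64.b64decode("".join(lines[1:-1]))  # drop BEGIN/END lines
        if not payload.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(payload, len(OPENSSH_MAGIC))
        return cipher != b"none"
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])


def build_constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED openssh-key-v1 header with no real key material, so the
    detector can be exercised offline. Real files continue after this."""
    body = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):              # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)              # number of keys
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# CONSTRUCTED legacy PEM samples (the DEK-Info IV is a placeholder, not a real key).
CONSTRUCTED_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAA
-----END RSA PRIVATE KEY-----
"""
CONSTRUCTED_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def _keygen(*args: str) -> None:
    subprocess.run(["ssh-keygen", *args], check=True, capture_output=True)


def passphrase_roundtrip():
    """Generate a throwaway key, then add, change and remove its passphrase
    with `ssh-keygen -p`, returning the encrypted state after each step
    ([fresh, added, changed, removed]). Returns None if ssh-keygen is absent."""
    if shutil.which("ssh-keygen") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_ed25519")
        _keygen("-q", "-t", "ed25519", "-N", "", "-C", "example", "-f", key)
        with open(key + ".pub") as f:
            pub_before = f.read()
        states = []
        # (old passphrase, new passphrase) for each `ssh-keygen -p` invocation;
        # the passphrase strings are constructed for the demo.
        for old, new in [(None, None), ("", "first-pass"),
                         ("first-pass", "second-pass"), ("second-pass", "")]:
            if old is not None:
                _keygen("-q", "-p", "-f", key, "-P", old, "-N", new)
            with open(key) as f:
                states.append(is_encrypted_key(f.read()))
        with open(key + ".pub") as f:
            if f.read() != pub_before:
                raise RuntimeError("public key changed; it should never")
        return states


if __name__ == "__main__":
    print("constructed encrypted openssh:",
          is_encrypted_key(build_constructed_openssh_key(b"aes256-ctr", b"bcrypt")))
    print("constructed plain openssh:",
          is_encrypted_key(build_constructed_openssh_key(b"none", b"none")))
    print("ssh-keygen round trip:", passphrase_roundtrip())
```

Pointing is_encrypted_key at a real ~/.ssh/id_ed25519 is a quick way to audit whether a key on disk is actually protected, since the passphrase itself leaves no separate file to look for.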
Helper Storage
This is optional. We can have our computer “remember” the passphrase so we don’t have to type it every time. It is stored in one of these helper tools:
SSH Agent: This stores the decrypted version of the private key in computer RAM.
macOS Keychain: This is used when the “Remember password in my keychain” option is selected.
Linux Keyring: GNOME Keyring can store the passphrase to automatically unlock the private key.
