5 Ways to Create SSH Keys from the Command Line for DeployHQ

SSH keys are the standard way to authenticate securely with remote servers — no passwords transmitted over the network, no credentials stored in plain text. If you deploy code to servers (via SFTP, SCP, or Git over SSH), you need a key pair.

Think of it like a lock and key: the public key is the lock you install on any server you want to access, and the private key stays on your machine. When you connect, SSH uses a cryptographic handshake to prove you hold the matching private key — without ever sending it across the wire.

This guide covers the three main algorithms you should know about, plus how to customise key location and add passphrase protection. If you are deploying via SSH, SFTP, or Git with DeployHQ, you can upload any of these key types as a custom key pair.


Algorithm Comparison

Before generating a key, pick the right algorithm. Here is how they compare:

| Feature | Ed25519 | ECDSA | RSA |
| --- | --- | --- | --- |
| Key size | 256-bit (fixed) | 256 / 384 / 521-bit | 2048 / 3072 / 4096-bit |
| Security strength | ~128-bit equivalent | Varies by curve | 4096-bit ≈ 128-bit equivalent |
| Performance | Fastest signing & verification | Fast | Slower (especially at 4096-bit) |
| Key file size | ~420 bytes (public) | ~180–280 bytes | ~750 bytes (4096-bit public) |
| Compatibility | OpenSSH 6.5+, most modern servers | Widely supported | Universal — works everywhere |
| Recommendation | Default choice for new keys | Good alternative | Use when legacy systems require it |

Generating an Ed25519 Key

Ed25519 is the modern default. It produces small, fast keys with strong security and is resistant to several classes of implementation vulnerabilities that affect other algorithms. Use this unless your server or hosting provider explicitly requires RSA.

ssh-keygen -t ed25519 -C "your_email@example.com"
  • -t ed25519 — selects the Ed25519 algorithm.
  • -C "your_email@example.com" — adds a comment for identification (typically your email).

You will be prompted to choose a file location (press Enter for the default ~/.ssh/id_ed25519) and an optional passphrase.


Generating an ECDSA Key

ECDSA (Elliptic Curve Digital Signature Algorithm) is a solid alternative when you need elliptic-curve security but Ed25519 is not supported. The 521-bit curve provides roughly 256-bit equivalent security.

ssh-keygen -t ecdsa -b 521 -C "your_email@example.com"
  • -t ecdsa — selects the ECDSA algorithm.
  • -b 521 — sets the curve size to 521 bits (also supports 256 and 384).

Generating an RSA Key

RSA is the oldest and most universally compatible algorithm. If you need to connect to legacy servers, embedded devices, or strict enterprise environments, RSA 4096-bit is the safe choice.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  • -t rsa — selects the RSA algorithm.
  • -b 4096 — sets the key size to 4096 bits.

RSA with SHA-2 Signatures

Some servers (notably Ubuntu 22.04+ with strict SSH configurations) reject the older SHA-1 signature scheme. If you encounter authentication failures with a standard RSA key, generate one that uses SHA-2:

ssh-keygen -t rsa-sha2-512 -b 4096

This produces the same RSA key format but ensures SHA-2 is used during the handshake. If you are troubleshooting SSH connection issues with DeployHQ, the server troubleshooting guide covers common failure scenarios.


Saving a Key to a Custom Location

By default, ssh-keygen saves keys to ~/.ssh/. To save to a different path — useful when managing multiple key pairs for different services — use the -f flag:

ssh-keygen -t ed25519 -C "your_email@example.com" -f ~/.ssh/deployhq_key
  • -f ~/.ssh/deployhq_key — writes the private key to deployhq_key and the public key to deployhq_key.pub.

This is helpful when you use separate keys for different environments (staging vs. production) or different services (GitHub, Bitbucket, DeployHQ).


Protecting a Key with a Passphrase

A passphrase encrypts your private key at rest. If someone gains access to your machine, they still cannot use the key without the passphrase.

The safest way to set a passphrase is interactively — simply run ssh-keygen without the -P flag and enter your passphrase when prompted:

ssh-keygen -t ed25519 -C "your_email@example.com"
Enter passphrase (empty for no passphrase): ••••••••••
Enter same passphrase again: ••••••••••

Security note: Avoid passing passphrases as command-line arguments (e.g. ssh-keygen -P "my_passphrase"). Arguments are visible in your shell history, process listings (ps aux), and system audit logs. Always use the interactive prompt instead.

To avoid typing your passphrase on every connection, add the key to your SSH agent:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

If you are connecting from Windows, OpenSSH on Windows includes ssh-agent support out of the box.


Uploading Your Key to DeployHQ

Once you have generated your SSH key pair, upload the public key to DeployHQ:

  1. Log in to your DeployHQ account.
  2. Navigate to your project settings.
  3. Create a new server — you will see the option to upload a custom key pair.
  4. Open your public key file (e.g. ~/.ssh/id_ed25519.pub) and copy its contents.
  5. Paste the public key into the provided field.
  6. Click Save.

DeployHQ supports Ed25519, ECDSA, and RSA key pairs. You can upload different keys for different servers within the same project.


Tips for SSH Key Management

  • Choose Ed25519 by default — it is faster, more secure, and produces smaller keys than RSA or ECDSA.
  • Use a passphrase on keys that access production servers. Combine with ssh-agent so you only type it once per session.
  • Never share your private key. Only the .pub file should be copied to servers or services.
  • Rotate keys periodically. If a key may have been compromised, generate a new pair and remove the old public key from all servers.
  • Use separate keys per service when possible — a dedicated key for DeployHQ, another for your Git host — so revoking one does not affect the others.
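
A check for the passphrase section and the tips above, added here as an example and not taken from DeployHQ: the script audits a directory of keys and flags private key files that group or other users can access, and private keys saved without a passphrase. The function names are invented for this example, and the expected mode 600 is an assumption based on OpenSSH's usual requirement for private key files.

```shell
# Added example: audit the private keys in a directory (default ~/.ssh).
# Only the first lines of each file are read; no key is loaded or decrypted.

# Base64 of "openssh-key-v1\0" + cipher "none" + KDF "none": an OpenSSH-format
# private key saved without a passphrase always starts with this string.
PLAIN_PREFIX='b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ'

# Prints encrypted, plaintext, or not-a-key for the file given as $1.
key_protection() {
    first=$(sed -n '1p' "$1" 2>/dev/null || true)
    case $first in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            case $(sed -n '2p' "$1") in
                "$PLAIN_PREFIX"*) echo plaintext ;;
                *) echo encrypted ;;
            esac ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;
        '-----BEGIN '*'PRIVATE KEY-----')
            # Legacy PEM marks encryption with a "Proc-Type: 4,ENCRYPTED" header
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
            else echo plaintext; fi ;;
        *) echo not-a-key ;;
    esac
}

# True when group and other have no permission bits on $1 (for example 600).
key_mode_ok() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Prints one line per finding; returns 1 if anything was reported.
audit_keys() {
    findings=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        if [ "$state" = not-a-key ]; then continue; fi   # .pub files, config, etc.
        if ! key_mode_ok "$f"; then
            echo "PERMS  $f: accessible by group/other, expected mode 600"; findings=1
        fi
        if [ "$state" = plaintext ]; then
            echo "NOPASS $f: private key is stored without a passphrase"; findings=1
        fi
    done
    return "$findings"
}

# Script entry point: sh audit_keys.sh [DIR]
audit_keys "${1:-$HOME/.ssh}" || echo "Review the findings listed above."
```

A PERMS finding is fixed with chmod 600 on the file; a NOPASS finding is fixed by adding a passphrase with ssh-keygen -p -f followed by the key path, which prompts interactively.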

When choosing a file transfer protocol for your deployments, understanding the differences between FTP, FTPS, and SFTP will help you pick the right one. For comparing secure copy tools, see SFTP vs SCP vs rsync.


Start Deploying with SSH Keys

DeployHQ supports custom SSH key pairs for all deployment protocols — SSH, SFTP, and Git. Generate your key, upload it, and ship code to your servers in minutes.
