How to Set Up SSH Key Authentication in Windows 11
Set up SSH key authentication in Windows 11 to log into remote servers without needing passwords.
SSH key authentication uses a pair of cryptographic keys—a public key and a private key—to verify your identity, offering enhanced security over traditional password logins.
This method is crucial for secure automated deployments and streamlined access to your Linux servers from your Windows 11 machine.
You’ll learn to generate an SSH key pair using the built-in OpenSSH client, which has been standard in Windows 10 and 11 since version 1809.
Open Windows Terminal and run ssh-keygen -t ed25519 -C "your-email@example.com" to generate your public and private keys. Press Enter to accept the default save location and optionally add a passphrase for extra security.
Why Use SSH Key Authentication?
SSH keys are more secure than passwords. These keys use complex codes, making them incredibly difficult to crack. You won’t need to remember or type passwords every time you connect to a server. This saves time and keeps your accounts safer.
What You Need Before Starting
Windows 11 already includes the built-in OpenSSH client you need for SSH key authentication, so you can get started right away without downloading any software.
How to Create SSH Keys in Windows 11
Creating SSH keys is the first step. You will make two keys: a public key and a private key. The public key goes on servers. The private key stays on your computer only.
Step 1: Open Windows Terminal
Click the Windows Start button. Type “Windows Terminal” and open it.
You might be wondering why we’re using Windows Terminal. It’s a more secure and user-friendly option compared to the older Command Prompt.
Step 2: Generate Your SSH Key Pair
To set up SSH key authentication in Windows 11, you’ll start by generating a new SSH key pair using a simple command in Windows Terminal.
ssh-keygen -t ed25519 -C "your-email@example.com"
This command generates a new SSH key using the Ed25519 algorithm. It’s currently the newest and most secure method available. GitHub and other services recommend it.
If your computer is older, you can use this command instead:
ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
This creates a 4096-bit RSA key, which is also secure.
Step 3: Choose Where to Save Your Key
The command will ask: “Enter a file in which to save the key”
Press Enter to accept the default location.
Your keys will be saved in a location like this: C:\Users\YourUsername\.ssh (just replace `YourUsername` with your actual Windows account name).
Step 4: Add a Passphrase (Optional but Recommended)
Adding a passphrase when generating your SSH key pair in Windows 11 is optional but highly recommended for extra security.
You can type a strong password here or leave it blank and press Enter.
If you add a passphrase, it adds an extra layer of protection. If someone gets your private key file, they still can’t use it without the passphrase.
If you add a passphrase, you’ll type it each time you use the key.
Step 5: Confirm Key Generation
After running the command, you’ll see a confirmation message in Windows Terminal indicating that your SSH key pair was successfully generated.
Your identification has been saved in /home/user/.ssh/id_ed25519.
Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxx
This means your key pair is ready to use.
Understanding Your SSH Folder Structure
Your SSH keys and related files are stored in a special hidden folder named `.ssh` within your user profile on Windows 11.
Folder location: C:\Users\YourUsername\.ssh
Files inside:
- id_ed25519 – Your private key (keep this secret)
- id_ed25519.pub – Your public key (share this)
- authorized_keys – Keys allowed to log in (created later)
- config – Settings for SSH connections (optional)
The dot (.) in the folder name makes it hidden on Windows. This helps keep your keys out of sight.

File Permissions: Keep Your Keys Safe
Correct file permissions are crucial for SSH key authentication in Windows 11 to ensure your private key remains secure and inaccessible to others.
- Private key (id_ed25519) should be readable only by you (equivalent to 600)
- Public key (id_ed25519.pub) can be readable by anyone (equivalent to 644)
- The .ssh folder itself should be accessible only by you (equivalent to 700)
If permissions are wrong, SSH will refuse to use your key for security reasons.
Good news: on Windows, OpenSSH usually handles these permissions automatically, so you likely won’t need to adjust anything.
How to Generate Multiple SSH Keys for Different Services
Using a separate key for each service is a safer approach because each key can then be restricted to accessing only a specific service. You might need separate keys for GitHub, work servers, and personal servers.
Creating a Second SSH Key
You can easily create a second SSH key pair in Windows 11 for different purposes, like work or personal projects, by using a specific command.
ssh-keygen -t ed25519 -C "work-email@company.com" -f "C:\Users\YourUsername\.ssh\id_ed25519_work"
Replace:
- work-email@company.com with your work email
- YourUsername with your Windows account name
- id_ed25519_work with a name for this key
A new key pair is created with a different name. You can now have multiple keys for different purposes.
Telling SSH Which Key to Use
To manage multiple SSH keys in Windows 11, you can create a `config` file in your `.ssh` folder to tell SSH which key to use for specific hosts.
Host github.com
    HostName github.com
    User git
    IdentityFile C:\Users\YourUsername\.ssh\id_ed25519

Host work-server
    HostName work.example.com
    User workuser
    IdentityFile C:\Users\YourUsername\.ssh\id_ed25519_work
Replace the paths and hostnames with your actual information.
Save this file as `config` (without any file extension) in your `.ssh` folder.
This configuration helps SSH automatically select the correct key when you connect to a specific server.
Adding Your Key to the SSH Agent
The SSH Agent remembers your keys so you don’t type your passphrase repeatedly.
Step 1: Start the SSH Agent
Open Windows Terminal as Administrator (right-click and select “Run as Administrator”).
⚠️ Note: This step requires administrator privileges. Type the following command and then press Enter:
Set-Service -Name ssh-agent -StartupType Automatic
Next, start the service:
Start-Service ssh-agent
The SSH Agent service starts and will remember your keys.
Step 2: Add Your Key to the Agent
In the same Terminal window, run:
ssh-add C:\Users\YourUsername\.ssh\id_ed25519
Replace YourUsername with your actual Windows account name.
If you set a passphrase, type it when asked.
Your key is loaded into the agent. You won’t need to type your passphrase again for this session.
Copying Your Public Key to a Server
Your public key needs to be on the SSH server. This is what lets the server recognize you.
Method 1: Using PowerShell (Easiest)
The easiest way to add your SSH public key to a remote server in Windows 11 is by using a simple PowerShell command.
type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh user@192.168.1.100 "cat >> ~/.ssh/authorized_keys"
Replace:
- user with your username on the remote server
- 192.168.1.100 with the server’s IP address
Type your password when prompted.
Your public key is then copied to the server and appended to the `authorized_keys` file. The server will now accept your key.
Method 2: Manual Copy (If Method 1 Doesn’t Work)
If the automated method doesn’t work, you can manually copy your SSH public key from Windows 11 to the server’s `authorized_keys` file.
type $env:USERPROFILE\.ssh\id_ed25519.pub
Copy the entire output (it looks like a long jumbled line).
Then, log into your server with SSH and password:
ssh user@192.168.1.100
On the server, create the SSH folder if it doesn’t exist:
mkdir -p ~/.ssh
Create the authorized_keys file and paste your public key:
echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
Replace YOUR_PUBLIC_KEY_HERE with what you copied earlier.
Set correct permissions:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
These commands make sure only you can read your authorized_keys file.
Understanding the authorized_keys File
The `authorized_keys` file on your server is where you list the public SSH keys that are allowed to log in, acting as a security list.
Location on server: ~/.ssh/authorized_keys (usually in your home folder)
File format: Each public key takes up one line and starts with “ssh-ed25519” or “ssh-rsa”
Only keys listed in authorized_keys can log in. This is your server’s security control.
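When a login still asks for a password after either copy method, the usual causes are the two things described above: wrong modes on the server, or a key that a wrapped paste split over more than one line. The script below is an added example, not part of the original guide; the function name and the sample entries are constructed, and it recognizes only the two key types this guide names.

```shell
#!/bin/sh
# audit_authorized_keys DIR: check the modes this guide sets (700 on the
# folder, 600 on the file) and that every entry is one complete line.
# Prints one finding per problem and returns 0 only when there are none.
# stat -c %a is the GNU coreutils form found on Linux servers.
audit_authorized_keys() {
    dir=$1; file=$dir/authorized_keys
    findings=$(
        [ "$(stat -c %a "$dir")" = 700 ]  || echo "mode: folder is not 700"
        [ "$(stat -c %a "$file")" = 600 ] || echo "mode: authorized_keys is not 600"
        awk '
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            {
                type = ""; blob = ""
                for (i = 1; i < NF; i++)       # options may precede the key type
                    if ($i == "ssh-ed25519" || $i == "ssh-rsa") {
                        type = $i; blob = $(i + 1); break
                    }
                if (type == "")
                    print "line " NR ": no key type (wrapped paste?)"
                else if (blob !~ /^[A-Za-z0-9+\/]+=*$/ || length(blob) % 4)
                    print "line " NR ": key data is not complete base64"
                else if (type == "ssh-ed25519" && length(blob) != 68)
                    print "line " NR ": ssh-ed25519 key data should be 68 characters"
            }' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample (filler text, not real keys): one complete entry, then
# an entry that a wrapped paste split over two lines, in a file left at 644.
pad() { printf "%0$1d" 0 | tr 0 B; }          # N filler base64 characters
prefix=AAAAC3NzaC1lZDI1NTE5AAAAI              # start of every ssh-ed25519 blob
demo=$(mktemp -d); chmod 700 "$demo"
{
    printf 'ssh-ed25519 %s%s user@laptop\n' "$prefix" "$(pad 43)"
    printf 'ssh-ed25519 %s%s\n' "$prefix" "$(pad 20)"
    printf '%s user@laptop\n' "$(pad 23)"
} > "$demo/authorized_keys"
chmod 644 "$demo/authorized_keys"

audit_authorized_keys "$demo" || echo "fix the findings above, then test the login again"
```

On a real server, call it as audit_authorized_keys ~/.ssh after pasting your key.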
How to Disable Password Authentication
Once your keys are working, you can turn off password logins for extra security.
⚠️ Warning: Do this only after testing that your SSH key works. Otherwise, you’ll lock yourself out.
Step 1: Log Into Your Server
Connect with SSH:
ssh user@192.168.1.100
If your key is working, you should log in without entering a password.
Step 2: Edit the SSH Configuration File
On the server, open the SSH config file with a text editor:
sudo nano /etc/ssh/sshd_config
⚠️ Requires Admin Privileges on the Remote Server
Type your password if prompted.
Step 3: Find and Change These Lines
Look for these lines in the file (they might have a # at the start):
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
Change them to:
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
This turns off password login but keeps SSH key login enabled.
Step 4: Save and Restart SSH
Press Ctrl+X, then Y, then Enter to save in Nano.
Restart the SSH service:
sudo systemctl restart ssh
⚠️ Requires Admin Privileges on the Remote Server
SSH will now only accept key-based login, not passwords.
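Editing the line is only half of the check: sshd uses the first value it reads for each keyword, so a PasswordAuthentication yes in a file pulled in by an earlier Include line overrides the no you just set. The script below is an added example, not part of the original guide; the function names and sample files are constructed, and it follows Include one level deep with absolute paths only.

```shell
#!/bin/sh
# flatten FILE: print FILE with each Include line replaced by the files it
# names (one level deep, absolute paths or globs), in the order sshd reads them.
flatten() {
    while read -r key rest || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            include)
                for f in $rest; do          # unquoted on purpose: expand globs
                    if [ -f "$f" ]; then cat "$f"; fi
                done ;;
            *) printf '%s %s\n' "$key" "$rest" ;;
        esac
    done < "$1"
}

# effective_setting KEYWORD FILE: print the first uncommented value of KEYWORD
# in the global section (before any Match block). sshd keeps the first value
# it reads for a keyword, so later lines for the same keyword are ignored.
effective_setting() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    flatten "$2" | awk -v want="$want" '
        found || stop          { next }
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { stop = 1; next }
        tolower($1) == want    { print tolower($2); found = 1 }'
}

# Constructed sample: the main file says "no", but a drop-in included above
# that line says "yes" and therefore wins.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config.d/50-sample.conf"
cat > "$demo_dir/sshd_config" <<EOF
Include $demo_dir/sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "PasswordAuthentication: $(effective_setting PasswordAuthentication "$demo_dir/sshd_config")"
echo "PubkeyAuthentication:   $(effective_setting PubkeyAuthentication "$demo_dir/sshd_config")"
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart, and sudo sshd -T prints the settings sshd will actually use. Keep your current session open and confirm a key login from a second terminal before closing it.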
Creating an SSH Config File on Windows 11
A config file makes connecting to servers easier by saving settings.
Create Your Config File
Creating a `config` file in your `.ssh` folder on Windows 11 allows you to set up custom shortcuts and specify which SSH keys to use for different servers.
Host myserver
    HostName 192.168.1.100
    User myusername
    IdentityFile C:\Users\YourUsername\.ssh\id_ed25519
    Port 22

Host github
    HostName github.com
    User git
    IdentityFile C:\Users\YourUsername\.ssh\id_ed25519
Replace:
- myserver with a nickname for this server
- 192.168.1.100 with the server IP
- myusername with your username
- YourUsername with your Windows account
Save this file as `config` (no .txt) in C:\Users\YourUsername\.ssh
Using Your Config File
Now you can connect by just typing:
ssh myserver
This replaces the long command with the IP address and username.
Config files save time and reduce mistakes.
Troubleshooting SSH Key Authentication Problems
Problem: “Permission Denied (publickey)”
If you encounter a ‘Permission Denied (publickey)’ error when trying to connect via SSH in Windows 11, it usually means the server can’t find or verify your key.
How to fix it:
- Check that your public key is in the server’s ~/.ssh/authorized_keys file
- Make sure file permissions are correct:
  chmod 600 ~/.ssh/authorized_keys
- Verify you’re using the right key:
  ssh -i C:\Users\YourUsername\.ssh\id_ed25519 user@192.168.1.100
Problem: “No Such File or Directory: .ssh”
What it means: The .ssh folder doesn’t exist yet.
How to fix it:
On Windows, run:
mkdir $env:USERPROFILE\.ssh
On the remote server, run:
mkdir -p ~/.ssh
Problem: “Too Many Authentication Failures”
What it means: You tried too many wrong keys or passwords.
How to fix it:
- Wait a few minutes before trying again
- Specify which key to use:
  ssh -i C:\Users\YourUsername\.ssh\id_ed25519 user@192.168.1.100
- Check your SSH config file for errors
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
Nice one. Thanks. It might be useful to add the -i option for ssh when ssh agent is disabled.
What if Windows is the server itself?