SSH Keys Explained: Public vs Private
SSH keys come in a pair, and which one goes where trips everyone up. The rule is short: the public key is a padlock you hand out, the private key stays with you forever. Here's why that works.
Everyone tells you to "use SSH keys instead of passwords," then you generate a pair and freeze: which file goes on the server, and which one stays secret? Get it backwards and you either can't log in or you've leaked the keys to the kingdom. The rule is genuinely simple once you see what each half is for.
Why not just use a password
A password is a shared secret — you and the server both know it, and anything you both know can be guessed, phished, or leaked. Key-based auth replaces that with a pair of mathematically linked keys where the secret half never leaves your machine. Nothing worth stealing ever crosses the network.
The key pair
Generating a key makes two files that belong together:
ssh-keygen -t ed25519 -C "[email protected]"
# ~/.ssh/id_ed25519 ← PRIVATE key: stays on your machine, never shared
# ~/.ssh/id_ed25519.pub ← PUBLIC key: safe to hand out, goes on servers
- The public key is like a padlock. You can make copies and leave them anywhere.
- The private key is the only key that opens those padlocks. You keep it, always.
What happens when you connect
You put your public key on the server (in ~/.ssh/authorized_keys). When you connect, the server uses that public padlock to issue a challenge only your matching private key can answer. Your private key answers it without being sent — the server just verifies the answer could only come from the holder of the private key.
Public key = a padlock you hand out freely. Private key = the one key that opens it, which never leaves you. Share the padlock, guard the key.
Guard the private key
Because the private key is your identity, protect it: set a passphrase when prompted, keep its file permissions tight (chmod 600 ~/.ssh/id_ed25519), and never paste it into a chat, repo, or email. Leaking the public key is harmless; leaking the private key means anyone can be you.
The mental model to keep
You hand out padlocks (public keys) to every server you want to reach and keep the single key that opens them (your private key) locked on your own machine. The secret never travels, which is exactly why key auth is both easier and far safer than passwords.
Stop reading, start building
This pairs with a hands-on BytExplorer course — do it on your own machine and actually keep the skill.