Skip to main content
IMHCloud Logo
Back to glossary

SSH Key Pairs

An SSH key pair is a set of two cryptographic files (a public key and a private key) used to authenticate your identity when connecting to remote servers without typing a password.

Security

What is an SSH Key Pair in cloud hosting?

An SSH key pair is a set of two cryptographic files that work together to verify your identity when connecting to a remote server. The pair consists of a public key, which you place on servers you want to access, and a private key, which stays on your local machine and must never be shared.

When you connect to a server using SSH (Secure Shell), the server checks whether your private key matches the public key stored on that server. If the keys match, the server grants access without requiring a password. This method is both more secure and more convenient than password authentication because the private key is extremely difficult to guess or brute force.

Why SSH Key Pairs Exist

SSH key pairs solve two problems: weak passwords and inconvenient authentication.

Passwords can be guessed, leaked, or stolen through phishing. Even strong passwords are vulnerable to brute force attacks if a server allows unlimited login attempts. SSH keys use cryptographic algorithms that make guessing the correct key computationally infeasible. A typical SSH key has 2048 to 4096 bits of entropy, far exceeding what any password could provide.

Passwords are also inconvenient for automation. If you run scripts that connect to servers, you would need to store passwords in plain text or type them manually. SSH keys allow passwordless authentication, enabling automated deployments, backups, and monitoring without human intervention.

What Do SSH Key Pairs Actually Do?

  • Proves your identity to a server without transmitting a secret over the network
  • Encrypts the authentication handshake so attackers cannot intercept credentials
  • Eliminates password entry for interactive and automated connections
  • Allows selective access by adding your public key only to servers you should access
  • Supports key rotation by generating new pairs and replacing old public keys on servers
  • Enables passphrase protection so even a stolen private key file remains useless without the passphrase

When would I use an SSH key pair?

You would use an SSH key pair when connecting to Linux instances in your cloud environment. Most cloud providers require or strongly recommend key-based authentication when you provision a new instance.

Common scenarios include:

  • Logging into a cloud instance from your terminal to run commands or troubleshoot
  • Running deployment scripts that copy files or restart services on remote servers
  • Configuring CI/CD pipelines that need to connect to staging or production servers
  • Accessing jump hosts (bastion servers) that act as gateways to private instances
  • Managing multiple servers where typing passwords repeatedly would be impractical

When would I not use an SSH key pair?

You might not use SSH key pairs in situations where password authentication is explicitly required by policy, such as certain compliance environments that mandate multi-factor authentication through a separate system.

SSH keys are also unnecessary when:

  • You access servers only through a web-based console provided by your cloud platform
  • You use a different authentication mechanism such as certificates managed by a corporate identity system
  • The server does not run an SSH daemon (for example, Windows servers using RDP by default)

Be cautious about storing private keys on shared computers. If multiple people have access to a machine where your private key resides, they could potentially use it to access servers. In shared environments, consider hardware security keys or short-lived certificates instead.

Real-world example

Company A runs a web application on three Linux instances inside their Virtual Private Cloud. Each developer on the team generates their own SSH key pair on their laptop. The operations team collects the public keys and adds them to the authorized_keys file on each instance.

When developer Sarah needs to deploy a code update, she runs ssh deploy@web-server-1 from her terminal. The server checks her public key against its authorized list, confirms the match with her private key, and grants access. Sarah never types a password, and the authentication happens in under a second.

When a developer leaves the company, the operations team removes their public key from all servers. The former employee's private key becomes useless because no server will accept it.

Frequently Asked Questions

Do I need a separate SSH key pair for each server? No. You can use the same public key on multiple servers. The key pair identifies you, not the server. However, some organizations create separate key pairs for different environments (such as production versus development) to limit exposure if one key is compromised.

What happens if I lose my private key? You will lose access to any server that only has the corresponding public key. You must generate a new key pair and add the new public key to each server through another access method, such as a cloud console or asking an administrator.

Can someone access my servers if they steal my public key? No. The public key is designed to be shared and cannot authenticate on its own. Only the private key can complete the authentication process. However, if someone steals your private key (and it has no passphrase), they can access your servers.

Should I add a passphrase to my private key? Yes, especially if your laptop could be lost or stolen. A passphrase encrypts the private key file, so an attacker would need both the file and the passphrase. Use an SSH agent to avoid typing the passphrase repeatedly during a session.

How do I create an SSH key pair? Run ssh-keygen -t ed25519 on Linux or macOS (or use PuTTYgen on Windows). The command creates two files: a private key (such as id_ed25519) and a public key (such as id_ed25519.pub). Copy the public key contents to the server's ~/.ssh/authorized_keys file.

Summary

  • An SSH key pair consists of a public key (shared with servers) and a private key (kept secret on your machine)
  • Key pairs authenticate your identity without passwords, making connections more secure and convenient
  • You place your public key on servers you need to access; your private key proves you own that public key
  • SSH keys enable automated scripts and deployments without storing passwords
  • Protect your private key with a passphrase and never share it with anyone

Related terms

  • SSH (Secure Shell) is a network protocol that establishes encrypted connections between computers, such as connecting from your laptop to a cloud instance over the internet.
  • Public key is the portion of the key pair you share with servers, such as adding it to the ~/.ssh/authorized_keys file on a Linux instance.
  • Private key is the portion of the key pair you keep secret on your local machine, such as the id_rsa or id_ed25519 file in your ~/.ssh/ directory.
  • Instance is a virtual machine running in the cloud, such as a Linux server you provision in a Virtual Private Cloud.
  • Passphrase is an optional password that encrypts your private key file, such as a phrase you type when loading the key into an SSH agent.