SSH keys are your passport to a more secure and streamlined Git workflow, letting you push and pull without repeatedly typing your username and password.
Let’s see this in action. Imagine you’re on your local machine, ready to push a change to a repository hosted on GitHub. Instead of a password prompt, you’ll see something like this:
$ git push origin main
Enter passphrase for key '/home/user/.ssh/id_rsa':
If you’ve set things up correctly, after entering your passphrase (if you set one), the push will happen seamlessly. The same applies to GitLab.
The core problem SSH keys solve is authentication without exposing your password. When you connect to a Git remote (like GitHub or GitLab) using SSH, your local machine uses a private key to prove its identity to the remote server. The remote server, which has the corresponding public key, verifies this proof. This is a form of asymmetric cryptography.
Here’s how to set it up:
Generating Your SSH Key Pair
First, you need to generate a pair of keys: a private key (which you keep secret on your machine) and a public key (which you’ll give to GitHub and GitLab).
On your local machine, open your terminal and run:
ssh-keygen -t ed25519 -C "your_email@example.com"
- -t ed25519: This specifies the algorithm to use. Ed25519 is a modern, secure, and fast choice. You could also use rsa with a larger bit size, like ssh-keygen -t rsa -b 4096 -C "your_email@example.com".
- -C "your_email@example.com": This is a comment that helps you identify the key later, typically your email address.
The command will prompt you for a file to save the key. The default (~/.ssh/id_ed25519 or ~/.ssh/id_rsa) is usually fine. Press Enter to accept the default.
Next, it will ask for a passphrase. This adds an extra layer of security. If someone gains access to your private key file, they still need the passphrase to use it. It’s highly recommended to set a strong passphrase.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
After this, you’ll see output indicating the key has been generated:
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:.......................................... your_email@example.com
The key's randomart image is:
+--[ED25519 256]--+
| . |
| + . |
| . = . |
| . * * . |
| . * S + . |
| = B o . |
| = O o . |
| E * . |
| .o.. |
+------------------+
You now have two files in your ~/.ssh/ directory: id_ed25519 (your private key) and id_ed25519.pub (your public key). NEVER share your private key.
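A check for the two protections described above (keeping the private key file to yourself and setting a passphrase), added here as an example that is not part of the original page. It reads the OpenSSH private key header, whose cipher name is none when no passphrase was set, and flags files readable by other users; the function names and the header-only sample are constructed for illustration.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key file")
    return buf[off + 4:end], end


def key_cipher(pem_text):
    """Return (ciphername, kdfname) from an OpenSSH-format private key file."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = _read_string(raw, len(MAGIC))
    kdf, _ = _read_string(raw, off)
    return cipher.decode(), kdf.decode()


def audit_key(path):
    """List findings for one private key file: loose permissions, no passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: readable by group/others, use 0600")
    with open(path, encoding="ascii") as fh:
        cipher, _kdf = key_cipher(fh.read())
    if cipher == "none":
        findings.append("no passphrase: key material is stored unencrypted")
    return findings


def make_sample_key(cipher=b"none", kdf=b"none"):
    """Constructed header-only sample (contains no key material) for offline runs."""
    body = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf, b""))
    return f"{BEGIN}\n{base64.b64encode(body).decode()}\n{END}\n"
```

Call audit_key on ~/.ssh/id_ed25519 (expanded with os.path.expanduser); an empty list means neither problem was found. Keys in the older PEM format are rejected with ValueError rather than guessed at.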
Adding Your Public Key to GitHub
- Copy your public key:
  On Linux/macOS:
  cat ~/.ssh/id_ed25519.pub
  Copy the entire output, which starts with ssh-ed25519 (or ssh-rsa) and ends with your email.
  On Windows (using Git Bash):
  cat ~/.ssh/id_ed25519.pub
  Or, you can use clip < ~/.ssh/id_ed25519.pub to copy it directly to your clipboard.
- Add to GitHub:
  - Go to GitHub.com and log in.
  - Click your profile picture in the top-right corner, then click "Settings."
  - In the left sidebar, click "SSH and GPG keys."
  - Click "New SSH key" or "Add SSH key."
  - Give it a descriptive "Title" (e.g., "My Work Laptop" or "Home Desktop").
  - Paste your copied public key into the "Key" field.
  - Click "Add SSH key."
Adding Your Public Key to GitLab
- Copy your public key: Use the same cat command as for GitHub.
- Add to GitLab:
  - Go to GitLab.com (or your self-hosted GitLab instance) and log in.
  - Click your profile picture in the top-right corner, then click "Settings."
  - In the left sidebar, click "SSH Keys."
  - Paste your copied public key into the "Key" field.
  - Give it a descriptive "Title" (e.g., "My Personal PC").
  - You can optionally set an expiration date.
  - Click "Add key."
Testing Your Connection
Now, you can test if your SSH connection is working correctly.
For GitHub:
ssh -T git@github.com
For GitLab:
ssh -T git@gitlab.com
You might see a message like this the first time you connect:
The authenticity of host 'github.com (IP ADDRESS)' can't be established.
ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes and press Enter. This adds the server’s fingerprint to your ~/.ssh/known_hosts file.
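Before answering yes, the fingerprint in the prompt should match the one the service publishes. The added example below (not part of the original page) shows how that SHA256 fingerprint is derived from a host key line in ssh-keyscan or known_hosts format and compares it with a pinned value; the pinned GitHub value is the one quoted above, and the sample key and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Fingerprint quoted in the prompt above for github.com (value taken from this page).
PINNED = {"github.com": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"}


def parse_host_key(line):
    """Split a 'host keytype base64blob' line (ssh-keyscan / known_hosts format)."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line is malformed or has been altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match declared type")
    return hosts.split(","), key_type, blob


def fingerprint(blob):
    """SHA256 fingerprint as OpenSSH prints it: base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_line(line, pinned=PINNED):
    """Return (host, status) pairs; status is 'match', 'MISMATCH' or 'unpinned'."""
    hosts, _key_type, blob = parse_host_key(line)
    seen = fingerprint(blob)
    results = []
    for host in hosts:
        want = pinned.get(host)
        if want is None:
            status = "unpinned"
        else:
            status = "match" if seen == want else "MISMATCH"
        results.append((host, status))
    return results


def make_sample_line(host, raw_key=bytes(range(32))):
    """Constructed ed25519 line for offline demonstration (not a real server key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"
```

Each line printed by ssh-keyscan -t ed25519 github.com can be passed to check_line. The scan itself is unauthenticated, so the trust comes from the pinned value, which should be taken from the service's documentation.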
If successful, you’ll see a message like:
For GitHub:
Hi YourUsername! You've successfully authenticated, but GitHub does not provide shell access.
For GitLab:
Welcome to GitLab, @YourUsername!
Configuring Git Remotes
If you have existing repositories cloned using HTTPS, you’ll need to switch them to SSH.
- Check your current remote URL:
  git remote -v
  This will show something like:
  origin https://github.com/yourusername/your-repo.git (fetch)
  origin https://github.com/yourusername/your-repo.git (push)
- Change the remote URL to SSH:
  git remote set-url origin git@github.com:yourusername/your-repo.git
  (Replace git@github.com:yourusername/your-repo.git with the appropriate SSH URL for your repository on GitHub or GitLab.)
  You can find the SSH URL on your repository’s page on GitHub or GitLab. It typically looks like git@hostname:username/repository.git.
After this, git remote -v should show:
origin git@github.com:yourusername/your-repo.git (fetch)
origin git@github.com:yourusername/your-repo.git (push)
Now, when you git push, git pull, or git fetch, Git will use your SSH key for authentication. If you set a passphrase for your key, you’ll be prompted for it.
The SSH agent is a background program that holds your private keys in memory, so you don’t have to type your passphrase every time you use the key. To start it and add your key:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
You’ll be prompted for your passphrase once, and then the agent will handle authentication for the rest of your session.
The next hurdle is often managing multiple SSH keys for different services or accounts.