SSH key authentication replaces passwords with a cryptographic key pair. It's both more secure (keys can't be brute-forced like passwords) and more convenient (no typing passwords). Here's the complete workflow.
How it works
You generate a key pair: a private key that stays on your computer and a public key you place on the server. When you connect, the server uses the public key to verify you hold the matching private key — without the secret ever crossing the network.
1. Generate a key pair
ssh-keygen -t ed25519 -C "you@example.com"
Ed25519 is a modern, secure, fast key type. Add a passphrase when prompted for extra protection.
2. Copy the public key to your server
ssh-copy-id deploy@your-server-ip
Or manually append the contents of ~/.ssh/id_ed25519.pub to ~/.ssh/authorized_keys on the server.
3. Test, then disable password login
Confirm you can log in with the key, then edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
sudo systemctl reload ssh
Managing keys
- Use a different key per device so you can revoke one without affecting the others.
- Protect private keys with a passphrase and an SSH agent.
- To revoke access, remove that public key from
authorized_keys.
With key-only login enabled, brute-force password attacks against your VPS simply stop working. It's one of the highest-value security steps you can take.