SSH key authentication replaces passwords with a cryptographic key pair. It's both more secure (keys can't be brute-forced like passwords) and more convenient (no typing passwords). Here's the complete workflow.

How it works

You generate a key pair: a private key that stays on your computer and a public key you place on the server. When you connect, the server uses the public key to verify you hold the matching private key — without the secret ever crossing the network.

1. Generate a key pair

ssh-keygen -t ed25519 -C "you@example.com"

Ed25519 is a modern, secure, fast key type. Add a passphrase when prompted for extra protection.

2. Copy the public key to your server

ssh-copy-id deploy@your-server-ip

Or manually append the contents of ~/.ssh/id_ed25519.pub to ~/.ssh/authorized_keys on the server.

3. Test, then disable password login

Confirm you can log in with the key, then edit /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
sudo systemctl reload ssh

Managing keys

  • Use a different key per device so you can revoke one without affecting the others.
  • Protect private keys with a passphrase and an SSH agent.
  • To revoke access, remove that public key from authorized_keys.

With key-only login enabled, brute-force password attacks against your VPS simply stop working. It's one of the highest-value security steps you can take.