OpenSSH Change a Passphrase With ssh-keygen command

How do I change OpenSSH passphrase for one of my private keys under Linux, OpenBSD, FreeBSD, Apple macOS/OS X or Unix-like operating systems?

You need to use the ssh-keygen command, which generates, manages and converts authentication keys for ssh. You should see the following files in the $HOME/.ssh or ~/.ssh directory, that is, /home/$USER/.ssh/. Let us see how to change an ssh passphrase with the ssh-keygen command on Linux or Unix-like systems.

Tutorial details
Difficulty level: Easy
Root privileges: No
Requirements: ssh on Linux/macOS/Unix

Listing ssh keys to change the passphrase for an SSH key

Typically, private key names start with id_rsa, id_ed25519 or id_dsa, and they are protected with a passphrase. However, users can name their keys anything. In the above example, for my Intel NUC, I named the RSA keys as follows:

  • intel_nuc_debian – Private RSA key
  • – Public RSA key

How to change a ssh passphrase

The procedure is as follows for OpenSSH to change a passphrase:

  1. Open the terminal application
  2. To change the passphrase for the default SSH private key:
    ssh-keygen -p
  3. You can specify the filename of the key file:
    ssh-keygen -p -f ~/.ssh/intel_nuc_debian

Let us see all examples in detail.

Please note that you must know the old passphrase to set up a new one. Currently, there is no way to reset forgotten ssh passphrases. Therefore, this page is about changing the existing passphrase and not about recovering OpenSSH passphrase-protected private keys.

OpenSSH Change a Passphrase ssh-keygen command

The -p option requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. Use the -f {filename} option to specify the filename of the key file. For example, change directory to $HOME/.ssh. Open the Terminal app and then type the cd command:
$ cd ~/.ssh/
To change the passphrase of a DSA key, enter:
$ ssh-keygen -f id_dsa -p
For an ed25519 key:
$ ssh-keygen -f id_ed25519 -p
To change the passphrase of an RSA key, enter:
$ ssh-keygen -f id_rsa -p

Animated gif 01: Changing your openssh passphrase


Removing a Passphrase with ssh-keygen

The syntax is the same, but to remove the existing passphrase, hit the Enter key twice at the steps where you are asked to enter the new one and then confirm it:
ssh-keygen -f ~/.ssh/id_rsa -p
ssh-keygen -f ~/.ssh/aws_cloud_automation -p


Removing the existing ssh key passphrase by simply hitting Enter key twice instead of setting up a new one

However, you can supply an empty passphrase with the -N option as follows, which saves hitting the Enter key twice:
ssh-keygen -p -N ""
ssh-keygen -f ~/.ssh/aws_cloud_automation -p -N ""
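Once passphrases can be removed this way, it helps to know which private keys on a machine no longer have one. The script below is an added example, not part of the original tutorial: it lists private keys in a directory that load with an empty passphrase. The function names are illustrative, and it assumes the key files have the usual owner-only permissions.

```shell
#!/bin/sh
# Added example: list private keys in a directory that have NO passphrase.
# Function names are illustrative, not from the tutorial or from OpenSSH.

# is_private_key FILE
# True if the first line is a PEM/OpenSSH private-key header, e.g.
# "-----BEGIN OPENSSH PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----".
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'
}

# has_empty_passphrase FILE
# True if the key can be loaded with an empty passphrase.
# -y only derives the public key, so the key file is never modified.
# -P "" supplies the passphrase, so ssh-keygen never prompts.
has_empty_passphrase() {
    ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# find_unprotected_keys [DIR]
# Print one path per private key in DIR (default ~/.ssh) that has no
# passphrase. Public keys, known_hosts, config and so on are skipped.
# A key that ssh-keygen refuses to load for another reason (for example
# group/world-readable permissions) is not reported.
find_unprotected_keys() {
    dir=${1:-"$HOME/.ssh"}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_private_key "$f" || continue
        if has_empty_passphrase "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# When run as a script with a directory argument, audit that directory.
if [ "$#" -gt 0 ]; then
    find_unprotected_keys "$1"
fi
```

Run it as `sh audit_keys.sh ~/.ssh` (the script name is an assumption), or source it and call find_unprotected_keys directly.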

Summing up

You learned about changing or removing ssh passphrases for private keys using the ssh-keygen command. The ssh-keygen command comes with many options, and you can read about them online in the documentation section or by typing the following man command:
man ssh-keygen


Posted by Contributor