Where Are SSH Keys Stored in Linux — And How to Manage Them Securely
SSH (Secure Shell) is one of the most critical tools in the Linux ecosystem. System administrators, developers, and DevOps engineers rely on it daily for remote server access, secure file transfers, deployment automation, and infrastructure management. While most users interact with SSH through a simple terminal command, the real security backbone lies in SSH key pairs — cryptographic credentials that enable passwordless authentication, automated workflows, and hardened access control.
Whether you're managing a single VPS Hosting instance or orchestrating access across dozens of Dedicated Servers, understanding exactly where SSH keys are stored — and how to manage them properly — is not optional. It's a foundational security requirement.
This guide covers everything: default key storage locations, system-wide host keys, custom configurations, permission requirements, and best practices for secure key management.
What Are SSH Keys and Why Do They Matter?
SSH keys use asymmetric cryptography to authenticate users and servers. Each key pair consists of:
- Private key — kept secret on the client machine, never shared
- Public key — placed on the remote server to verify identity
When you connect to a server, SSH uses a cryptographic handshake to verify that you hold the private key corresponding to the public key on the server — without ever transmitting the private key itself. This is fundamentally more secure than password-based authentication.
Default SSH Key Storage Location (User Keys)
For any standard Linux user, SSH keys are stored in a hidden directory within the home folder:
~/.ssh/This expands to the full path:
/home/username/.ssh/For the root user specifically:
/root/.ssh/Common Files Inside ~/.ssh/
| File | Purpose |
|---|---|
id_rsa | Default RSA private key |
id_rsa.pub | Matching RSA public key |
id_ecdsa | ECDSA private key |
id_ed25519 | Ed25519 private key (recommended) |
id_*.pub | Public key counterpart for any private key |
authorized_keys | List of public keys permitted to log in to this account |
known_hosts | Fingerprints of previously connected servers |
config | User-specific SSH client configuration |
When you run ssh-keygen, keys are written to this directory by default unless you explicitly specify a different path during key generation.
System-Wide SSH Key Locations (Host Keys)
Beyond user keys, the SSH daemon (sshd) — the server-side component — maintains its own set of host keys. These are stored system-wide at:
/etc/ssh/Host Key Files in /etc/ssh/
| File | Purpose |
|---|---|
ssh_host_rsa_key | RSA host private key |
ssh_host_rsa_key.pub | RSA host public key |
ssh_host_ecdsa_key | ECDSA host private key |
ssh_host_ecdsa_key.pub | ECDSA host public key |
ssh_host_ed25519_key | Ed25519 host private key |
ssh_host_ed25519_key.pub | Ed25519 host public key |
These host keys serve a different purpose than user keys. When a client connects to a server for the first time, the server presents its host public key. The client stores this fingerprint in ~/.ssh/known_hosts. On subsequent connections, SSH verifies the fingerprint matches — protecting against man-in-the-middle attacks.
> Important: Host keys are generated automatically during SSH server installation. You should never need to manually create them, but you should know where they live for auditing and backup purposes.
Custom SSH Key Locations
You are not restricted to the default ~/.ssh/ directory. SSH keys can be generated and stored anywhere on the filesystem. To use a key stored in a non-default location, specify it explicitly:
ssh -i /path/to/custom_key user@hostUsing ~/.ssh/config for Multiple Keys
Managing multiple servers, projects, or user accounts becomes much cleaner with a properly configured ~/.ssh/config file. This allows you to define per-host settings including which key to use:
Host production-server
HostName 203.0.113.10
User deploy
IdentityFile ~/.ssh/production_ed25519
Host staging-server
HostName 203.0.113.20
User deploy
IdentityFile ~/.ssh/staging_ed25519
Host github.com
User git
IdentityFile ~/.ssh/github_keyWith this configuration, running ssh production-server automatically uses the correct key without any additional flags.
How SSH Keys Are Used: Client vs. Server
Outbound Connections (Client Side)
When you initiate an SSH connection, the SSH client searches for private keys in ~/.ssh/ by default. These keys are used to authenticate you to the remote server.
Tools that use SSH client keys include:
ssh— direct remote shell accessscp— secure file copyrsync— file synchronization over SSHgit— when using SSH-based remote repositories
Inbound Connections (Server Side)
On the server, SSH checks a specific file to determine which users are authorized to connect:
~/.ssh/authorized_keysThis file contains one public key per line. Each entry grants the holder of the corresponding private key permission to log in as that user.
Practical example: If user alice wants to SSH into a server as user webadmin, Alice's public key must be present in /home/webadmin/.ssh/authorized_keys — not in Alice's own home directory on that server.
File Permissions — Critical for SSH Security
This is where many administrators make costly mistakes. SSH is deliberately strict about file permissions. If permissions are too open, SSH will silently refuse to use your keys or reject login attempts entirely.
Required Permission Settings
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.ssh/configPermission Reference Table
| Path | Required Permission | Octal |
|---|---|---|
~/.ssh/ | Owner read/write/execute only | 700 |
~/.ssh/authorized_keys | Owner read/write only | 600 |
~/.ssh/id_rsa (private key) | Owner read/write only | 600 |
~/.ssh/id_rsa.pub (public key) | Owner read, others read | 644 |
~/.ssh/config | Owner read/write only | 600 |
To fix permissions in one command:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/* && chmod 644 ~/.ssh/*.pubGenerating SSH Keys Securely
Always prefer Ed25519 over RSA for new keys. Ed25519 offers stronger security with shorter key sizes and faster performance.
ssh-keygen -t ed25519 -C "your_email@example.com"For legacy systems that require RSA, use at least 4096 bits:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"Always set a passphrase when prompted. A passphrase encrypts the private key on disk, so even if an attacker gains access to your filesystem, they cannot use the key without the passphrase.
Managing Keys with ssh-agent
Entering your passphrase every time you use an SSH key becomes impractical. ssh-agent solves this by caching decrypted keys in memory for the duration of your session.
Starting ssh-agent and Adding a Key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519You'll be prompted for the passphrase once. After that, SSH operations use the cached key automatically.
Useful ssh-agent Commands
# List currently loaded keys
ssh-add -l
# Remove a specific key from the agent
ssh-add -d ~/.ssh/mykey
# Remove all keys from the agent
ssh-add -DCopying Public Keys to Remote Servers
The easiest way to install your public key on a remote server is with ssh-copy-id:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-hostThis appends your public key to ~/.ssh/authorized_keys on the remote server and sets correct permissions automatically.
If ssh-copy-id is unavailable, do it manually:
cat ~/.ssh/id_ed25519.pub | ssh user@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"Auditing and Debugging SSH Key Issues
Verbose Connection Logging
When SSH authentication fails, verbose mode reveals exactly what's happening:
ssh -v user@hostFor even more detail:
ssh -vvv user@hostThis output shows which identity files were attempted, whether the agent was consulted, and where authentication failed.
Check the Server-Side SSH Log
On the remote server, SSH authentication events are logged to:
# Debian/Ubuntu
tail -f /var/log/auth.log
# CentOS/RHEL/Fedora
tail -f /var/log/secure
# Systems using journald
journalctl -u sshd -fVerify Your authorized_keys File
# Check the file exists and has correct permissions
ls -la ~/.ssh/authorized_keys
# View its contents
cat ~/.ssh/authorized_keys
# Count how many keys are authorized
grep -c "ssh-" ~/.ssh/authorized_keysSSH Key Security Best Practices
Proper key management goes beyond knowing where files are stored. Follow these practices on every system you manage:
1. Use One Key Per Purpose
Never reuse the same SSH key across different environments, clients, or projects. Use separate keys for personal access, deployment automation, and team shared access.
2. Rotate Keys Regularly
Treat SSH keys like passwords — rotate them periodically, especially after team member departures or suspected compromises.
3. Audit authorized_keys Files
Regularly review which public keys are authorized on each server. Remove any keys that belong to former employees, deprecated automation, or unrecognized sources:
# Find all authorized_keys files on a system
find / -name "authorized_keys" 2>/dev/null4. Disable Password Authentication
Once SSH keys are configured, disable password-based SSH login entirely in /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-passwordRestart sshd after changes:
systemctl restart sshd5. Restrict Root Key Usage
Avoid using root SSH keys across multiple environments. Use sudo-enabled user accounts with individual keys instead.
6. Use Certificate-Based Authentication for Scale
For large infrastructures, consider SSH certificates (via an SSH Certificate Authority) instead of managing individual authorized_keys entries. This dramatically simplifies access management across many servers.
SSH Keys in Cloud and Hosting Environments
When deploying servers in cloud or managed hosting environments, SSH key management becomes even more critical. Most platforms — including VPS Hosting providers — allow you to inject a public key at provisioning time, giving you immediate secure access without ever setting a password.
For teams managing multiple environments, consider pairing your SSH key strategy with a structured VPS Control Panels setup, which can simplify user management and access control across your infrastructure.
If you're running web applications or services that require secure communication beyond SSH, pairing your server setup with properly configured SSL Certificates ensures end-to-end encryption for all traffic — not just administrative access.
For teams that rely on Email Hosting alongside their server infrastructure, SSH key management extends to securing the systems that handle your mail — another reason why consistent key hygiene across all servers matters.
Quick Reference: SSH Key File Locations
| Location | Type | Purpose |
|---|---|---|
~/.ssh/id_ed25519 | User private key | Client authentication |
~/.ssh/id_ed25519.pub | User public key | Distributed to servers |
~/.ssh/authorized_keys | Authorized public keys | Controls who can log in |
~/.ssh/known_hosts | Server fingerprints | Prevents MITM attacks |
~/.ssh/config | Client configuration | Per-host settings |
/etc/ssh/ssh_host_* | Host keys | Server identity |
/etc/ssh/sshd_config | Daemon configuration | SSH server settings |
Conclusion
Understanding where SSH keys are stored in Linux — and managing them with discipline — is one of the most important skills for anyone working with servers, whether you're a solo developer or part of a large operations team.
To summarize the key takeaways:
- User keys live in
~/.ssh/and are used for client-side authentication - Host keys live in
/etc/ssh/and identify the server to connecting clients authorized_keyscontrols inbound access — audit it regularly- File permissions are non-negotiable — incorrect permissions silently break SSH
- Ed25519 is the preferred key type for new key generation
- Always use passphrases and
ssh-agentfor day-to-day key management - Rotate and audit keys as part of your regular security hygiene
On production systems — whether you're running Dedicated Servers or shared infrastructure — mismanaging SSH keys is one of the most common vectors for unauthorized access. The investment of time in getting this right pays dividends in security, reliability, and peace of mind.
Treat your SSH keys with the same care you'd give to any critical credential. Because that's exactly what they are.
on All Hosting Services