Save 15% on All Hosting Services

Test your skills and get Discount on any hosting plan

Use code: Skills Get Started
FAQ’s Sections
Administration DNS Linux

Where Are SSH Keys Stored in Linux — And How to Manage Them Securely

SSH (Secure Shell) is one of the most critical tools in the Linux ecosystem. System administrators, developers, and DevOps engineers rely on it daily for remote server access, secure file transfers, deployment automation, and infrastructure management. While most users interact with SSH through a simple terminal command, the real security backbone lies in SSH key pairs — cryptographic credentials that enable passwordless authentication, automated workflows, and hardened access control.

Whether you're managing a single VPS Hosting instance or orchestrating access across dozens of Dedicated Servers, understanding exactly where SSH keys are stored — and how to manage them properly — is not optional. It's a foundational security requirement.

This guide covers everything: default key storage locations, system-wide host keys, custom configurations, permission requirements, and best practices for secure key management.

What Are SSH Keys and Why Do They Matter?

SSH keys use asymmetric cryptography to authenticate users and servers. Each key pair consists of:

  • Private key — kept secret on the client machine, never shared
  • Public key — placed on the remote server to verify identity

When you connect to a server, SSH uses a cryptographic handshake to verify that you hold the private key corresponding to the public key on the server — without ever transmitting the private key itself. This is fundamentally more secure than password-based authentication.

Default SSH Key Storage Location (User Keys)

For any standard Linux user, SSH keys are stored in a hidden directory within the home folder:

~/.ssh/

This expands to the full path:

/home/username/.ssh/

For the root user specifically:

/root/.ssh/

Common Files Inside ~/.ssh/

FilePurpose
id_rsaDefault RSA private key
id_rsa.pubMatching RSA public key
id_ecdsaECDSA private key
id_ed25519Ed25519 private key (recommended)
id_*.pubPublic key counterpart for any private key
authorized_keysList of public keys permitted to log in to this account
known_hostsFingerprints of previously connected servers
configUser-specific SSH client configuration

When you run ssh-keygen, keys are written to this directory by default unless you explicitly specify a different path during key generation.

System-Wide SSH Key Locations (Host Keys)

Beyond user keys, the SSH daemon (sshd) — the server-side component — maintains its own set of host keys. These are stored system-wide at:

/etc/ssh/

Host Key Files in /etc/ssh/

FilePurpose
ssh_host_rsa_keyRSA host private key
ssh_host_rsa_key.pubRSA host public key
ssh_host_ecdsa_keyECDSA host private key
ssh_host_ecdsa_key.pubECDSA host public key
ssh_host_ed25519_keyEd25519 host private key
ssh_host_ed25519_key.pubEd25519 host public key

These host keys serve a different purpose than user keys. When a client connects to a server for the first time, the server presents its host public key. The client stores this fingerprint in ~/.ssh/known_hosts. On subsequent connections, SSH verifies the fingerprint matches — protecting against man-in-the-middle attacks.

> Important: Host keys are generated automatically during SSH server installation. You should never need to manually create them, but you should know where they live for auditing and backup purposes.

Custom SSH Key Locations

You are not restricted to the default ~/.ssh/ directory. SSH keys can be generated and stored anywhere on the filesystem. To use a key stored in a non-default location, specify it explicitly:

ssh -i /path/to/custom_key user@host

Using ~/.ssh/config for Multiple Keys

Managing multiple servers, projects, or user accounts becomes much cleaner with a properly configured ~/.ssh/config file. This allows you to define per-host settings including which key to use:

Host production-server
    HostName 203.0.113.10
    User deploy
    IdentityFile ~/.ssh/production_ed25519

Host staging-server
    HostName 203.0.113.20
    User deploy
    IdentityFile ~/.ssh/staging_ed25519

Host github.com
    User git
    IdentityFile ~/.ssh/github_key

With this configuration, running ssh production-server automatically uses the correct key without any additional flags.

How SSH Keys Are Used: Client vs. Server

Outbound Connections (Client Side)

When you initiate an SSH connection, the SSH client searches for private keys in ~/.ssh/ by default. These keys are used to authenticate you to the remote server.

Tools that use SSH client keys include:

  • ssh — direct remote shell access
  • scp — secure file copy
  • rsync — file synchronization over SSH
  • git — when using SSH-based remote repositories

Inbound Connections (Server Side)

On the server, SSH checks a specific file to determine which users are authorized to connect:

~/.ssh/authorized_keys

This file contains one public key per line. Each entry grants the holder of the corresponding private key permission to log in as that user.

Practical example: If user alice wants to SSH into a server as user webadmin, Alice's public key must be present in /home/webadmin/.ssh/authorized_keys — not in Alice's own home directory on that server.

File Permissions — Critical for SSH Security

This is where many administrators make costly mistakes. SSH is deliberately strict about file permissions. If permissions are too open, SSH will silently refuse to use your keys or reject login attempts entirely.

Required Permission Settings

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.ssh/config

Permission Reference Table

PathRequired PermissionOctal
~/.ssh/Owner read/write/execute only700
~/.ssh/authorized_keysOwner read/write only600
~/.ssh/id_rsa (private key)Owner read/write only600
~/.ssh/id_rsa.pub (public key)Owner read, others read644
~/.ssh/configOwner read/write only600

To fix permissions in one command:

chmod 700 ~/.ssh && chmod 600 ~/.ssh/* && chmod 644 ~/.ssh/*.pub

Generating SSH Keys Securely

Always prefer Ed25519 over RSA for new keys. Ed25519 offers stronger security with shorter key sizes and faster performance.

ssh-keygen -t ed25519 -C "your_email@example.com"

For legacy systems that require RSA, use at least 4096 bits:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Always set a passphrase when prompted. A passphrase encrypts the private key on disk, so even if an attacker gains access to your filesystem, they cannot use the key without the passphrase.

Managing Keys with ssh-agent

Entering your passphrase every time you use an SSH key becomes impractical. ssh-agent solves this by caching decrypted keys in memory for the duration of your session.

Starting ssh-agent and Adding a Key

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

You'll be prompted for the passphrase once. After that, SSH operations use the cached key automatically.

Useful ssh-agent Commands

# List currently loaded keys
ssh-add -l

# Remove a specific key from the agent
ssh-add -d ~/.ssh/mykey

# Remove all keys from the agent
ssh-add -D

Copying Public Keys to Remote Servers

The easiest way to install your public key on a remote server is with ssh-copy-id:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-host

This appends your public key to ~/.ssh/authorized_keys on the remote server and sets correct permissions automatically.

If ssh-copy-id is unavailable, do it manually:

cat ~/.ssh/id_ed25519.pub | ssh user@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Auditing and Debugging SSH Key Issues

Verbose Connection Logging

When SSH authentication fails, verbose mode reveals exactly what's happening:

ssh -v user@host

For even more detail:

ssh -vvv user@host

This output shows which identity files were attempted, whether the agent was consulted, and where authentication failed.

Check the Server-Side SSH Log

On the remote server, SSH authentication events are logged to:

# Debian/Ubuntu
tail -f /var/log/auth.log

# CentOS/RHEL/Fedora
tail -f /var/log/secure

# Systems using journald
journalctl -u sshd -f

Verify Your authorized_keys File

# Check the file exists and has correct permissions
ls -la ~/.ssh/authorized_keys

# View its contents
cat ~/.ssh/authorized_keys

# Count how many keys are authorized
grep -c "ssh-" ~/.ssh/authorized_keys

SSH Key Security Best Practices

Proper key management goes beyond knowing where files are stored. Follow these practices on every system you manage:

1. Use One Key Per Purpose

Never reuse the same SSH key across different environments, clients, or projects. Use separate keys for personal access, deployment automation, and team shared access.

2. Rotate Keys Regularly

Treat SSH keys like passwords — rotate them periodically, especially after team member departures or suspected compromises.

3. Audit authorized_keys Files

Regularly review which public keys are authorized on each server. Remove any keys that belong to former employees, deprecated automation, or unrecognized sources:

# Find all authorized_keys files on a system
find / -name "authorized_keys" 2>/dev/null

4. Disable Password Authentication

Once SSH keys are configured, disable password-based SSH login entirely in /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password

Restart sshd after changes:

systemctl restart sshd

5. Restrict Root Key Usage

Avoid using root SSH keys across multiple environments. Use sudo-enabled user accounts with individual keys instead.

6. Use Certificate-Based Authentication for Scale

For large infrastructures, consider SSH certificates (via an SSH Certificate Authority) instead of managing individual authorized_keys entries. This dramatically simplifies access management across many servers.

SSH Keys in Cloud and Hosting Environments

When deploying servers in cloud or managed hosting environments, SSH key management becomes even more critical. Most platforms — including VPS Hosting providers — allow you to inject a public key at provisioning time, giving you immediate secure access without ever setting a password.

For teams managing multiple environments, consider pairing your SSH key strategy with a structured VPS Control Panels setup, which can simplify user management and access control across your infrastructure.

If you're running web applications or services that require secure communication beyond SSH, pairing your server setup with properly configured SSL Certificates ensures end-to-end encryption for all traffic — not just administrative access.

For teams that rely on Email Hosting alongside their server infrastructure, SSH key management extends to securing the systems that handle your mail — another reason why consistent key hygiene across all servers matters.

Quick Reference: SSH Key File Locations

LocationTypePurpose
~/.ssh/id_ed25519User private keyClient authentication
~/.ssh/id_ed25519.pubUser public keyDistributed to servers
~/.ssh/authorized_keysAuthorized public keysControls who can log in
~/.ssh/known_hostsServer fingerprintsPrevents MITM attacks
~/.ssh/configClient configurationPer-host settings
/etc/ssh/ssh_host_*Host keysServer identity
/etc/ssh/sshd_configDaemon configurationSSH server settings

Conclusion

Understanding where SSH keys are stored in Linux — and managing them with discipline — is one of the most important skills for anyone working with servers, whether you're a solo developer or part of a large operations team.

To summarize the key takeaways:

  • User keys live in ~/.ssh/ and are used for client-side authentication
  • Host keys live in /etc/ssh/ and identify the server to connecting clients
  • authorized_keys controls inbound access — audit it regularly
  • File permissions are non-negotiable — incorrect permissions silently break SSH
  • Ed25519 is the preferred key type for new key generation
  • Always use passphrases and ssh-agent for day-to-day key management
  • Rotate and audit keys as part of your regular security hygiene

On production systems — whether you're running Dedicated Servers or shared infrastructure — mismanaging SSH keys is one of the most common vectors for unauthorized access. The investment of time in getting this right pays dividends in security, reliability, and peace of mind.

Treat your SSH keys with the same care you'd give to any critical credential. Because that's exactly what they are.