OpenSSH Change a Passphrase With ssh-keygen command

How do I change OpenSSH passphrase for one of my private keys under Linux, OpenBSD, FreeBSD, Apple macOS/OS X or Unix-like operating systems?

You need to use the ssh-keygen command, which generates, manages and converts authentication keys for ssh. You should see the files listed below in the $HOME/.ssh or ~/.ssh directory, that is, /home/$USER/.ssh/. Let us see how to change an ssh passphrase with the ssh-keygen command on Linux or Unix-like systems.
Tutorial details

  • Difficulty level: Easy
  • Root privileges: No
  • Requirements: Linux terminal
  • Category: Terminal/ssh
  • Prerequisites: ssh-keygen command
  • OS compatibility: *BSD, Linux, macOS, Unix, WSL
  • Est. reading time: 4 minutes

Listing OpenSSH private and public ssh keys

You can use the ls -l $HOME/.ssh/ command to see the following files:

  • id_dsa.* : DSA keys for authentication.
  • id_rsa.* : RSA keys for authentication.
  • id_ed25519.* : EdDSA keys for authentication.
  • id_ecdsa_sk.* : OpenSSH FIDO device keys for authentication.
  • id_ed25519_sk.* : OpenSSH FIDO device keys for authentication.

For example, try the ls command as follows:
$ ls -l ~/.ssh/
$ ls -l ~/.ssh/id_*

How do I change my private key passphrase

Listing ssh keys to change the passphrase for an SSH key

Typically, private key names start with id_rsa, id_ed25519 or id_dsa, and they are protected with a passphrase. However, users can name their keys anything. In the above example, for my Intel NUC, I named the RSA keys as follows:

  • intel_nuc_debian – Private RSA key
  • intel_nuc_debian.pub – Public RSA key

How to change a ssh passphrase for private key

The procedure to change a passphrase with OpenSSH is as follows:

  1. Open the terminal application
  2. To change the passphrase for default SSH private key:
    ssh-keygen -p
  3. First, enter the old passphrase and then type a new passphrase two times.
  4. You can specify the filename of the key file:
    ssh-keygen -p -f ~/.ssh/intel_nuc_debian

Let us see all examples for changing a passphrase with the ssh-keygen command in detail.

WARNING! Please note that you must know the old passphrase to set up a new one. Currently, there is no way to reset forgotten ssh passphrases. Therefore, this page is about changing the existing passphrase and not about recovering OpenSSH passphrase-protected private keys.

OpenSSH Change a Passphrase ssh-keygen command

The -p option requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. Use the -f {filename} option to specify the filename of the key file. For example, change directory to $HOME/.ssh. Open the Terminal app and then type the cd command:
$ cd ~/.ssh/
To change DSA passphrase, enter:
$ ssh-keygen -f id_dsa -p
For ed25519 key:
$ ssh-keygen -f id_ed25519 -p
To change the RSA passphrase, enter:
$ ssh-keygen -f id_rsa -p
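
The same passphrase change scripted on a throwaway key, as an added example that is not part of the original tutorial: it confirms that the old passphrase stops working while the public key stays the same. The function names, demo passphrases and temporary path are assumptions; -P (old passphrase) and -N (new passphrase) put the values in the process list, so they are used here only on a disposable key.

```shell
#!/bin/sh
# Added example: change the passphrase of a disposable key without prompts
# and check what changed. Passphrases and paths are constructed for the demo.

# Print "<type> <base64>" of the public key, or nothing if the passphrase
# ($2) cannot decrypt the private key file ($1).
pubkey_of() {
    ssh-keygen -y -f "$1" -P "$2" 2>/dev/null | awk '{print $1, $2}'
}

# Hypothetical helper: prints "unchanged" when the public key survives the
# passphrase change and the old passphrase is rejected afterwards.
rotate_demo() {
    dir=$(mktemp -d) || return 1
    key="$dir/demo_ed25519"
    old='old demo phrase'
    new='new demo phrase'

    ssh-keygen -q -t ed25519 -C demo -N "$old" -f "$key" >/dev/null 2>&1 ||
        { rm -rf "$dir"; return 1; }
    before=$(pubkey_of "$key" "$old")

    # Non-interactive form of "ssh-keygen -p -f <key>".
    ssh-keygen -p -f "$key" -P "$old" -N "$new" >/dev/null 2>&1 ||
        { rm -rf "$dir"; return 1; }
    after=$(pubkey_of "$key" "$new")
    stale=$(pubkey_of "$key" "$old")   # must be empty now

    rm -rf "$dir"
    if [ -n "$before" ] && [ "$before" = "$after" ] && [ -z "$stale" ]; then
        echo unchanged
    else
        echo mismatch
        return 1
    fi
}

rotate_demo || echo "demo failed (is ssh-keygen installed?)" >&2
```

Because only the encryption of the private key file changes, the matching .pub file and any authorized_keys entries on servers stay valid.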

Animated gif 01: Changing your openssh passphrase


Removing a Passphrase with ssh-keygen

The syntax is the same, but to remove the existing passphrase, hit the Enter key twice at the steps where you are asked to enter the new one and then confirm it:
$ ssh-keygen -f ~/.ssh/id_rsa -p
$ ssh-keygen -f ~/.ssh/aws_cloud_automation -p

Removing the existing ssh key passphrase by simply hitting Enter key twice instead of setting up a new one

However, you can pass an empty new passphrase with the -N option as follows, which saves hitting the Enter key twice:
$ ssh-keygen -p -N ""
$ ssh-keygen -f ~/.ssh/aws_cloud_automation -p -N ""
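
A key left without a passphrase is stored unencrypted on disk, so it helps to know which keys are in that state. The following added example (not from the original tutorial; the function names and status labels are made up for illustration) reports, for each private key in a directory, whether ssh-keygen can read it with an empty passphrase.

```shell
#!/bin/sh
# Added example: list private keys and whether a passphrase protects them.
# key_protection and audit_ssh_dir are hypothetical helper names.

# $1 = candidate file
# prints: not-a-key | loose-permissions | unprotected | protected
key_protection() {
    # Private key files start with a "-----BEGIN ... PRIVATE KEY-----" line.
    head -n 1 "$1" 2>/dev/null | grep -q 'PRIVATE KEY-----' ||
        { echo not-a-key; return; }

    # ssh-keygen refuses keys readable by group or others before it even
    # tries the passphrase, so report that case separately.
    case $(ls -ldL "$1") in
        -???------*) ;;
        *) echo loose-permissions; return ;;
    esac

    # With -P '' the public key can be derived only from an unencrypted file.
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        echo unprotected
    else
        echo protected
    fi
}

# $1 = directory to scan (defaults to ~/.ssh); prints "<state><TAB><file>".
audit_ssh_dir() {
    for f in "${1:-$HOME/.ssh}"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        [ "$state" = not-a-key ] || printf '%s\t%s\n' "$state" "$f"
    done
}

audit_ssh_dir "$@"
```

Keys reported as loose-permissions need chmod 600 before the passphrase check can give an answer.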

Summing up

You learned about changing or removing ssh passphrases for private keys using the ssh-keygen command. The ssh-keygen command comes with many options, and you can read about them online in the documentation section or type the following man command:
$ man ssh-keygen


I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

16 comments
  • A Oct 26, 2016 @ 13:51

    Let’s say I want to give my SSH key used to access some servers to someone else (e.g. because I’m not maintaining these servers anymore).

    I can change the password as explained above and give “id_rsa” and “id_rsa.pub” to this person and he’ll be able to SSH on these servers without changing anything on the servers, right?

    • R Nov 1, 2016 @ 9:29

      Yes, you can do that. Note there is no passphrase on the pub key.

  • kazi shahin Nov 29, 2016 @ 13:09

    Forgot my Passphrase, how to set a new Passphrase?

  • Amit Jan 10, 2017 @ 10:30

    Thank you, it was very helpful.

  • Kurt Jul 3, 2022 @ 12:59

    To make this post better, provide details about using special characters in passwords. I’m currently unable to use any ssh-keygen commands with the password option using a password with special characters under BASH.

    • Vivek Gite (Author and Admin) Jul 4, 2022 @ 16:09

      A passphrase is made with a series of words, punctuation, numbers, whitespace, or any string of characters you want. What kind of special character are you talking about?
