How to change a PPK passphrase in PuTTYgen

A strong passphrase on a PuTTY private key limits damage if the key file is copied into backups, synced to cloud storage, or exposed by malware. Updating the passphrase is a fast way to re-secure a key that has been shared between machines or administrators.

A .ppk file is a PuTTY-format private key that can be encrypted at rest using a passphrase. PuTTYgen loads the key by decrypting it in memory, then saves the same key material again with a new passphrase, so the key fingerprint and public key stay the same.

The current passphrase is required to open an encrypted .ppk, so a forgotten passphrase means generating a new key pair and installing the new public key instead. Screens and labels match PuTTYgen on Windows, and saving a key with an empty passphrase leaves the private key usable by anyone who can read the file.

Related: How to use public key authentication in PuTTY
Related: How to use Pageant as an SSH agent for PuTTY

Steps to change a PPK passphrase using PuTTYgen:

  1. Launch PuTTYgen.
  2. Click Load.
  3. Select the target .ppk file and click Open.
  4. Enter the current passphrase and click OK when prompted.

    A passphrase prompt appears only when the loaded .ppk is encrypted.

  5. Enter the new passphrase in the Key passphrase field.

    Prefer a long passphrase and store it in a password manager.

  6. Re-enter the new passphrase in the Confirm passphrase field.
  7. Click Save private key.
  8. Enter a new filename for the updated key and click Save.

    Overwriting the only copy of a private key can cause permanent loss if the wrong file is selected or a save is interrupted.

  9. Confirm the PuTTYgen Warning prompt only when saving without a passphrase.

    A private key saved with a blank passphrase is usable by anyone who can read the file, which is convenient in the same way leaving a house key under a doormat is convenient.

  10. Click Load to verify the updated key.
  11. Select the newly saved .ppk file and click Open.
  12. Enter the new passphrase to confirm the key loads successfully.

    Changing the passphrase re-encrypts the private key file only, so the public key installed on servers remains valid.

  13. Update any PuTTY saved sessions or Pageant entries to reference the new .ppk path.

    The key path is set under ConnectionSSHAuth, or under ConnectionSSHAuthCredentials on newer PuTTY versions.

  14. Start a new PuTTY session that uses the updated .ppk file.
  15. Enter the new passphrase at the authentication prompt.