Key-based authentication in SSH uses a matched pair of private and public keys so remote systems can verify identity without sharing secrets. Extracting a public key from an existing private key enables reuse of that identity on additional servers while keeping the private key confined to trusted machines.
An SSH private key file contains all the mathematical parameters required to reconstruct the corresponding public key, regardless of whether the key type is RSA, ECDSA, or ED25519. The ssh-keygen tool reads the private key from the filesystem, derives the public key, and outputs it in formats understood by OpenSSH and other SSH2 implementations.
The commands in this procedure assume a standard OpenSSH environment, with private keys stored under /home/user/.ssh on Linux and other Unix-like systems. Encrypted private keys prompt for a passphrase before a public key can be derived, and any exported public key should be verified before copying it into an authorized_keys file to avoid granting unintended access.
$ whoami
user
$ ls ~/.ssh/id_ed25519*
/home/user/.ssh/id_ed25519
/home/user/.ssh/id_ed25519.pub
The default private key locations for OpenSSH are /home/user/.ssh/id_rsa and /home/user/.ssh/id_ed25519, depending on key type.
$ ls -l ~/.ssh/id_ed25519
-rw------- 1 user user 399 Jan 10 12:25 /home/user/.ssh/id_ed25519
The private key should be readable only by its owner (mode 0600, as shown). Overly permissive permissions on a private key allow other local users on the same system to reuse that identity, and OpenSSH refuses to use a key whose file is group- or world-readable.
$ file ~/.ssh/id_ed25519
/home/user/.ssh/id_ed25519: OpenSSH private key
OpenSSH keys may appear as “OpenSSH private key” or “PEM RSA private key” depending on the version of OpenSSH and the key algorithm.
$ ssh-keygen -y -f ~/.ssh/id_ed25519
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB5yNFP/4hZzeGo+QcqL9QDMNvHSX4KNQJchDoMcyuN user@host
The line starting with the key type (for example, ssh-ed25519 or ssh-rsa) is the public key string accepted by OpenSSH servers. Encrypted keys prompt for a passphrase before the public key is shown.
$ ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
Overwriting an existing .pub file replaces the previous public key, which can invalidate access on systems that still rely on the old key.
$ file ~/.ssh/id_ed25519.pub
/home/user/.ssh/id_ed25519.pub: OpenSSH ED25519 public key
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB5yNFP/4hZzeGo+QcqL9QDMNvHSX4KNQJchDoMcyuN user@host
The final field in the line (such as user@host) is a comment and can be adjusted without changing the cryptographic key.
$ ssh-keygen -e -f ~/.ssh/id_ed25519 -m RFC4716
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by user@host from OpenSSH"
AAAAC3NzaC1lZDI1NTE5AAAAIEB5yNFP/4hZzeGo+QcqL9QDMNvHSX4KNQJchDoMcyuN
---- END SSH2 PUBLIC KEY ----
Some network appliances and commercial SSH2 clients accept public keys only in RFC4716 format rather than standard OpenSSH one-line keys.
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host.example.net

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@host.example.net'"
and check to make sure that only the key(s) you wanted were added.
Installing a public key on an unintended remote account grants login access to anyone possessing the corresponding private key.
$ ssh -i ~/.ssh/id_ed25519 user@host.example.net 'whoami'
user
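The verification step recommended above, written out as an added example (this script is not part of the original procedure): it derives the public key with ssh-keygen -y, compares its key material with the existing .pub file while ignoring the comment field, and appends the key to an authorized_keys file only when no entry with the same key material is already there. The two file paths are placeholders passed on the command line; derive_and_check requires ssh-keygen to be installed.

```shell
#!/bin/sh
# Added example (not part of the original procedure): verify a derived
# public key against an existing .pub file and install it idempotently.
# Paths are placeholders passed on the command line.

# key_material: print "<type> <base64>" of a one-line OpenSSH public key,
# dropping the trailing comment, which carries no cryptographic weight.
key_material() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# same_key: succeed when two one-line public keys carry identical key material.
same_key() {
    [ "$(key_material "$1")" = "$(key_material "$2")" ]
}

# install_key: append a public key to an authorized_keys file unless an entry
# with the same key material is already present; prints "added" or "present".
install_key() {
    key="$1"; akfile="$2"
    wanted=$(key_material "$key")
    if [ -f "$akfile" ] &&
       awk -v w="$wanted" '($1 " " $2) == w { found = 1 } END { exit !found }' "$akfile"; then
        echo present
        return 0
    fi
    printf '%s\n' "$key" >> "$akfile"
    chmod 600 "$akfile"   # keep the file private, as sshd expects
    echo added
}

# derive_and_check: derive the public key from a private key with ssh-keygen -y
# and confirm it matches the .pub file beside it (requires ssh-keygen; an
# encrypted key prompts for its passphrase). Returns 2 if derivation fails.
derive_and_check() {
    priv="$1"
    derived=$(ssh-keygen -y -f "$priv") || return 2
    same_key "$derived" "$(cat "$priv.pub")"
}

# Usage: sh check_and_install.sh /path/to/id_ed25519 /path/to/authorized_keys
if [ $# -eq 2 ]; then
    derive_and_check "$1" && install_key "$(cat "$1.pub")" "$2"
fi
```

Running the script a second time with the same key reports "present" and leaves authorized_keys unchanged, so it can be repeated safely across several servers.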