Key-based authentication in SSH uses a matched pair of private and public keys so remote systems can verify identity without sharing secrets. Extracting a public key from an existing private key enables reuse of that identity on additional servers while keeping the private key confined to trusted machines.
An SSH private key file contains all the mathematical parameters required to reconstruct the corresponding public key, regardless of whether the key type is RSA, ECDSA, or ED25519. The ssh-keygen tool reads the private key from the filesystem, derives the public key, and outputs it in formats understood by OpenSSH and other SSH2 implementations.
The commands in this procedure assume a standard OpenSSH environment, with private keys stored under /home/user/.ssh on Linux and other Unix-like systems. Encrypted private keys prompt for a passphrase before a public key can be derived, and any exported public key should be verified before copying it into an authorized_keys file to avoid granting unintended access.
Steps to extract a public key from an SSH private key:
- Open a terminal in the environment where the private key is stored.
$ whoami
alice
- Locate the SSH private key file in the user key directory.
$ ls ~/.ssh
id_ed25519 id_ed25519.pub known_hosts
The default private key locations for OpenSSH are /home/user/.ssh/id_rsa and /home/user/.ssh/id_ed25519, depending on key type.
- Inspect the private key permissions to confirm only the owner can read it.
$ ls -l ~/.ssh/id_ed25519
-rw------- 1 alice alice 411 Jul 10 09:15 /home/alice/.ssh/id_ed25519
Overly permissive permissions on a private key allow other local users on the same system to reuse that identity.
- Check the format reported for the private key file.
$ file ~/.ssh/id_ed25519
/home/alice/.ssh/id_ed25519: OpenSSH private key
OpenSSH keys may appear as “OpenSSH private key” or “PEM RSA private key” depending on the version of OpenSSH and the key algorithm.
- Derive and print the public key from the private key in OpenSSH format.
$ ssh-keygen -y -f ~/.ssh/id_ed25519
Enter passphrase:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1mXqkYc9W7XzVh0c0nAvV4ZQK0b8jQH8q0u8d3T5u alice@example
The line starting with the key type (for example, ssh-ed25519 or ssh-rsa) is the public key string accepted by OpenSSH servers.
- Save the derived public key to a dedicated .pub file next to the private key.
$ ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
Overwriting an existing .pub file replaces the previous public key, which can invalidate access on systems that still rely on the old key.
- Confirm the saved public key file exists and has the expected format.
$ file ~/.ssh/id_ed25519.pub
/home/alice/.ssh/id_ed25519.pub: OpenSSH ED25519 public key
- Inspect the contents of the public key file to verify the key comment and type.
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1mXqkYc9W7XzVh0c0nAvV4ZQK0b8jQH8q0u8d3T5u alice@example
The final field in the line (such as alice@example) is a comment and can be adjusted without changing the cryptographic key.
- Export the public key in SSH2 (RFC4716) format when required by non-OpenSSH systems.
$ ssh-keygen -e -f ~/.ssh/id_ed25519 -m RFC4716
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "alice@example"
AAAAC3NzaC1lZDI1NTE5AAAAIJ1mXqkYc9W7XzVh
##### snipped #####
---- END SSH2 PUBLIC KEY ----
Some network appliances and commercial SSH2 clients accept public keys only in RFC4716 format rather than standard OpenSSH one-line keys.
- Add the generated public key to a remote account to enable key-based authentication.
$ ssh-copy-id alice@server.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alice/.ssh/id_ed25519.pub"
The authenticity of host 'server.example.com (203.0.113.10)' can't be established.
ECDSA key fingerprint is SHA256:ABCDEF1234567890examplefingerprinthere.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
##### snipped #####
Installing a public key on an unintended remote account grants login access to anyone possessing the corresponding private key.
- Verify passwordless login to the remote host using the new public key.
$ ssh alice@server.example.com
Welcome to Ubuntu 22.04 LTS
##### snipped #####
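The derive, save and verify steps above can be combined so that an existing .pub file is never overwritten blindly. The following is an added example, not part of the original procedure; the function name safe_export_pub is hypothetical. It writes to a temporary file first because a plain `>` redirect truncates the existing .pub before ssh-keygen runs, so a failed passphrase prompt would leave an empty file.

```shell
#!/bin/sh
# Added example (not from the original page): derive the public key from a
# private key and refuse to overwrite an existing .pub that does not match.
# The function name safe_export_pub is hypothetical.

safe_export_pub() {
    priv=$1
    pub="$priv.pub"

    # Derive into a temporary file beside the target so a failed or
    # cancelled passphrase prompt never truncates the existing .pub.
    tmp=$(mktemp "$pub.XXXXXX") || return 2
    if ! ssh-keygen -y -f "$priv" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    # Compare only key type and base64 blob; the trailing comment is free text.
    derived=$(awk 'NR == 1 { print $1, $2 }' "$tmp")

    if [ -f "$pub" ]; then
        existing=$(awk 'NR == 1 { print $1, $2 }' "$pub")
        rm -f "$tmp"
        if [ "$derived" = "$existing" ]; then
            echo "OK: $pub already matches $priv"
            return 0
        fi
        echo "MISMATCH: $pub does not belong to $priv; not overwriting" >&2
        return 1
    fi

    # No .pub yet: install the derived key (public keys may be world-readable).
    chmod 644 "$tmp" && mv "$tmp" "$pub" || { rm -f "$tmp"; return 2; }
    # Print the fingerprint so it can be compared on the remote side.
    ssh-keygen -l -f "$pub"
}

# Run directly: sh safe_export_pub.sh ~/.ssh/id_ed25519
if [ "$#" -gt 0 ]; then
    safe_export_pub "$1"
fi
```

A return status of 1 means the .pub file next to the private key holds a different key and should be reviewed before anything is copied into an authorized_keys file.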
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
