SSH key authentication is far more secure than password authentication for an SFTP server. Instead of transmitting a password, key authentication uses a cryptographic key pair: a private key (kept secret on your machine) and a public key (stored on the server). At login the client signs a challenge derived from the current session with the private key, and the server checks that signature against the stored public key, so your private key never leaves your computer.
Why Use SSH Keys Instead of Passwords?
Stronger Security
SSH keys are cryptographic keys with far more entropy than any human-chosen password. A 4096-bit RSA key or an Ed25519 key is practically impossible to brute force.
No Password to Steal
Your private key never leaves your machine during authentication. Even if someone intercepts the connection, they cannot extract your credentials.
Automation-Friendly
SSH keys allow authentication without an interactive password prompt, which is essential for automated scripts, cron jobs, and CI/CD pipelines that transfer files via SFTP. For unattended jobs use a dedicated key that does nothing else, so it can be revoked on its own if the job's host is compromised.
Resistant to Phishing
A password can be typed into a fake login form; a private key cannot. The signature the client sends covers the session identifier negotiated with that particular server, so an impostor server that receives it learns nothing it can replay against the real one. This only holds if you verify the server's host key: if you accept an unknown host key blindly, a fake server cannot steal your key, but it can still read or alter the files you transfer through it.
Step 1: Generate an SSH Key Pair
Use the ssh-keygen command, available on Linux, macOS, and Windows 10+.
Option A: Ed25519 (Recommended)
Ed25519 is a modern algorithm that is fast, secure, and produces compact keys.
ssh-keygen -t ed25519 -C "[email protected]"
Option B: RSA 4096-bit
RSA is the most widely supported algorithm. Use 3072 bits or more; 4096 is the common choice and the one used here.
ssh-keygen -t rsa -b 4096 -C "[email protected]"
When prompted, choose a file location (the default ~/.ssh/id_ed25519 or ~/.ssh/id_rsa is fine) and set a passphrase. The passphrase is optional but strongly recommended: it encrypts the private key on disk, so a copy of the file is useless without it.
This creates two files (named id_rsa and id_rsa.pub if you chose RSA):
- Private key (id_ed25519) — Keep this secret. Never share it.
- Public key (id_ed25519.pub) — This is what you give to the SFTP server.
Step 2: Add Your Public Key to the Server
How you add your public key depends on how your SFTP server is managed:
Managed SFTP hosting (like SFTPHub)
With a managed SFTP hosting provider, you typically paste your public key into a web dashboard when creating or editing an SFTP user. Copy the contents of your public key file:
cat ~/.ssh/id_ed25519.pub
Then paste the whole line (key type, base64 key data and comment, with no line breaks added) into the public key field in your provider's dashboard.
Self-managed server (OpenSSH)
For a server running OpenSSH, use ssh-copy-id. It needs a way to log in already (your password, or a key that is already installed) and a shell on the account, because it runs a small shell command on the server to append the key:
ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
This appends your public key to the ~/.ssh/authorized_keys file on the server, creating the directory if necessary. Two caveats: for an SFTP-only account (ForceCommand internal-sftp with no shell) ssh-copy-id cannot run that command, so an administrator has to append the line on the server; and sshd ignores authorized_keys entirely when that file, ~/.ssh or the home directory is writable by anyone else (the StrictModes default), which is the first thing to check when a key that is definitely installed is still not accepted.
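Whether you paste the key into a dashboard or append it to authorized_keys, the usual reason key login silently falls back to a password is a damaged line: a wrap inserted while copying, the private key pasted instead of the .pub file, or a key type the server will not accept. The script below is an added example, not part of the original page or any provider's tooling. It checks a public key line before you install it: it splits the line into type, blob and comment, rejects DSA, unknown types and private-key headers, and decodes the base64 blob to confirm that the key type encoded inside it matches the type at the front (SSH blobs are self-describing: a 4-byte big-endian length followed by the type name). The four sample lines are constructed for the example and are not real keys; the Ed25519 one carries 32 bytes of 0x42 where the key material would be. It assumes POSIX sh with base64(1) accepting -d, od(1) and dd(1).

```shell
#!/bin/sh
# Added example: check a public key line before pasting it into a dashboard or
# appending it to ~/.ssh/authorized_keys. Needs POSIX sh, base64(1), od(1), dd(1).

# Print the key-type string embedded in a base64 key blob. SSH encodes the blob
# as a 4-byte big-endian length followed by the type name, then the key data,
# so the blob carries its own type, which must agree with the text in front.
blob_type() {
    bt_tmp=$(mktemp) || return 1
    if ! printf '%s' "$1" | base64 -d > "$bt_tmp" 2>/dev/null; then
        rm -f "$bt_tmp"; return 1
    fi
    set -- $(od -An -v -tu1 -N4 "$bt_tmp")          # first four bytes as decimals
    if [ $# -ne 4 ]; then rm -f "$bt_tmp"; return 1; fi
    bt_len=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    if [ "$bt_len" -lt 1 ] || [ "$bt_len" -gt 64 ]; then rm -f "$bt_tmp"; return 1; fi
    dd if="$bt_tmp" bs=1 skip=4 count="$bt_len" 2>/dev/null
    rm -f "$bt_tmp"
}

# Validate one "<type> <base64-blob> [comment]" line. Prints a verdict and
# returns 0 only for a well-formed line whose type is allowed.
check_pubkey_line() {
    read -r cp_type cp_blob cp_comment <<EOF
$1
EOF
    case "$cp_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        ssh-dss) echo "REJECT: ssh-dss is DSA, which OpenSSH no longer accepts"; return 1 ;;
        -----BEGIN*) echo "REJECT: this is a private key; paste the .pub file, never this"; return 1 ;;
        "") echo "REJECT: empty line"; return 1 ;;
        *) echo "REJECT: unsupported key type '$cp_type'"; return 1 ;;
    esac
    if [ -z "$cp_blob" ]; then echo "REJECT: missing key data after '$cp_type'"; return 1; fi
    case "$cp_blob" in
        *[!A-Za-z0-9+/=]*) echo "REJECT: key data contains non-base64 characters"; return 1 ;;
    esac
    if ! cp_embedded=$(blob_type "$cp_blob"); then
        echo "REJECT: key data does not decode as an SSH key"; return 1
    fi
    if [ "$cp_embedded" != "$cp_type" ]; then
        echo "REJECT: line says '$cp_type' but the blob encodes '$cp_embedded'"; return 1
    fi
    cp_msg="OK: $cp_type key"
    if [ -n "$cp_comment" ]; then cp_msg="$cp_msg ($cp_comment)"; fi
    echo "$cp_msg"
}

# Constructed inputs for the demo (not real keys): a well-formed Ed25519 line
# whose 32 key bytes are all 0x42, a DSA line, a line whose type field does not
# match its blob (the blob starts with the ssh-rsa encoding), and a private key.
GOOD_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC deploy@ci'
BAD_DSA='ssh-dss AAAAB3NzaC1kc3MAAACBAM constructed'
MISMATCH='ssh-ed25519 AAAAB3NzaC1yc2EA'
PRIVATE='-----BEGIN OPENSSH PRIVATE KEY-----'

for line in "$GOOD_ED25519" "$BAD_DSA" "$MISMATCH" "$PRIVATE"; do
    check_pubkey_line "$line" || :
done
```

To check a real key, pipe it in with check_pubkey_line "$(cat ~/.ssh/id_ed25519.pub)". The check confirms structure and type only; it does not verify that the key material is a valid point or that an RSA key is large enough, which is what ssh-keygen -l -f does if you have it.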
Step 3: Connect Using Your SSH Key
Once your public key is on the server, connect with SFTP specifying the private key:
sftp -i ~/.ssh/id_ed25519 [email protected]
If your key is in the default location (~/.ssh/id_ed25519 or ~/.ssh/id_rsa), the SFTP client tries it automatically without the -i flag. If you are still prompted for a password, the server did not accept the key; re-check the installed public key and the server-side file permissions rather than typing the password.
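For cron jobs and CI, where nobody can answer a prompt, the connection should fail rather than ask. The script below is an added example, not from the original page. It uploads one file in batch mode and refuses to run unless the server's host key is already present in a known_hosts file shipped with the job (this is the host-key binding that makes key authentication resistant to impostor servers; fetching the key with ssh-keyscan at run time would throw that away), refuses a private key that others can read, and tells ssh to offer only the named key and never fall back to a password. sftp.example.com, the user deploy, the paths and the known_hosts contents are placeholders; DRY_RUN=1 prints the assembled command instead of running it. The known_hosts lookup matches plain hostnames and [host]:port entries only; hashed entries (HashKnownHosts yes) need ssh-keygen -F instead.

```shell
#!/bin/sh
# Added example: non-interactive SFTP upload for cron/CI. Not from the original
# page; sftp.example.com, deploy, /uploads and the key path are placeholders.

# True when HOST already has a plain-text entry in the known_hosts FILE, either
# "host ..." or "[host]:port ...". Hashed entries need: ssh-keygen -F host -f FILE
host_is_pinned() {
    hp_re=$(printf '%s' "$1" | sed 's/\./\\./g')     # escape dots for the regex
    [ -r "$2" ] || return 1
    grep -Eq "(^|,)\\[?${hp_re}\\]?(:[0-9]+)?(,| )" "$2"
}

# sftp_upload HOST USER KEY KNOWN_HOSTS LOCAL_FILE REMOTE_DIR
# Returns 2, 3 or 4 for the refusal cases, otherwise sftp's own exit status.
sftp_upload() {
    su_host=$1; su_user=$2; su_key=$3; su_known=$4; su_local=$5; su_remote=$6
    if ! host_is_pinned "$su_host" "$su_known"; then
        echo "refusing: $su_host has no entry in $su_known (ship a pinned host key with the job)" >&2
        return 2
    fi
    # ssh refuses a key that group or others can read (columns 5-10 of ls -ld);
    # check first so the failure is explicit instead of a confusing auth fallback.
    case "$(ls -ld "$su_key")" in
        ????------*) ;;
        *) echo "refusing: $su_key is readable by group/other; chmod 600 it" >&2; return 3 ;;
    esac
    if [ ! -r "$su_local" ]; then
        echo "refusing: $su_local is not readable" >&2
        return 4
    fi
    su_batch=$(mktemp) || return 5
    printf 'cd %s\nput %s\nbye\n' "$su_remote" "$su_local" > "$su_batch"
    # BatchMode: never prompt, fail instead. StrictHostKeyChecking=yes with our
    # own known_hosts: an unknown or changed host key aborts the transfer.
    # IdentitiesOnly: offer only this key, not everything the agent holds.
    # PasswordAuthentication=no: a rejected key must not fall back to a prompt.
    set -- sftp \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$su_known" \
        -o IdentitiesOnly=yes \
        -o PasswordAuthentication=no \
        -i "$su_key" -b "$su_batch" "$su_user@$su_host"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s ' "$@"; echo
        rm -f "$su_batch"; return 0
    fi
    "$@"
    su_rc=$?
    rm -f "$su_batch"
    return "$su_rc"
}

# Example call (placeholders):
# DRY_RUN=1 sftp_upload sftp.example.com deploy ~/.ssh/id_ed25519_sftp ./known_hosts ./report.csv /uploads
```

The known_hosts file for the job should be generated once from a trusted channel (for example copied from the server's /etc/ssh/ssh_host_ed25519_key.pub by an administrator) and committed or injected alongside the private key, never regenerated by the job itself.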
SSH Key Types Compared
| Key Type | Key Size | Speed | Compatibility | Recommendation |
|---|---|---|---|---|
| Ed25519 | 256-bit (fixed) | Fastest | OpenSSH 6.5+ and most current clients | Best choice |
| RSA | 3072-bit minimum, 4096-bit common | Slower | Universal | Good fallback |
| ECDSA | 256, 384 or 521-bit | Fast | Wide support | Acceptable |
| DSA | 1024-bit (max) | Moderate | Deprecated; disabled by default since OpenSSH 7.0 | Do not use |
One compatibility note on RSA: current OpenSSH signs with rsa-sha2-256 or rsa-sha2-512 and, since 8.8, refuses the old SHA-1 ssh-rsa signature scheme by default. The key file is the same either way; only a very old server or client that knows nothing but SHA-1 signatures is affected.
Best Practices for SSH Key Management
- Use a passphrase — Protect your private key with a passphrase so it cannot be used if stolen. Use ssh-agent to avoid retyping it.
- Set correct file permissions — Your private key should have 600 permissions (chmod 600 ~/.ssh/id_ed25519) and the ~/.ssh directory 700. The SSH client refuses to use a key that group or others can read, and on the server sshd ignores an authorized_keys file, .ssh directory or home directory that anyone else can write to.
- Use separate keys per purpose — Generate different key pairs for different servers or use cases. This limits the blast radius if one key is compromised.
- Rotate keys periodically — Replace SSH keys on a regular schedule (e.g., annually) and remove old public keys from servers.
- Never share private keys — Only distribute the public key (.pub file). If a private key is compromised, generate a new pair immediately and remove the old public key from every server and dashboard that has it.
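The permission rules above are easy to break after moving keys between machines: a plain cp, an unzip or a download usually leaves 644. The script below, an added example not from the original page, audits a directory the way ssh and sshd check it: the directory itself must grant nothing to group or others, anything that looks like a private key (recognised by its -----BEGIN ... PRIVATE KEY----- header, so per-purpose keys with custom names are covered too) and authorized_keys must be owner-only, and .pub files are left alone. It reports one line per problem and returns the number found; with FIX=1 it also applies the corrective chmod. It assumes POSIX sh with ls(1), head(1) and grep(1).

```shell
#!/bin/sh
# Added example: audit the file modes ssh(1) and sshd(8) care about. Not from
# the original page. Usage: ssh_perms_audit ~/.ssh    (FIX=1 to repair as well)

# True when ls(1) shows no group/other bits (columns 5-10 all '-'); this is
# the condition ssh tests before printing "permissions are too open".
owner_only() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Identify private keys by their header rather than by file name, so
# per-purpose keys with custom names are caught too.
is_private_key() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----'
}

# Print one line per problem; return the number of problems found (0 = clean).
# With FIX=1 the corrective chmod is applied as each problem is reported.
ssh_perms_audit() {
    spa_dir=$1
    spa_bad=0
    if ! owner_only "$spa_dir"; then
        echo "$spa_dir: directory accessible to group/other (want 700)"
        spa_bad=$((spa_bad + 1))
        if [ "${FIX:-0}" = 1 ]; then chmod 700 "$spa_dir"; fi
    fi
    for spa_f in "$spa_dir"/*; do
        [ -e "$spa_f" ] || continue            # empty dir: the glob stays literal
        case "$spa_f" in
            *.pub) continue ;;                 # public halves may stay 644
        esac
        if is_private_key "$spa_f" || [ "${spa_f##*/}" = authorized_keys ]; then
            if ! owner_only "$spa_f"; then
                echo "$spa_f: readable by group/other (want 600)"
                spa_bad=$((spa_bad + 1))
                if [ "${FIX:-0}" = 1 ]; then chmod 600 "$spa_f"; fi
            fi
        fi
    done
    return "$spa_bad"
}
```

Run it as ssh_perms_audit "$HOME/.ssh" on the client, and against the user's ~/.ssh on a self-managed server where key login is being refused; a non-zero return is the count of findings, which makes it usable as a pre-flight check in a deployment job.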
Key Takeaways
- SSH key authentication is more secure than passwords and enables automated, passwordless SFTP transfers.
- Ed25519 is the recommended key type for new setups; RSA 4096-bit is a good fallback for compatibility.
- Generate keys with ssh-keygen, then add the public key to your SFTP server.
- Protect private keys with file permissions and passphrases.
- Managed SFTP providers like SFTPHub let you paste your public key directly in a web dashboard.