Blog

Git SSH Keys for GitHub, GitLab, and Bitbucket on Linux

Prev in Linux Dotfiles: A Git-Based Strategy for Configuration Management Next in Linux How To Create An AWS EC2 Instance Using AWS CLI

Blog

Linux Git SSH Version Control Developer Tools

Git SSH Keys for GitHub, GitLab, and Bitbucket on Linux

Mohammad Abu Mattar Published: 18 Dec, 2021 Updated: 07 Jun, 2026 08 Mins read

Introduction

By default, Git talks to remotes over HTTPS, so it asks for your username and password on every git pull or git push. SSH fixes that. GitHub, GitLab, and Bitbucket all let Git authenticate over SSH with public-key encryption instead set it up once and you stop typing credentials for every Git command.

Info

An SSH key is a pair of files: a private key that never leaves your machine, and a public key you upload to each service. Authentication happens by proving you hold the private key no password sent over the wire.

Make sure a Git and SSH client is installed

A Git and SSH client must be installed on your system to connect via the SSH protocol. It should be installed by default if you use Arch Linux-based distributions like Manjaro or Garuda Linux.

1
git --version
2
ssh -V

That command should return the Git version and SSH client’s version number:

1
git version 2.34.1
2
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021

If the system tells you that the ssh or git commands are missing, install them with the command set for your distribution:

1
sudo pacman -Syu
2
sudo pacman -Syyu
3
sudo pacman -S git
4
sudo pacman -S openssh

1
sudo apt update
2
sudo apt upgrade
3
sudo apt install git
4
sudo apt install openssh

1
sudo yum upgrade
2
sudo yum install git
3
sudo yum install openssh

1
sudo zypper upgrade
2
sudo zypper install git
3
sudo zypper install openssh

1
sudo dnf upgrade
2
sudo dnf install git
3
sudo dnf install openssh

Don’t forget to specify global Git settings using the following command after installing Git:

1
git config --global user.name 'USERNAME'
2
git config --global user.email '[email protected]'

Look for any SSH keys that have already been created

1
ls -lah ~/.ssh

That command lists the contents of the ~/.ssh folder, where the SSH client stores its configuration files. A typical populated directory looks like this:

Directory~/.ssh/
- id_ed25519 Ed25519 private key never share this
- id_ed25519.pub Ed25519 public key safe to upload
- id_rsa RSA private key (legacy) never share this
- id_rsa.pub RSA public key (legacy) safe to upload
- known_hosts
- config

Note

Don’t worry if you get an error saying there is no ~/.ssh directory or no files in there it just indicates you haven’t established an SSH key pair yet. Proceed to the next section if this is the case.

Tip

It’s worth regenerating your SSH key pair about once a year. If your current pair is older than that, generate a new one below; if it’s recent and you want to keep it, skip the next section.

Make a fresh set of SSH keys

Generate a new SSH key pair, replacing [email protected] with your email address. Use Ed25519 it’s what GitHub, GitLab, and Bitbucket recommend today. Reach for RSA only on an older system or server that doesn’t support Ed25519.

Ed25519 (recommended)
RSA (legacy)

1
ssh-keygen -t ed25519 -C '[email protected]'

This creates ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public). Ed25519 keys are small and fast, with security on par with a 4096-bit RSA key.

1
ssh-keygen -t rsa -b 4096 -C '[email protected]'

This creates ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public). Use the older RSA type only if you need to talk to a legacy system or server that doesn’t support Ed25519.

After running the command, complete the prompts:

Choose where to save the private key. Press Enter to accept the default location (~/.ssh/id_ed25519, or ~/.ssh/id_rsa for an RSA key):

1
Generating public/private ed25519 key pair. Enter file in which to save the key (/home/your_user_name/.ssh/id_ed25519):

If a private key already exists, you’ll be asked whether to overwrite it. Type y and press Enter:

1
/home/your_user_name/.ssh/id_ed25519 already exists.
2
Overwrite (y/n)?

Enter and re-enter a passphrase (think of it as a password for the key):

1
Enter passphrase (empty for no passphrase):
2
Enter same passphrase again:

Tip

A passphrase encrypts your private key on disk, so a stolen key file is useless without it. Combined with the ssh-agent (next section), you only type it once per session.

The SSH key pair is created in ~/.ssh, and the whole interaction should look like this:

Ed25519 (recommended)
RSA (legacy)

1
your_user_name@your_host_name:~> ssh-keygen -t ed25519 -C '[email protected]'
2
Generating public/private ed25519 key pair.
3
Enter file in which to save the key (/home/YOUR_USER_NAME/.ssh/id_ed25519):
4
/home/YOUR_USER_NAME/.ssh/id_ed25519 already exists.
5
Overwrite (y/n)? y
6
Enter passphrase (empty for no passphrase):
7
Enter same passphrase again:
8
Your identification has been saved in /home/YOUR_USER_NAME/.ssh/id_ed25519.
9
Your public key has been saved in /home/YOUR_USER_NAME/.ssh/id_ed25519.pub.
10
The key fingerprint is:
11
SHA256:Qx3yXenY8FOQmvIsjKVp6oAlITe3k1aMKRdViOFePP6 [email protected]
12
The key's randomart image is:
13
+--[ED25519 256]--+
14
|        .o+.     |
15
|       .oo=o     |
16
|      . o*+.o    |
17
|     . ..oB.+    |
18
|      o.S=.* .   |
19
|     . +o.E o    |
20
|      o.o+.= .   |
21
|       =o.++o    |
22
|      ..o**+.    |
23
+----[SHA256]-----+
24
YOUR_USER_NAME@YOUR_HOST_NAME:~>

1
your_user_name@your_host_name:~> ssh-keygen -t rsa -b 4096 -C '[email protected]'
2
Generating public/private rsa key pair.
3
Enter file in which to save the key (/home/YOUR_USER_NAME/.ssh/id_rsa):
4
/home/YOUR_USER_NAME/.ssh/id_rsa already exists.
5
Overwrite (y/n)? y
6
Enter passphrase (empty for no passphrase):
7
Enter same passphrase again:
8
Your identification has been saved in /home/YOUR_USER_NAME/.ssh/id_rsa.
9
Your public key has been saved in /home/YOUR_USER_NAME/.ssh/id_rsa.pub.
10
The key fingerprint is:
11
SHA256:XenY8FOQmvIsjKVp6oAlITe3k1aMKRdViOFePP6/CuK [email protected]
12
The key's randomart image is:
13
+---[RSA 4096]----+
14
|o.=@X++.         |
15
|o*@O++           |
16
|=Bo+=+           |
17
|Oo+ oo..         |
18
|=+ . .. S        |
19
|...   o          |
20
| .   o .         |
21
|    . . o        |
22
|   E   . o.      |
23
+----[SHA256]-----+
24
YOUR_USER_NAME@YOUR_HOST_NAME:~>

To the ssh-agent, add your private SSH key

If you’d rather not retype your passphrase every time you use the key, add it to the ssh-agent a background process that keeps your keys in memory while you’re logged in.

Start the ssh-agent in the background:

1
eval "$(ssh-agent -s)"

The command returns the ssh-agent process identification:

1
Agent pid 2887

Add your SSH private key to the ssh-agent pick the tab for your key type:

Ed25519 (recommended)
RSA (legacy)

1
ssh-add ~/.ssh/id_ed25519

1
ssh-add ~/.ssh/id_rsa

Type your passphrase and press Enter:

1
Enter passphrase for /home/YOUR_USER_NAME/.ssh/id_ed25519:

The ssh-agent confirms the private SSH key has been added:

1
Identity added: /home/YOUR_USER_NAME/.ssh/id_ed25519 ([email protected])

To your account, add the public SSH key

You can connect through SSH once you have an SSH key and have added it to the ssh-agent. The procedure is the same for all three services: copy your public key to the clipboard, then paste it into the service’s SSH-keys settings.

xclip is a command-line tool that gives you access to the clipboard from the terminal. If it isn’t already installed, install it for your distribution:

1
sudo pacman -Syu
2
sudo pacman -Syyu
3
sudo pacman -S xclip

1
sudo apt update
2
sudo apt upgrade
3
sudo apt install xclip

1
sudo yum upgrade
2
sudo yum install xclip

1
sudo zypper upgrade
2
sudo zypper install xclip

1
sudo dnf upgrade
2
sudo dnf install xclip

Using the xclip command, copy the contents of your public SSH key to the clipboard pick the tab that matches the key type you created:

Ed25519 (recommended)
RSA (legacy)

1
xclip -sel clip < ~/.ssh/id_ed25519.pub

1
xclip -sel clip < ~/.ssh/id_rsa.pub

Warning

Only ever copy and paste the public key (the .pub file). The private key (id_ed25519 or id_rsa, with no extension) must never be uploaded or shared with anyone.

Now add that public key to your account. Pick your service below:

Sign in to your GitHub account by going to github.com and entering your username and password. Click your profile photo in the upper-right corner of the page, then Settings:

GitHub Settings

Select SSH and GPG keys from the user settings sidebar, then select New SSH key. Put a descriptive label for the new key in the Title area (for example, your computer’s name) and paste your public key into the Key field. Finally, click Add SSH key:

GitHub Settings

The key is now visible in the list of SSH keys linked to your account:

GitHub Settings

Test connecting via SSH

Before you start using SSH with Git, all three services let you check that the connection works.

Once you’ve added your SSH key to your GitHub account, open the terminal and type:

1
ssh -T [email protected]

If you’re connecting to GitHub over SSH for the first time, the SSH client will ask if you trust the GitHub server’s public key:

1
The authenticity of host 'github.com (140.82.113.4)' can't be established.
2
RSA key fingerprint is SHA256:a5d6c20b1790b4c144b9d26c9b201bbee3797aa010f2701c09c1b3a6262d2c02.
3
Are you sure you want to continue connecting (yes/no)?

Type yes and press Enter. GitHub is added to the list of trustworthy hosts in the SSH client, and you won’t be asked about its public key again:

1
Warning: Permanently added 'github.com,140.82.113.4' (RSA) to the list of known hosts.

GitHub only allows this SSH connection for testing, not shell access, so it confirms you’re authenticated and then closes the connection:

1
Hi YOUR_USER_NAME! You've successfully authenticated, but GitHub does not provide shell access.

The entire interaction should look something like this:

1
ssh -T [email protected]
2

3
The authenticity of host 'github.com (140.82.113.4)' can't be established.
4
RSA key fingerprint is SHA256:a5d6c20b1790b4c144b9d26c9b201bbee3797aa010f2701c09c1b3a6262d2c02.
5
Are you sure you want to continue connecting (yes/no)? yes
6
Warning: Permanently added 'github.com,140.82.113.4' (RSA) to the list of known hosts.
7
Hi your_user_name! You've successfully authenticated, but GitHub does not provide shell access.
8
YOUR_USER_NAME@YOUR_HOST_NAME:~>

Test passed you’re ready to use SSH with GitHub.

Once you’ve added your SSH key to your GitLab account, the test is pretty similar:

1
ssh -T [email protected]
2

3
The authenticity of host 'gitlab.com (35.231.145.151)' can't be established.
4
ECDSA key fingerprint is SHA256:4ac7a7fd4296d5e6267c9188346375ff78f6097a802e83c0feaf25277c9e70cc.
5
Are you sure you want to continue connecting (yes/no)? yes
6
Warning: Permanently added 'gitlab.com,35.231.145.151' (ECDSA) to the list of known hosts.
7
Welcome to GitLab, @YOUR_USER_NAME!

Test passed you’re ready to use SSH with GitLab.

Once you’ve added your SSH key to your Bitbucket account, the test is pretty similar:

1
ssh -T [email protected]
2

3
The authenticity of host 'bitbucket.org (104.192.143.1)' can't be established.
4
RSA key fingerprint is SHA256:fb7d37d5497c43f73325e0a98638cac8dda3b01a8c31f4ee11e2e953c19e0252.
5
Are you sure you want to continue connecting (yes/no)? yes
6
Warning: Permanently added 'bitbucket.org,104.192.143.1' (RSA) to the list of known hosts.
7
logged in as YOUR_USER_NAME.
8

9
You can use git or hg to connect to Bitbucket. Shell access is disabled.

Test passed you’re ready to use SSH with Bitbucket.

Frequently Asked Questions

Should I set a passphrase on my SSH key?

Yes. A passphrase encrypts the private key on disk, so if the file is ever stolen it’s useless without the passphrase. Pair it with the ssh-agent so you only type it once per login session rather than on every Git command.

RSA or Ed25519 which key type should I use?

Use ed25519. The keys are smaller and faster than RSA with comparable security, and it’s what GitHub, GitLab, and Bitbucket recommend. Generate one with ssh-keygen -t ed25519 -C '[email protected]'. Reach for rsa -b 4096 only when you need to connect to an older server that doesn’t speak Ed25519.

Can I use the same key for GitHub, GitLab, and Bitbucket?

Yes. The same public key can be added to as many accounts and services as you like there’s no need for a separate key per provider. Just paste ~/.ssh/id_ed25519.pub (or id_rsa.pub) into each service’s SSH-keys settings.

I get 'Permission denied (publickey)' what's wrong?

Usually one of: the key wasn’t added to the ssh-agent (ssh-add ~/.ssh/id_ed25519), the public key wasn’t added to the service, or the wrong key path is being used. Run ssh -vT [email protected] to see which key the client offers, and confirm ~/.ssh permissions are 700 and the private key is 600.

Why is my passphrase requested every time?

The ssh-agent isn’t running or isn’t persisting between sessions. Start it with eval "$(ssh-agent -s)" and add the key with ssh-add. To make it stick automatically, add AddKeysToAgent yes (and optionally UseKeychain yes on macOS) under your host in ~/.ssh/config.

Git SSH Keys for GitHub, GitLab, and Bitbucket on Linux

Git SSH Keys for GitHub, GitLab, and Bitbucket on Linux