Practical steps to generate, deploy and remove SSH keys so access stays secure and manageable.

16.11.2025 | reading time: 3 min

When access depends on SSH keys, forgotten or long-lived keys become a risk. This short guide shows a concrete, repeatable rotation: generate a new key, deploy it to a server, verify access and remove the old key without breaking connectivity.

## Quick hands-on

Follow these commands step by step to rotate a user key on a remote host:

```
# Generate the replacement key. -N '' leaves it without a passphrase so the
# demo runs non-interactively; protect real keys with a passphrase.
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_rot1 -C 'rotate-2025-11-16' -N ''
Generating public/private ed25519 key pair.
Your identification has been saved in /home/user/.ssh/id_ed25519_rot1
Your public key has been saved in /home/user/.ssh/id_ed25519_rot1.pub

# Record the fingerprint so the key can be identified later in logs and authorized_keys
$ ssh-keygen -lf ~/.ssh/id_ed25519_rot1.pub
256 SHA256:abcdef1234567890abcdef1234567890abcdef rotate-2025-11-16 (ED25519)

# Install the new public key alongside the old one
$ ssh-copy-id -i ~/.ssh/id_ed25519_rot1.pub user@server.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: '/home/user/.ssh/id_ed25519_rot1.pub'

Number of key(s) added: 1

Now try logging into the machine, with:   'ssh user@server.example.com'

# Verify the new key works in a separate session before touching the old one
$ ssh -i ~/.ssh/id_ed25519_rot1 user@server.example.com 'echo connected'
connected

# Now remove the old key safely by backing up and filtering by comment
$ ssh user@server.example.com "cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak && grep -v 'old-key-comment' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.tmp && mv ~/.ssh/authorized_keys.tmp ~/.ssh/authorized_keys && echo 'old key removed'"
old key removed
```

## Why this matters

Rotation limits the blast radius if a private key leaks and keeps privileged access current. User keys should be ed25519 or RSA-4096, kept passphrase-protected and replaced on a schedule or after any suspicious event. Remember that OpenSSH user keys do not expire by themselves, so rotate them or use certificates for short-lived credentials.
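The removal step above filters authorized_keys by comment, which silently removes nothing if the comment was mistyped and removes too much if several keys share it. The script below is an added example, not part of the original post: it rehearses the same rotation on a local copy of authorized_keys, matching the old key by its key type and blob instead of its comment, backing the file up first, and refusing to delete anything unless the replacement key is already present (the guide's "test the new key before deleting the old one" made mechanical). The key blobs, comments, paths and helper names (`key_blob`, `has_key`, `add_key`, `remove_key`, `key_count`) are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): rotate an entry in a local copy
# of authorized_keys, matching the old key by type+blob rather than by comment,
# and refusing to delete anything unless the new key is already installed.
# All key blobs, comments and paths are constructed sample values.
set -eu

WORK="${TMPDIR:-/tmp}/akeys-demo.$$"
mkdir -p "$WORK"
AK="$WORK/authorized_keys"

# Constructed sample file: two existing keys plus a comment line. The blobs
# are placeholders, not real key material.
cat > "$AK" <<'EOF'
# keys for user@server
ssh-ed25519 AAAAC3OLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLD old-key-comment
ssh-ed25519 AAAAC3KEEPKEEPKEEPKEEPKEEPKEEPKEEPKEEPKEEPKEEPKEEP colleague@laptop
EOF

OLD_KEY='ssh-ed25519 AAAAC3OLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLDOLD old-key-comment'
NEW_KEY='ssh-ed25519 AAAAC3NEWNEWNEWNEWNEWNEWNEWNEWNEWNEWNEWNEWNEWNEW rotate-2025-11-16'

# key_blob LINE: print "<type> <base64>" of an authorized_keys line, dropping
# the trailing comment and any leading options such as from="..." or no-pty.
# Prints nothing for comment or blank lines.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit }
    }'
}

# has_key FILE KEY: succeed if some line in FILE carries KEY's type+blob,
# whatever comment or options that line has.
has_key() {
    want=$(key_blob "$2")
    while IFS= read -r line; do
        [ "$(key_blob "$line")" = "$want" ] && return 0
    done < "$1"
    return 1
}

# add_key FILE KEY: append KEY unless the same blob is already present.
add_key() {
    has_key "$1" "$2" || printf '%s\n' "$2" >> "$1"
}

# remove_key FILE OLD NEW: back FILE up, then drop every line whose blob
# matches OLD. Aborts without touching FILE if NEW is not installed, so a
# typo in the new key cannot lock the user out.
remove_key() {
    file="$1"; old="$2"; new="$3"
    has_key "$file" "$new" || { echo "new key not installed; aborting" >&2; return 1; }
    cp "$file" "$file.bak"
    want=$(key_blob "$old")
    tmp="$file.tmp"
    : > "$tmp"
    while IFS= read -r line; do
        [ "$(key_blob "$line")" = "$want" ] || printf '%s\n' "$line" >> "$tmp"
    done < "$file"
    mv "$tmp" "$file"
}

# key_count FILE: number of key lines (comments and blanks ignored).
key_count() {
    grep -c -E '(^|[[:space:]])(ssh-|ecdsa-|sk-)' "$1" || true
}

echo "before:"; cat "$AK"
add_key "$AK" "$NEW_KEY"
remove_key "$AK" "$OLD_KEY" "$NEW_KEY"
echo "after (backup kept in $AK.bak):"; cat "$AK"
```

Matching on the blob is what makes the check meaningful: the same public key installed with a different comment, or prefixed with `from=` and `no-pty` restrictions, is still recognised as present, and a line is only removed when its key material is the one being retired.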
## Automation and scale

For a few servers manual copying is fine, but at scale automate: use configuration management to push public keys, deploy an OpenSSH CA to sign short-lived user certificates, or integrate with a key-management workflow that creates, distributes and revokes keys without manual edits to authorized_keys.

## Operational tips

When removing old keys, back up authorized_keys first, test the new key in a separate session before deleting the old one, restrict keys with authorized_keys options such as from=, command= or no-pty where appropriate, and log changes so you can audit who rotated which key and when.

## Final thought

Rotating SSH keys is small work with a big payoff: fewer stale credentials and faster incident response. Keep practicing these routines and consider formal training to deepen Linux skills and prepare for certifications such as CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy.
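The OpenSSH CA option mentioned under Automation and scale, as an added example that is not part of the original post: it creates a throwaway user CA, signs a user key into a certificate that is valid for eight hours and bound to a single login name, and reads the result back with `ssh-keygen -L`. The working directory, key comments, key id and the principal name `deploy` are constructed values, and the helper names (`make_ca`, `issue_cert`, `cert_*`) are my own; the script needs `ssh-keygen` on the path and prints a notice instead of failing if it is missing.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): stand up a throwaway OpenSSH
# user CA and issue an 8-hour certificate for a user key, so the credential
# expires by itself instead of waiting to be removed from authorized_keys.
# Paths, comments and the principal name "deploy" are constructed values.
set -eu

WORK="${TMPDIR:-/tmp}/sshca-demo.$$"
mkdir -p "$WORK"
chmod 700 "$WORK"

# make_ca DIR: create the CA signing key pair DIR/user_ca and DIR/user_ca.pub.
# The empty passphrase keeps the demo non-interactive; a production CA key
# belongs in an HSM or at least behind a passphrase, and its .pub is what
# servers reference in sshd_config as TrustedUserCAKeys.
make_ca() {
    ssh-keygen -q -t ed25519 -f "$1/user_ca" -N '' -C 'demo-user-ca'
}

# make_user_key DIR: the key that would normally live on the user's laptop.
make_user_key() {
    ssh-keygen -q -t ed25519 -f "$1/id_deploy" -N '' -C 'deploy@laptop'
}

# issue_cert DIR PUBKEY PRINCIPAL VALIDITY: sign PUBKEY with the CA, binding
# it to PRINCIPAL (the login name servers will accept) for VALIDITY, e.g. +8h.
# Forwarding extensions are dropped, mirroring the authorized_keys
# restrictions the guide recommends. Output lands next to PUBKEY as *-cert.pub.
issue_cert() {
    ssh-keygen -q -s "$1/user_ca" -I "rotation-demo-$3" -n "$3" -V "$4" \
        -O no-port-forwarding -O no-x11-forwarding -O no-agent-forwarding "$2"
}

# Readers for the metadata that `ssh-keygen -L` prints for a certificate.
cert_key_id()   { ssh-keygen -L -f "$1" | awk -F'"' '/Key ID:/ { print $2; exit }'; }
cert_principal() { ssh-keygen -L -f "$1" | awk '/Principals:/ { getline; print $1; exit }'; }
cert_validity() { ssh-keygen -L -f "$1" | awk '/Valid:/ { sub(/^[ \t]*Valid: /, ""); print; exit }'; }
# cert_has_extension CERT NAME: succeed if NAME (e.g. permit-pty) is listed.
cert_has_extension() { ssh-keygen -L -f "$1" | grep -q -- "$2"; }

CERT="$WORK/id_deploy-cert.pub"

if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca "$WORK"
    make_user_key "$WORK"
    issue_cert "$WORK" "$WORK/id_deploy.pub" deploy +8h
    echo "key id:    $(cert_key_id "$CERT")"
    echo "principal: $(cert_principal "$CERT")"
    echo "validity:  $(cert_validity "$CERT")"
else
    echo "ssh-keygen not found; nothing to demonstrate" >&2
fi
```

On the server side a single `TrustedUserCAKeys /etc/ssh/user_ca.pub` line in sshd_config accepts every certificate signed by that CA for the principal matching the login name, with no entry in authorized_keys at all. Rotation then means re-issuing certificates rather than editing files, and a key that must be cut off before its eight hours are up is listed in the file named by `RevokedKeys`.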