SSH Keys on Windows 11: Native OpenSSH Without the Extra Tools

Windows 11 ships with OpenSSH built in. You do not need PuTTY, Git Bash, or any third-party tool to generate keys and connect to remote servers from a Windows machine. This post covers the native way to do it.

This is the Windows-specific companion to the SSH Keys: Stop Typing Passwords and Start Using Keys post. The concepts are the same. The commands and file paths are different.


Verify OpenSSH Is Installed

Windows 11 includes the OpenSSH client by default, but it does not hurt to check. Open PowerShell as Administrator (right-click the Start button, choose Terminal (Admin) or Windows PowerShell (Admin)) and run:

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Look for OpenSSH.Client~~~~0.0.1.0 with a state of Installed. If it shows NotPresent, install it:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

You do not need the OpenSSH Server unless you want other machines to SSH into your Windows box.


Generating a Key Pair

Open PowerShell and run:

ssh-keygen -t ed25519 -C "your-name@your-machine"

It will ask where to save the key. The default is fine:

C:\Users\YourUsername\.ssh\id_ed25519

Set a passphrase when prompted. If someone gets your key file, the passphrase is the only thing standing between them and your servers.

This creates two files:

  • C:\Users\YourUsername\.ssh\id_ed25519 (private key, keep this safe)
  • C:\Users\YourUsername\.ssh\id_ed25519.pub (public key, this goes on your servers)

If you need RSA for older systems:

ssh-keygen -t rsa -b 4096 -C "your-name@your-machine"

Deploying Your Public Key

Windows does not have ssh-copy-id. Use PowerShell to copy your public key to the remote server in one line:

type "$env:USERPROFILE\.ssh\id_ed25519.pub" | ssh dayotte@192.168.10.46 "cat >> ~/.ssh/authorized_keys"

This logs in with your password one last time and appends your public key to the server’s ~/.ssh/authorized_keys file. After that, password-free login works.

If the .ssh directory does not exist on the server yet:

type "$env:USERPROFILE\.ssh\id_ed25519.pub" | ssh dayotte@192.168.10.46 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
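
A stricter, repeatable version of the one-liners above, as an added example that is not part of the original post: it refuses anything but a single-line .pub file, sets the permissions, and appends the key only if it is not already in authorized_keys. Copy-SshPublicKey is a hypothetical helper name, and the remote login shell is assumed to be POSIX sh, as in the commands above.

```powershell
# Added example, not from the original post. Copy-SshPublicKey is a hypothetical name.
# Assumes the remote login shell is POSIX sh (same assumption as the one-liners above).
function Copy-SshPublicKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,   # user@host, or a Host alias from your config
        [string] $PublicKeyPath = (Join-Path $env:USERPROFILE '.ssh\id_ed25519.pub')
    )

    # A target starting with '-' would be parsed by ssh as an option, not a host.
    if ($Target.StartsWith('-')) { throw "Invalid target '$Target'." }

    # Only ever send a .pub file, so the private key cannot be deployed by mistake.
    if ([IO.Path]::GetExtension($PublicKeyPath) -ne '.pub') {
        throw "Refusing to send '$PublicKeyPath': expected a .pub file."
    }
    $lines = @(Get-Content -LiteralPath $PublicKeyPath | Where-Object { $_.Trim() })
    if ($lines.Count -ne 1) { throw "Expected exactly one key line in $PublicKeyPath." }
    $key = $lines[0].Trim()

    # Accept the two key types used in this post. Quotes are rejected in the comment
    # because the key is embedded in a single-quoted string in the remote command.
    $pattern = '^(ssh-ed25519|ssh-rsa) [A-Za-z0-9+/]+={0,2}( [^''"]*)?$'
    if ($key -cnotmatch $pattern) { throw 'Not a recognised OpenSSH public key line.' }

    # grep -qxF matches the whole line literally, so a second run adds nothing.
    $remote = @(
        'umask 077'
        'mkdir -p ~/.ssh'
        'touch ~/.ssh/authorized_keys'
        'chmod 700 ~/.ssh'
        'chmod 600 ~/.ssh/authorized_keys'
        "(grep -qxF '$key' ~/.ssh/authorized_keys || printf '%s\n' '$key' >> ~/.ssh/authorized_keys)"
    ) -join ' && '

    ssh $Target $remote
    if ($LASTEXITCODE -ne 0) { throw "ssh exited with code $LASTEXITCODE." }
}

# Usage, with the address used in this post:
# Copy-SshPublicKey -Target dayotte@192.168.10.46
```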

Testing It

ssh dayotte@192.168.10.46

If it connects without asking for your server password (it may ask for your key passphrase), it is working.


Setting Up ssh-agent on Windows

On Linux and Mac, ssh-agent runs in the background automatically. On Windows it is a service you have to start. Open PowerShell as Administrator:

Set-Service -Name ssh-agent -StartupType Automatic
Start-Service ssh-agent

Then add your key:

ssh-add "$env:USERPROFILE\.ssh\id_ed25519"

Once the key is cached in the agent, you only type the passphrase once per session. Set the service to Automatic and you will not have to think about it again.


The Config File

The config file works the same as on Linux and Mac. Create or edit C:\Users\YourUsername\.ssh\config:

Host quietkeep-test
    HostName 192.168.10.46
    User dayotte
    IdentityFile ~/.ssh/id_ed25519

Host work-server
    HostName 10.0.0.50
    User admin
    IdentityFile ~/.ssh/id_rsa_work

After that, ssh quietkeep-test connects with the right key, user, and address automatically.


Common Mistakes on Windows

  • Wrong path format in the config file. The config file accepts ~/.ssh/id_ed25519 with forward slashes. Windows backslash paths cause problems here. Stick to forward slashes inside the config file.
  • PowerShell vs Command Prompt. The type command works in both, but $env:USERPROFILE is PowerShell syntax. In Command Prompt, use %USERPROFILE% instead.
  • ssh-agent service not running. If ssh-add returns an error about the agent not running, go back and start the service as Administrator.
  • No passphrase on the private key. Same rule as any other platform. A key with no passphrase sitting in your .ssh folder is a problem waiting to happen.
  • Copying the private key to servers. Only the .pub file goes on remote machines. Never copy id_ed25519 anywhere.

Got questions or ran into something different on your setup? Post below and I’ll follow up.


Using Linux or Mac instead? See the original post: SSH Keys: Stop Typing Passwords and Start Using Keys