If you need to generate SSH keys on a Mac for VPS access, the cleanest path is to use the built-in OpenSSH tools that already ship with macOS. In practice, that means generating an Ed25519 key pair with ssh-keygen, optionally loading it into the ssh-agent, and then adding the public key to your VPS provider panel or directly to the server.
That is the standard flow because SSH keys are safer than passwords, easier to automate, and much better suited to long-term VPS administration. Once you get this right, it becomes your default login pattern for every Linux server you touch.
In this guide I will show you the exact commands, what each step is doing, how to avoid the common Mac-specific mistakes, and how to test the key against your server when you are done.
Quick answer
On a modern Mac, the short version is:
ssh-keygen -t ed25519 -C "you@example.com"
Then:
- press Enter to accept the default save location
- set a passphrase if you want the key protected at rest
- add the key to your agent if you want macOS to remember it
- copy the .pub key to your VPS or hosting control panel
- test the login with ssh
That is the whole workflow. The rest of this guide is the careful version that explains why each step matters.
Why use SSH keys instead of a password?
For VPS administration, SSH keys are the default for a reason:
- they are far harder to brute-force than passwords
- they let you disable password login on the server later
- they work cleanly with automation, configuration management, and Git-based workflows
- they reduce the chance that you will reuse a weak or exposed password across machines
A password is something you know. An SSH key pair is a private/public credential pair:
- the private key stays on your Mac
- the public key goes onto the server
When you connect, the server verifies that you hold the private key without the private key ever leaving your machine.
If you are still at the stage of choosing the server itself, the broader context also matters. These related guides are useful alongside this one:
- Cloud VPS if you are provisioning the server now
- Server Operating Systems Compared – Linux vs Windows if you are choosing the OS
- What Is IOPS? A Guide to VPS Storage Performance if you are sizing the plan
Step 1: Open Terminal on your Mac
You do not need third-party software for this. Open the built-in Terminal app on macOS and use the OpenSSH tools already installed with the system.
Once Terminal is open, you can generate the key pair directly.
Step 2: Generate a new Ed25519 SSH key
The current default recommendation for most users is an Ed25519 key:
ssh-keygen -t ed25519 -C "you@example.com"
Here is what the flags mean:
- -t ed25519 chooses the Ed25519 key type
- -C "you@example.com" adds a label or comment so you can identify the key later
When I verified this locally on macOS, ssh-keygen successfully created both of these files:
- id_ed25519
- id_ed25519.pub
The private key is the file without .pub. The public key is the one with .pub at the end.
What to expect during generation
After you run the command, macOS will prompt you for a few things:
- File location — press Enter to accept the default location unless you have a reason to keep multiple named keys.
- Passphrase — optional, but strongly recommended if the Mac is a laptop.
- Confirmation — enter the passphrase again.
For most users, the default location is the right answer because it works cleanly with the SSH client and common tooling.
Step 3: Add the key to the ssh-agent
If you want the Mac to remember the key for future SSH sessions, start the agent and add the key:
eval "$(ssh-agent -s)"
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
Why this matters:
- ssh-agent keeps decrypted keys available for your session so you do not need to retype the passphrase constantly
- --apple-use-keychain is the macOS-friendly option for saving the passphrase in the Apple keychain
This is the step many guides skip, but it is the difference between "SSH keys are annoying" and "SSH keys are invisible once set up".
If you do not want macOS to remember the passphrase, you can skip the keychain-friendly add step and just type the passphrase when needed.
Step 4: Show or copy the public key
You only upload the public key, never the private one.
To print the public key in Terminal:
cat ~/.ssh/id_ed25519.pub
On macOS, a very convenient option is to copy it directly to the clipboard:
pbcopy < ~/.ssh/id_ed25519.pub
Now you can paste the public key into:
- your VPS provider's SSH key field during provisioning
- the server user's authorized_keys file
- a hosting control panel that imports SSH keys for you
A quick rule worth repeating: if the file does not end in .pub, do not upload it anywhere.
Step 5: Add the public key to the VPS
How you do this depends on where the server is in its lifecycle.
If the VPS is not created yet
Many providers let you paste a public SSH key during provisioning. That is usually the cleanest option because the server is born with passwordless key-based access enabled from day one.
If the VPS already exists
You have two common options:
- paste the public key into the server user's authorized_keys file
- use the provider's panel or rescue console to add the key remotely
If the server still only allows passwords, use that one last password-based login to install the public key — then move toward disabling password access once you confirm key login works.
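One way to script the authorized_keys step on the server, as an added example that is not part of the original guide. The helper name install_pubkey is hypothetical; it refuses private key material, checks only the shape of the key line, sets owner-only permissions, and does nothing if the key is already installed.

```shell
#!/bin/sh
# install_pubkey PUBFILE [HOME_DIR]   (hypothetical helper, added example)
# Run as the login user on the server. HOME_DIR defaults to $HOME.
# The body runs in a subshell so umask and variables do not leak to the caller.
install_pubkey() (
    pubfile=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; exit 1; }

    # Refuse private key material, whatever the file happens to be called.
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing: $pubfile contains a private key" >&2
        exit 2
    fi

    # A .pub file is one line: "<type> <base64> [comment]". This checks the
    # shape only; it does not prove the key is valid.
    [ "$(grep -c . "$pubfile")" -eq 1 ] || { echo "expected one key line" >&2; exit 3; }
    key=$(grep . "$pubfile")
    case $key in
        "ssh-ed25519 AAAA"* | "ssh-rsa AAAA"*) ;;
        *) echo "refusing: not an ssh-ed25519 or ssh-rsa public key" >&2; exit 3 ;;
    esac

    # sshd's StrictModes (on by default) rejects keys kept under paths that
    # other users can write to, so create everything owner-only.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 4
    touch "$auth" && chmod 600 "$auth" || exit 4

    # Idempotent: compare type + key body and ignore the trailing comment.
    body=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$body" "$auth"; then
        echo "key already present in $auth"
        exit 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added key to $auth"
)
```

Copy the .pub file to the server first, then run install_pubkey with its path as the user you will log in as.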
Step 6: Test the SSH login
Once the public key is on the server, test the connection:
ssh user@your-server-ip
On the first connection you may be asked to confirm the server fingerprint. After that:
- if you skipped the agent, enter the key passphrase when prompted
- if you added the key to the agent and keychain, the login should feel nearly passwordless
This is the moment to verify the setup is actually working before you harden the server further.
What if Ed25519 is not supported?
Ed25519 is the best default on modern systems, but there are still edge cases with older appliances, legacy enterprise tooling, or ancient SSH implementations.
If you hit that kind of environment, generate an RSA key instead:
ssh-keygen -t rsa -b 4096 -C "you@example.com"
That is not the first choice for a modern VPS, but it is a practical fallback when compatibility matters more than elegance.
Common mistakes Mac users make with SSH keys
Uploading the private key by accident
Only the .pub file goes to the server. The private key stays on your Mac.
Skipping the passphrase on a portable laptop
If the Mac leaves your desk, use a passphrase. Pair it with the keychain so convenience does not disappear.
Forgetting to load the key into the agent
This is why some users think the key "doesn't work" when the real problem is just that the current shell session has not loaded it yet.
Generating too many keys without naming them clearly
If you manage multiple VPS providers, clients, or environments, use distinct comments and filenames so you know which key belongs where.
Should you disable password login after this?
Yes — but only after you have confirmed the SSH key works from a separate session.
The safe pattern is:
- keep the current session open
- open a second Terminal window
- test the new SSH key login there
- only then disable password authentication on the server
That order keeps you from locking yourself out of the VPS.
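A check to run against the server's sshd_config before and after the change, as an added example that is not part of the original guide. The function names are hypothetical, and the model is simplified by assumption: a single config file with no Include directives, where sshd keeps the first value it reads for each keyword and the OpenSSH defaults are yes.

```shell
#!/bin/sh
# Added example. Simplified model (assumption): a single sshd_config file with
# no Include directives. sshd keeps the FIRST value it reads for a keyword.

# effective FILE NAMES DEFAULT: first global (pre-Match) value of a keyword.
# NAMES is a lowercase alternation, e.g. "a|b" for a keyword and its alias.
effective() {
    awk -v want="^($2)\$" -v def="$3" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }      # strip comments and indent
        $0 == "" { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }                        # global section ends here
        k ~ want { print tolower(f[2]); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# match_reenables FILE: succeeds if any Match block turns passwords back on.
match_reenables() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { in_match = 1; next }
        in_match && tolower(f[1]) == "passwordauthentication" &&
            tolower(f[2]) == "yes" { hit = 1 }
        END { exit !hit }
    ' "$1"
}

# audit_sshd FILE: print effective values; return 0 only if key login is on
# and no password-style method remains. Keyboard-interactive is included
# because it can still prompt for a password through PAM.
audit_sshd() {
    pub=$(effective "$1" "pubkeyauthentication" yes)
    pw=$(effective "$1" "passwordauthentication" yes)
    kbd=$(effective "$1" "kbdinteractiveauthentication|challengeresponseauthentication" yes)
    echo "pubkey=$pub password=$pw kbd-interactive=$kbd"
    if match_reenables "$1"; then
        echo "warning: a Match block sets PasswordAuthentication yes"
        return 1
    fi
    [ "$pub" = yes ] && [ "$pw" = no ] && [ "$kbd" = no ]
}
```

On the server itself, sshd -T run as root prints the merged effective configuration and is the authoritative view; reload sshd only while the original session from the list above is still open.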
FAQ
What command generates an SSH key on a Mac?
For most users, it is ssh-keygen -t ed25519 -C "you@example.com". That creates a modern Ed25519 key pair with a readable comment.
Where does macOS save SSH keys by default?
If you accept the default prompt, the key is saved in your ~/.ssh/ directory. The private key is typically named id_ed25519, and the public key is id_ed25519.pub.
Do I need to use ssh-agent on a Mac?
Strictly speaking, no. But it makes everyday SSH use much smoother, especially if your private key has a passphrase — which it should.
How do I know which key to upload to my VPS?
Upload the public key only: the file ending in .pub. Never upload the private key.
If you want a clean server to test your new Mac SSH key against, start with a Cloud VPS plan and add the public key during provisioning so the first login is already key-based.
Closing summary
To generate SSH keys on a Mac for VPS access, use the built-in ssh-keygen command, accept the default location unless you need a custom name, protect the key with a passphrase, load it into the ssh-agent for convenience, and upload only the public key to the server. Once the first login test succeeds, you have the foundation for a much safer VPS setup than password-only SSH.