
How to Remove Passphrase from SSH Key Without Creating a New Key

Learn how to remove or change the passphrase on an existing SSH key without generating a new key pair. Keep your public key unchanged while updating the passphrase.

If you created an SSH key with a passphrase but now want to remove it (or change it), you don't need to generate a new key. The ssh-keygen command can update the passphrase on an existing private key while keeping the public key unchanged.

Why Remove the Passphrase?

Common reasons to remove an SSH key passphrase:

  • Automated scripts: CI/CD pipelines and cron jobs can't enter passphrases interactively
  • Convenience: Tired of typing the passphrase for frequently used keys
  • ssh-agent issues: Some systems don't persist the agent across sessions
  • Deployment keys: Server-to-server communication needs non-interactive auth

Security Note: An unencrypted private key is a bearer credential. Anyone who can read the file (another account on the machine, a backup, the disk of a lost laptop) can authenticate as you with no further secret. Only remove passphrases from keys stored on encrypted, single-user systems, and prefer a dedicated key with one narrow purpose over the key you use every day.

Remove Passphrase (Quick Method)

The simplest command to remove a passphrase:

ssh-keygen -p -f ~/.ssh/id_ed25519

You'll be prompted:

Enter old passphrase: [enter current passphrase]
Enter new passphrase (empty for no passphrase): [press Enter]
Enter same passphrase again: [press Enter]
Your identification has been saved with the new passphrase.

For Different Key Types

# Ed25519 key (recommended)
ssh-keygen -p -f ~/.ssh/id_ed25519

# RSA key
ssh-keygen -p -f ~/.ssh/id_rsa

# ECDSA key
ssh-keygen -p -f ~/.ssh/id_ecdsa

# Custom named key
ssh-keygen -p -f ~/.ssh/my_custom_key

Change Passphrase (Not Remove)

To change to a different passphrase instead of removing it:

ssh-keygen -p -f ~/.ssh/id_ed25519

Then enter your new passphrase instead of leaving it empty.

Non-Interactive Method

For scripts or automation, you can provide passphrases via command line:

# Remove passphrase non-interactively
ssh-keygen -p -f ~/.ssh/id_ed25519 -P "old_passphrase" -N ""

Where:

  • -P "old_passphrase" - the current passphrase
  • -N "" - the new passphrase (empty = no passphrase)

Warning: Passing passphrases via command line may expose them in shell history or process lists. Use with caution.

Safer Non-Interactive Approach

Neither of the following keeps the passphrase out of the process list: the shell expands "$OLD_PASS" and "$(cat ...)" before ssh-keygen starts, so the literal value still ends up in its argument list. What they do avoid is a plaintext passphrase sitting in your shell history and in checked-in scripts:

# Using environment variable (value still visible in process list)
OLD_PASS="your_old_passphrase"
ssh-keygen -p -f ~/.ssh/id_ed25519 -P "$OLD_PASS" -N ""
unset OLD_PASS

# Or read from a file that only you can read (chmod 600; same process-list caveat)
ssh-keygen -p -f ~/.ssh/id_ed25519 -P "$(cat /secure/passphrase.txt)" -N ""

To keep the old passphrase out of the command line entirely, hand it to ssh-keygen through an SSH_ASKPASS helper program instead of -P: OpenSSH runs the program named in SSH_ASKPASS to collect a passphrase when it cannot prompt on a terminal, and OpenSSH 8.4 and later force that path with SSH_ASKPASS_REQUIRE=force. The helper can take the passphrase from a 0600 file or from its own environment, neither of which other users can read.
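As an added example (not code from the original post), the following shell functions remove a passphrase with the old value never appearing in any process's argument list. The passphrase is read from an environment variable called SSH_OLD_PASSPHRASE (a name chosen for this example, not an OpenSSH variable) and handed to ssh-keygen by a tiny SSH_ASKPASS helper. On Linux, /proc/<pid>/cmdline is world-readable while /proc/<pid>/environ is readable only by the same user and root, which is the difference that matters here. The demonstration function works on a throwaway key generated in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: remove an SSH key passphrase
# without the passphrase ever being part of a command line.
set -eu

# Write a throwaway askpass helper that answers every prompt with the value of
# SSH_OLD_PASSPHRASE (our own variable name). ssh-keygen runs the helper with
# the prompt text as $1; only the old passphrase is asked for, because -N ""
# on the ssh-keygen command line already supplies the (empty) new one.
make_askpass_helper() {
    helper=$(mktemp)
    cat >"$helper" <<'EOF'
#!/bin/sh
# $1 is the prompt text ("Enter old passphrase: "); the secret comes from the environment.
printf '%s\n' "${SSH_OLD_PASSPHRASE:?SSH_OLD_PASSPHRASE is not set}"
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Remove the passphrase from private key $1. SSH_OLD_PASSPHRASE must hold the
# current passphrase. Exit status is that of ssh-keygen.
strip_passphrase_via_askpass() {
    key=$1
    : "${SSH_OLD_PASSPHRASE:?set SSH_OLD_PASSPHRASE in the environment first}"
    export SSH_OLD_PASSPHRASE
    helper=$(make_askpass_helper)
    # SSH_ASKPASS_REQUIRE=force (OpenSSH >= 8.4) makes ssh-keygen use the helper
    # even when a terminal is available. Older releases use it only when stdin
    # is not a tty and DISPLAY is non-empty, so both are arranged as a fallback.
    if SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force DISPLAY="${DISPLAY:-:0}" \
        ssh-keygen -p -f "$key" -N "" </dev/null >/dev/null; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$helper"
    return $rc
}

# Round trip on a constructed throwaway key (never one of your real keys):
# generate it with a passphrase, strip the passphrase through the helper,
# then confirm the key now loads with an empty passphrase and no prompt.
demo_askpass_roundtrip() {
    tmp=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N "correct horse" -C demo -f "$tmp/id_ed25519"
    SSH_OLD_PASSPHRASE="correct horse"
    export SSH_OLD_PASSPHRASE
    if strip_passphrase_via_askpass "$tmp/id_ed25519" \
        && ssh-keygen -y -f "$tmp/id_ed25519" -P "" </dev/null >/dev/null; then
        echo "passphrase removed; it never appeared in any process's argv"
        rc=0
    else
        rc=1
    fi
    unset SSH_OLD_PASSPHRASE
    rm -rf "$tmp"
    return $rc
}

# Run the demonstration when invoked as: sh askpass_strip.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_askpass_roundtrip
fi
```

In real use you would set SSH_OLD_PASSPHRASE from a secrets store or a 0600 file (for example with `read -r SSH_OLD_PASSPHRASE < /secure/passphrase.txt`) rather than typing it on a command line, and unset it as soon as the call returns.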

Verify the Change

After removing the passphrase, verify it worked. Passing -P "" tells ssh-keygen to use an empty passphrase instead of prompting, so the check cannot hang waiting for input:

# Derive the public key with an empty passphrase - must succeed without a prompt
ssh-keygen -y -f ~/.ssh/id_ed25519 -P ""

If it prints the public key, the passphrase is gone; compare the output with ~/.ssh/id_ed25519.pub to confirm the public half is unchanged. If the key were still encrypted, the command would instead fail with "incorrect passphrase supplied to decrypt private key".
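Putting the -P/-N command and the ssh-keygen -y check together, here is an added shell example (not from the original post) that removes a passphrase and proves the public half is unchanged by comparing the key ssh-keygen derives before and after. It uses the -P/-N form from the non-interactive section, so the old passphrase is visible in the process list while ssh-keygen runs. The demonstration generates a throwaway key in a temporary directory and never touches ~/.ssh.

```shell
#!/bin/sh
# Added example, not from the original post: remove the passphrase from an
# OpenSSH private key non-interactively and verify the public key is unchanged.
set -eu

# Print "<type> <base64>" of the public key derived from private key $1.
# $2 is the passphrase (empty for an unencrypted key). With -P given,
# ssh-keygen never prompts; the comment field is dropped so an edited .pub
# comment cannot cause a false mismatch.
public_key_of() {
    ssh-keygen -y -f "$1" -P "${2:-}" </dev/null | awk '{print $1, $2}'
}

# Succeed (exit 0) if private key $1 is passphrase-protected. An encrypted key
# cannot be loaded with an empty passphrase, and -P "" means no prompt.
is_encrypted() {
    [ -r "$1" ] || { echo "is_encrypted: cannot read $1" >&2; return 2; }
    if ssh-keygen -y -f "$1" -P "" </dev/null >/dev/null 2>&1; then
        return 1   # loaded with an empty passphrase: not encrypted
    fi
    return 0
}

# Remove the passphrase from private key $1 (current passphrase in $2) and
# confirm that the derived public key is identical afterwards and that the
# file is now unencrypted. Exit 0 on success, non-zero otherwise.
strip_passphrase_and_verify() {
    key=$1; old_pass=$2
    before=$(public_key_of "$key" "$old_pass") || return 1
    [ -n "$before" ] || { echo "could not read public key (wrong passphrase?)" >&2; return 1; }
    # Same command as in the post; -N "" sets an empty (no) passphrase.
    ssh-keygen -p -f "$key" -P "$old_pass" -N "" >/dev/null || return 1
    after=$(public_key_of "$key" "") || return 1
    if [ "$before" != "$after" ]; then
        echo "public key changed unexpectedly" >&2
        return 1
    fi
    if is_encrypted "$key"; then
        echo "key is still encrypted" >&2
        return 1
    fi
    echo "passphrase removed; public key unchanged: $after"
}

# Round trip on a constructed throwaway key (never one of your real keys):
# generate it with a passphrase, check it is encrypted, strip, verify.
demo_roundtrip() {
    tmp=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N "correct horse battery staple" -C demo \
        -f "$tmp/id_ed25519"
    if ! is_encrypted "$tmp/id_ed25519"; then
        echo "freshly generated key should be encrypted" >&2
        rm -rf "$tmp"; return 1
    fi
    if strip_passphrase_and_verify "$tmp/id_ed25519" "correct horse battery staple"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Run the demonstration when invoked as: sh strip_passphrase.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_roundtrip
fi
```

Call `strip_passphrase_and_verify ~/.ssh/some_key 'current passphrase'` on a real key only after you have a backup; is_encrypted on its own is a useful pre-flight check in automation that must never block on a prompt.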

Alternative: Use ssh-agent Instead

If you want convenience without sacrificing security, consider keeping the passphrase and using ssh-agent:

macOS (Keychain Integration)

macOS can store your passphrase in Keychain (on macOS 12 Monterey and later the flag is --apple-use-keychain; older releases used -K):

# Add key to agent with Keychain storage
ssh-add --apple-use-keychain ~/.ssh/id_ed25519

Add to ~/.ssh/config so ssh loads the key from Keychain on first use:

Host *
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519

UseKeychain is an Apple-only option. If you sync the same config file to a Linux machine, put IgnoreUnknown UseKeychain above it so that ssh there does not reject the file.

Linux (Persistent Agent)

Start or reuse ssh-agent on login. A plain eval "$(ssh-agent -s)" in every shell starts a new agent per terminal and asks for the passphrase each time; checking for a live agent first avoids both. Add to ~/.bashrc or ~/.zshrc:

# Reuse the agent from an earlier shell if its socket still answers;
# otherwise start one and record its environment for later shells.
agent_env="$HOME/.ssh/agent.env"
[ -r "$agent_env" ] && . "$agent_env" >/dev/null
ssh-add -l >/dev/null 2>&1
if [ $? -eq 2 ]; then   # 2 = no agent reachable (1 = agent up, no keys yet)
    (umask 077; ssh-agent -s > "$agent_env")
    . "$agent_env" >/dev/null
    ssh-add ~/.ssh/id_ed25519
fi

For GNOME/KDE, the desktop environment usually handles this automatically.

Systemd User Service (Linux)

Create ~/.config/systemd/user/ssh-agent.service:

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Enable it:

systemctl --user enable ssh-agent
systemctl --user start ssh-agent
echo 'export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"' >> ~/.bashrc

Troubleshooting

"Load key: incorrect passphrase supplied to decrypt private key"

You entered the wrong current passphrase (or, non-interactively, passed the wrong value with -P). Make sure you're typing the correct passphrase for this specific key; ssh-keygen gives no hint about which key a passphrase belongs to.

"Permissions are too open"

This message comes from ssh or ssh-add when they load the key, not from ssh-keygen -p, which does not check file modes. Fix the permissions first:

chmod 600 ~/.ssh/id_ed25519
chmod 700 ~/.ssh

Key Format Issues (Old vs New)

Older keys might be in the legacy PEM format (the file starts with -----BEGIN RSA PRIVATE KEY----- instead of -----BEGIN OPENSSH PRIVATE KEY-----). ssh-keygen -p handles both, but if you are keeping a passphrase it is worth rewriting the key into the current format at the same time, because the legacy format protects the key with a much weaker, MD5-based key derivation:

# Convert old format to new OpenSSH format
ssh-keygen -p -o -f ~/.ssh/id_rsa

The -o flag saves in the newer format, whose bcrypt-based key derivation makes offline passphrase guessing far more expensive (-a raises the number of KDF rounds further). Since OpenSSH 7.8 the new format is the default and -o is a no-op. The reverse direction exists too: some older tools only read PEM keys, and -m PEM writes that format.

"Agent refused operation"

If using ssh-agent, you might need to re-add the key:

ssh-add -d ~/.ssh/id_ed25519  # Remove old
ssh-add ~/.ssh/id_ed25519     # Add updated key

Security Best Practices

If removing the passphrase, take extra precautions:

  1. Restrict file permissions:

    chmod 600 ~/.ssh/id_ed25519
    chmod 700 ~/.ssh

  2. Full disk encryption: Enable FileVault (macOS) or LUKS (Linux), so a lost or discarded disk does not hand over the key

  3. Separate keys for different purposes:

    • Keep passphrase on keys used interactively
    • Only remove passphrase from automation-specific keys

  4. Rotate keys periodically: Replace keys annually or immediately when compromised, and remove the old public key from every authorized_keys file and service it was registered with

  5. Use deploy keys with limited scope: For CI/CD, use repository-specific deploy keys with read-only access when possible. On your own servers, constrain what the key may do in authorized_keys with the restrict, from= and command= options, so that a stolen passphrase-less key yields only the one action it was meant for
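As an added illustration (not part of the original post), an authorized_keys entry on the target server for a passphrase-less deploy key that may only run one script, and only from one network. The CIDR, the script path and the key material are placeholders:

```text
# ~/.ssh/authorized_keys on the target server (one entry per line)
restrict,from="10.20.0.0/16",command="/usr/local/bin/deploy.sh" ssh-ed25519 AAAA... deploy@ci
```

restrict disables port, agent and X11 forwarding and PTY allocation; from= rejects the key for connections from any other source address; command= runs the named program no matter what the client requested, with the client's requested command available to the script in SSH_ORIGINAL_COMMAND for it to validate.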

Summary

Remove passphrase:

ssh-keygen -p -f ~/.ssh/id_ed25519
# Enter old passphrase, then press Enter twice for no passphrase

Change passphrase:

ssh-keygen -p -f ~/.ssh/id_ed25519
# Enter old passphrase, then enter new passphrase twice

Non-interactive:

ssh-keygen -p -f ~/.ssh/id_ed25519 -P "old_pass" -N ""

Your public key remains unchanged, so you don't need to update it on any servers or services.