Key Pair Generator

Overview

The key pair generator creates RSA, ED25519, PKCS#8, or OpenSSH public/private key pairs directly in your browser. A pair is generated automatically on page load; click any key text box to copy it. Output can be Base64 (PEM format) or hexadecimal. All generation is offline — refreshing the page discards the keys permanently.

Choosing between the four key types

RSA

  • Widest compatibility across all platforms and languages
  • Choose 2048-bit for standard production use
  • 4096-bit for high-value assets or long-lived keys
  • 512/1024-bit are cryptographically weak — testing only

ED25519

  • Modern elliptic curve algorithm; fixed key length
  • Security equivalent to RSA 3072-bit, but the key is far shorter
  • Faster to generate and verify
  • Best choice for new projects when compatibility is not a concern

PKCS#8

  • General-purpose private key wrapper format (RSA algorithm)
  • Compatible with most cryptography libraries and cross-language tooling
  • Use when the receiving system expects PKCS#8-formatted private keys

OpenSSH

  • SSH-specific key format
  • The generated public key can be pasted directly into authorized_keys
  • Use when configuring password-less SSH login for Linux/Unix servers

Base64 vs. hexadecimal output

Base64 (default) produces PEM-formatted output with -----BEGIN ... KEY----- / -----END ... KEY----- delimiters. This is what most tools expect — openssl commands, configuration files, and most SDKs read this format directly.

Hexadecimal outputs the raw key bytes as a hex string with no headers. Use this when your code reads raw bytes (e.g., a Node.js Buffer, a Go []byte slice) rather than a PEM-formatted string.

RSA key bit length and what it means in practice

  • 512-bit — breakable with modern hardware; development debugging only
  • 1024-bit — deprecated by NIST since 2013; do not use for new projects
  • 2048-bit — current production standard; safe for most use cases
  • 4096-bit — higher security margin; worth the performance cost for keys that need to remain valid for 10+ years

Typical use cases by key type

SSH server login — pick OpenSSH, append the generated public key to the server's ~/.ssh/authorized_keys, and save the private key as ~/.ssh/id_rsa locally.

JWT signing with RS256 — pick RSA 2048-bit Base64; use the private key on the server to sign tokens, distribute the public key to verification services.

API request signing — ED25519 is a good fit: shorter keys reduce header size, and signing/verification is faster than RSA.