How to use a private key to connect your Raspberry Pi from any macOS/Linux computer

Did you know that you can log into your Raspberry Pi via Terminal without a password? And make it even more secure?

Yes, no password and more robust security go together, provided that you have a private key installed on your computer.

You have probably heard that this is hard to do. And the first time you do it, that may not be totally wrong.

But if explained well, as I will attempt in this article, it is, in fact, very straightforward.

Note: This article focuses on generating private/public key pairs on macOS/Linux computers and using them to connect to Raspberry Pi devices.

A short introduction

As Bitcoin becomes ever more popular, so does the knowledge about encryption and private keys.

But if I were to guess, I’d still say that only 1% of all computer users have a private key installed on their computer.

All others use a password that they dutifully have to enter each time they connect.

But what if you could guarantee to your Raspberry Pi that your MacBook is a trusted device?

That’s basically how private keys work.

Private keys, together with their public counterpart, are part of asymmetric encryption. This is a lot more secure than passwords that are usually just a few characters long.

And although security might not be paramount for a digital picture frame, using private keys also comes with an added comfort layer.

Let’s look at the following use case: You are working on a digital picture frame on your Raspberry Pi and you use your MacBook to connect to your headless Pi and make code changes.

The connection is made through the terminal app by entering

ssh pi@192.168.145.174

You will be asked for your password and, if correct, your Raspberry Pi lets you in.

But there is another way: You can register your MacBook as a trusted computer on your Raspberry Pi.

Your Pi has your public key and can verify that it matches your private key, without ever seeing the private key itself.

All you need to do is create a pair of keys, a public and a private one, and add the public key to a config file on your Raspberry Pi.

Once you have done that, you will never have to enter a password again.

Creating an ssh key pair

Before you create a new key, take a moment to see if you may already have an existing SSH key on your computer.

To do this, type in the Terminal (on your Mac/Linux device)

ls ~/.ssh

If you see something like

id_rsa        id_rsa.pub  known_hosts

you do not need to generate a new key pair but can use the existing one.

You create a private and a public key pair on the computer you use to access other computers. In my case, my MacBook.

In Linux or macOS, you open the Terminal app and enter

ssh-keygen -t rsa

You will see

Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa): 

Accept the default directory. When

Enter passphrase (empty for no passphrase):

comes up, you can either add a passphrase (password) for maximum security or just hit return to leave it empty. I leave it empty.

This is what you should get.

Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NvHyQQHxva+PvXaxm1xjEQ+ai+CdSiZNrtySGlyHEDY pi@Pi4withPF2021
The key's randomart image is:
+---[RSA 2048]----+
|    E   oo.      |
|   . o   . o     |
|    .   . o . .. |
|     . . +   + .o|
|      o S o +  ..|
|   . . B * + o ..|
|    o ..* = . .o+|
|     oo* .   ++.=|
|    ..o.o   oo+*.|
+----[SHA256]-----+

Reading the key pair

To know what your public key looks like, type

$ pbcopy < ~/.ssh/id_rsa.pub

which copies the contents of the id_rsa.pub file to your clipboard (pbcopy is a macOS command).

Your public key will look something like this

ssh-rsa <base64-encoded key data> wm@iMac.fritz.box

Note that the “ssh-rsa” at the start as well as the end (in my case “wm@iMac.fritz.box”) are all part of the public key.

Should you have more than one, you can list all the public keys on your device with:

$ ls ~/.ssh/*.pub

If you want to have a look at your private key, type

$ pbcopy < ~/.ssh/id_rsa

and copy your clipboard into an editor.

It will look something like this (only longer):

-----BEGIN OPENSSH PRIVATE KEY-----
(base64-encoded key data, many lines)
-----END OPENSSH PRIVATE KEY-----

If you ever need to copy your private key, include everything from the first to the last hyphen.

Adding your computer’s public key

In this part, I will show you how to register your Mac as a trustworthy device on the Raspberry Pi.

Copy the public key of your (Mac/Linux) computer to the clipboard with

$ pbcopy < ~/.ssh/id_rsa.pub

In the Terminal connected to your Raspberry Pi type

mkdir -p ~/.ssh && chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

and paste the public key in there. Save and close.

Finally, the ssh config file on the Raspberry Pi needs to be changed with

sudo nano /etc/ssh/sshd_config

In this file, you will see a lot of lines that have been commented out with a “#”.

Look for the PubkeyAuthentication line, remove the leading “#” if it is commented out, and make sure it is set to “yes”.

PubkeyAuthentication yes

Save and close and restart SSH with

sudo /etc/init.d/ssh restart
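
The steps above can also be scripted so that the key is added only once and the files get owner-only permissions. This is an added example, not part of the original article; the function names install_pubkey and pubkey_auth_enabled, the scratch directory and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# install_pubkey PUBKEY_FILE HOME_DIR
# Adds the key to HOME_DIR/.ssh/authorized_keys once, with the owner-only
# permissions that sshd's StrictModes check expects.
install_pubkey() {
    pub=$1; dir=$2/.ssh; auth=$dir/authorized_keys
    # Accept exactly one OpenSSH public-key line (rejects a private key file).
    [ "$(grep -c '' "$pub")" -eq 1 ] &&
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub" ||
        { echo "$pub: not a single OpenSSH public key" >&2; return 2; }
    key=$(cat "$pub")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x whole line, -F fixed string: append only if not already present.
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# pubkey_auth_enabled SSHD_CONFIG
# sshd takes the first value it reads for a keyword, skips "#" lines, and
# defaults PubkeyAuthentication to yes. Include files and Match blocks are
# not evaluated by this check.
pubkey_auth_enabled() {
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$1")
    [ "${v:-yes}" = yes ]
}

# Demo against a scratch directory standing in for the Pi's home directory.
demo() {
    t=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE demo@laptop' > "$t/id_rsa.pub"
    printf '%s\n' '#PubkeyAuthentication yes' 'PubkeyAuthentication no' > "$t/sshd_config"
    install_pubkey "$t/id_rsa.pub" "$t" && install_pubkey "$t/id_rsa.pub" "$t"
    echo "authorized_keys entries: $(grep -c '' "$t/.ssh/authorized_keys")"
    pubkey_auth_enabled "$t/sshd_config" && echo "pubkey auth: on" || echo "pubkey auth: off"
    rm -rf "$t"
}
demo
```

On the Pi itself, sudo sshd -T prints the effective server configuration, including settings pulled in through Include files that this check skips.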

Connecting to the Raspberry Pi

From your Mac/Linux, in the terminal connect to your Raspberry Pi as you normally would:

ssh pi@192.168.178.136  

and just like magic, without asking you for a password, you will connect.

If you get a message like “REMOTE HOST IDENTIFICATION HAS CHANGED” read this article.

A few more answers

Q: Can I use the same public key for other computers that I connect to?

A: Yes, in fact, you can use it for any number of devices. You can also use it when you connect to servers via e.g. FileZilla.

Q: I have several computers that I use to connect to my Raspberry Pi. How does this work?

A: All you have to do is to create a key pair on every computer as described above. Then you just need to add the public key of your other computer(s) to

sudo nano ~/.ssh/authorized_keys

Q: Is a private key device-dependent?

A: Yes, each device has its own private and, as a consequence, public key.

Q: What happens if my hard disk crashes/my computer gets stolen etc.? How will I be able to still log in to my Raspberry Pi?

A: Just like you should store passwords in a password manager, you can do the same with your public and private keys.

On your replacement computing device, run the

ssh-keygen -t rsa

command again.

Then open

nano ~/.ssh/id_rsa.pub

and paste the public key from the backup in there, replacing the newly generated one. Do the same with the private key with

nano ~/.ssh/id_rsa

Conclusion

I hope this article helps to remove a bit of the mystery surrounding public/private keys and the whole encryption debate.

Just remember that a key pair pertains to a particular hardware device and that you only ever give away your public key, never the private one.
