How SSH Keys let you into servers - a metaphor

SSH Keys can be a little confusing to new developers. Here’s a quick little metaphor to help you think about how they work.

tldr; Your public key is your business card. You can give it to people so that they can add it to the list of people authorized to access a machine or service. Your private key is a tool that proves that you’re the person associated with that business card.

Imagine remote machines as members-only nightclubs. The bouncer will prevent anyone from entering if their name isn’t on the list.

You get your name added to the list by having a trusted member of the nightclub add it.

Once that happens, you go up to the door, prove that that name is really you, and then you are allowed entry.

With regards to SSH keys, every key is actually a key pair. There’s the public half (the .pub file), and the private half. Frequently these are called id_rsa.pub and id_rsa, but they could be called anything. Your public key is like a business card. You should feel comfortable giving it to anyone you think could use it.

In this metaphor, you gave your business card to a nightclub member and they attached it to the list, so that the bouncer would know to let you in. In real life, you give your public key to a system administrator and they add it to a literal list of keys of people/machines allowed to access something.

Your private key is super secret. You don’t let anyone see it. You don’t even let the bouncer see it. The private key is a tool that lets you prove to the bouncer that you’re the person on the list. The bouncer says “prove you’re XXX” and you use your private key to do just that.
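To make that door check concrete, here is an added example (not code from the original post) that models the metaphor in Go with Ed25519 from the standard library: the Bouncer’s list stands in for authorized_keys, the Visitor signs a fresh challenge without ever revealing the private key, and admission requires both a listed card and a valid signature. It is a simplified model of the idea, not the real SSH protocol’s message flow.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Visitor holds a key pair; the private half never leaves it.
type Visitor struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewVisitor() (*Visitor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Visitor{pub: pub, priv: priv}, err
}

// BusinessCard is the public key, safe to give to an administrator.
func (v *Visitor) BusinessCard() ed25519.PublicKey { return v.pub }

// Prove answers a challenge with a signature; only the private-key holder can make it.
func (v *Visitor) Prove(challenge []byte) []byte { return ed25519.Sign(v.priv, challenge) }

// Bouncer keeps the list of authorized public keys (the role authorized_keys
// plays on a real server) and issues a fresh challenge at the door.
type Bouncer struct{ authorized map[string]bool }
func NewBouncer(cards ...ed25519.PublicKey) *Bouncer {
	b := &Bouncer{authorized: map[string]bool{}}
	for _, c := range cards {
		b.authorized[hex.EncodeToString(c)] = true
	}
	return b
}

// Challenge returns fresh random bytes so a recorded answer cannot be replayed.
func (b *Bouncer) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Admit opens the door only if the presented card is on the list AND the
// signature over this exact challenge verifies under that card.
func (b *Bouncer) Admit(card ed25519.PublicKey, challenge, sig []byte) bool {
	if !b.authorized[hex.EncodeToString(card)] {
		return false // name not on the list
	}
	return ed25519.Verify(card, challenge, sig) // proves possession of the private key
}
```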

There are different key algorithms that can be used when generating your key pair, and different reasons to pick each, but that’s largely irrelevant to how the keys are used.