The passphrase on an SSH key encrypts the private key file at rest. It is independent of the keypair itself, so you can add, change, or remove it any time without regenerating anything. The public key and the fingerprint do not change, so you never have to reinstall the key on servers or GitHub.
Pick your OS for the right path form.
Change (or add) a passphrase
ssh-keygen -p -f ~/.ssh/id_ed25519It prompts for the old passphrase (press Enter if there is none), then the new one twice. To add a passphrase to a key that never had one, the same command works: leave the old passphrase blank and set a new one.
Remove a passphrase
Set the new passphrase to empty. Either run the command above and press Enter at the "new passphrase" prompts, or do it non-interactively:
ssh-keygen -p -f ~/.ssh/id_ed25519 -N ''Removing a passphrase is convenient for unattended jobs (CI, cron, deploy keys), but it means a stolen key file is immediately usable. Only do it on machines you control, and prefer a scoped deploy key over your personal key for automation.
Stop typing the passphrase every time
If the prompt is the only reason you want to remove the passphrase, do not. Load the key into the agent once per session instead:
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519On macOS, --apple-use-keychain stores it so it survives reboots. That gives you the security of a passphrase with the convenience of none.
FAQ
No. The passphrase only encrypts the private key file on disk. The keypair, the public key, and the SHA256 fingerprint are unchanged, so nothing on any server or in GitHub needs updating.
No. There is no recovery; the passphrase is not stored anywhere. You have to generate a new key and reinstall its public half wherever the old one was trusted. See how to create an SSH key.
Only on a machine you fully control, and even then it is a convenience trade-off: a passphrase-free private key is usable the instant it is copied. For automation, prefer a dedicated deploy key with a narrow scope, and lean on ssh-agent rather than removing the passphrase on your personal key.
See also
- How to Create an SSH Key in 2026: the passphrase decision at creation time.
- Add an SSH key to a server: deploy keys for automation instead of a passphrase-free personal key.
- SSH Cheat Sheet: ssh-agent, ssh-add, and Keychain integration.
- or move the key to a YubiKey: hardware-backed keys nobody can copy off the disk.
Sources
Authoritative references this article was fact-checked against.
- ssh-keygen(1) manual page (OpenBSD)man.openbsd.org
- ssh-agent(1) manual page (OpenBSD)man.openbsd.org





