Change or Remove an SSH Key Passphrase

The passphrase on an SSH key encrypts the private key file at rest. It is independent of the keypair itself, so you can add, change, or remove it any time without regenerating anything. The public key and the fingerprint do not change, so you never have to reinstall the key on servers or GitHub.

Change (or add) a passphrase

ssh-keygen -p -f ~/.ssh/id_ed25519

It prompts for the old passphrase (press Enter if there is none), then the new one twice. To add a passphrase to a key that never had one, the same command works: leave the old passphrase blank and set a new one.

Remove a passphrase

Set the new passphrase to empty. Either run the command above and press Enter at the "new passphrase" prompts, or do it non-interactively:

ssh-keygen -p -f ~/.ssh/id_ed25519 -N ''

Removing a passphrase is convenient for unattended jobs (CI, cron, deploy keys), but it means a stolen key file is immediately usable. Only do it on machines you control, and prefer a scoped deploy key over your personal key for automation.

Stop typing the passphrase every time

If the prompt is the only reason you want to remove the passphrase, do not. Load the key into the agent once per session instead:

eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519

On macOS, --apple-use-keychain stores it so it survives reboots. That gives you the security of a passphrase with the convenience of none.

FAQ

See also

• How to Create an SSH Key in 2026: the passphrase decision at creation time.
• Add an SSH key to a server: deploy keys for automation instead of a passphrase-free personal key.
• SSH Cheat Sheet: ssh-agent, ssh-add, and Keychain integration.