Changing an SSH key passphrase

A while back I wanted to change the passphrase on an SSH key. Mine was painful to type and I'd never thought to question whether it could be changed in place. Turns out it can, and it's a one-liner.

ssh-keygen -p -f path/to/your/keyfile

You'll be prompted for the old passphrase, then a new one. The key itself doesn't change — same public key, same fingerprint, just re-encrypted with the new phrase. Anything that already trusted the key (servers, git remotes, deploy keys) keeps working.

Update: May 2026

These days I don't keep private keys on disk at all. 1Password's SSH agent stores them in the vault, unlocks them with Touch ID, and handles git commit signing in the same flow. The keys sync across machines through the vault — no copying files between laptops, no scp and chmod 600 rituals on a new machine, no trying to remember which passphrase belongs to which key.

Restored from the Wayback Machine after seeing it still get's hits. Update section added.

Changes

  1. Restore archived articles Orlando