Creating SSH keys | Bitbucket Data Center 9.1 (2024)

This page describes how to create SSH keys.

SSH keys can be used to establish a secure connection with Bitbucket Data Center when:

  • you are performing Git operations from your local machine
  • another system or process needs access to repositories in Bitbucket (for example your build server)

The SSH key needs to be added to Bitbucket, and your Bitbucket administrator must have enabled SSH access to Git repositories before you can make use of the key.

Bitbucket supports the following SSH key types:

  • ED25519
  • RSA2
  • ECDSA
  • DSA (we recommend you use other key types)
  • ED25519-SK
  • ECDSA-SK

You can use an existing SSH key with Bitbucket if you want, in which case you can go straight to either SSH user keys for personal use or SSH access keys for system use.

Related pages:

  • Using SSH keys to secure Git operations
  • Enable SSH access to Git repositories
  • Permanently authenticating with Git repositories

Creating an SSH key on Windows

1. Check for existing SSH keys

You should check for existing SSH keys on your local computer. You can use an existing SSH key with Bitbucket if you want, in which case you can go straight to either SSH user keys for personal use or SSH access keys for system use.

Open a command prompt, and run:

cd %userprofile%/.ssh

2. Back up old SSH keys

If you have existing SSH keys, but you don't want to use them when connecting to Bitbucket, you should back those up.

In a command prompt on your local computer, run:

mkdir key_backup
copy id_ed25519* key_backup

3. Generate a new SSH key

If you don't have an existing SSH key that you wish to use, generate one as follows:

  1. Log in to your local computer as an administrator.
  2. In a command prompt, run:

    ssh-keygen -t ed25519 -C "your_email@example.com"

    Note: If you're using a legacy system that doesn't support the ED25519 algorithm, run:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

    Associating the key with your email address helps you to identify the key later on.

    Note that the ssh-keygen command is only available if you have already installed Git (with Git Bash).
    You'll see a response similar to this:

    C:\Users\fperez>ssh-keygen -t ed25519 -C "your_email@example.com"
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/c/Users/fperez/.ssh/id_ed25519):
  3. Just press <Enter> to accept the default location and file name. If the .ssh directory doesn't exist, the system creates one for you.
  4. Enter, and re-enter, a passphrase when prompted. The whole interaction will look similar to this:

    C:\Users\fperez>ssh-keygen -t ed25519 -C "your_email@example.com"
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/c/Users/fperez/.ssh/id_ed25519):
    Created directory '/c/Users/fperez/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in c/Users/fperez/.ssh/id_ed25519.
    Your public key has been saved in c/Users/fperez/.ssh/id_ed25519.pub.
    The key fingerprint is:
    SHA256:wvaHYeLtY6+DlvV5sFZgDi3abcdefghijklmnopqrstuvw your_email@example.com
  5. You're done and you can now go to either SSH user keys for personal use or SSH access keys for system use.

Creating an SSH key on Linux & macOS

1. Check for existing SSH keys

You should check for existing SSH keys on your local computer. You can use an existing SSH key with Bitbucket if you want, in which case you can go straight to either SSH user keys for personal use or SSH access keys for system use.

Open a terminal and run the following:

cd ~/.ssh
  • If you see "No such file or directory", then there aren't any existing keys: go to step 3.
  • Check to see if you have a key already:

    ls id_*
  • If there are existing keys, you may want to use them; go to either SSH user keys for personal use or SSH access keys for system use.

2. Back up old SSH keys

If you have existing SSH keys, but you don't want to use them when connecting to Bitbucket, you should back those up.

Do this in a terminal on your local computer, by running:

mkdir key_backup
cp id_ed25519* key_backup

3. Generate a new key

If you don't have an existing SSH key that you wish to use, generate one as follows:

  1. Open a terminal on your local computer and enter the following:

    ssh-keygen -t ed25519 -C "your_email@example.com"

    Note: If you're using a legacy system that doesn't support the ED25519 algorithm, use:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

    Associating the key with your email address helps you to identify the key later on.

    You'll see a response similar to this:

    fperez@homemac ~ % ssh-keygen -t ed25519 -C fperez@email.com
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/Users/fperez/.ssh/id_ed25519):
  2. Just press <Enter> to accept the default location and file name. If the .ssh directory doesn't exist, the system creates one for you.
  3. Enter, and re-enter, a passphrase when prompted.
    The whole interaction will look similar to this:

    fperez@homemac ~ % ssh-keygen -t ed25519 -C fperez@email.com
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/Users/fperez/.ssh/id_ed25519):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /Users/fperez/.ssh/id_ed25519.
    Your public key has been saved in /Users/fperez/.ssh/id_ed25519.pub.
    The key fingerprint is:
    SHA256:gTVWKbn41z6JgBNu3wYjLC4abcdefghijklmnopqrstuvwxy fperez@email.com
    The key's randomart image is:
    +--[ED25519 256]--+
    |==+. +o.. |
    |.oE. +o.. |
    | . ...o |
    | .o... |
    | oo+S . |
    | + ..B = . . |
    |.+.+.oo+ * o . |
    |o++.o+ . + + |
    |B+ o. . . |
    +----[SHA256]-----+
    fperez@homemac ~ %
  4. You're done and you can now go to either SSH user keys for personal use or SSH access keys for system use.
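The "check for existing SSH keys" step can go further than `ls id_*`. The following added example (not part of the Bitbucket documentation) classifies each public key in a directory against the key types listed on this page, flags DSA, and reports software keys whose private half was saved without a passphrase. The function names are hypothetical, and the passphrase check assumes the OpenSSH private key format that current ssh-keygen versions write by default.

```shell
#!/bin/sh
# Added example (not Atlassian's code): audit the key pairs in a directory.

# Map the algorithm field of a .pub file to the key type names used on this page.
pubkey_type() {
    read -r alg _rest < "$1" || [ -n "$alg" ] || return 1
    case "$alg" in
        sk-ssh-ed25519@openssh.com)         echo ED25519-SK ;;
        sk-ecdsa-sha2-nistp256@openssh.com) echo ECDSA-SK ;;
        ssh-ed25519)                        echo ED25519 ;;
        ecdsa-sha2-nistp*)                  echo ECDSA ;;
        ssh-rsa)                            echo RSA2 ;;
        ssh-dss)                            echo DSA ;;
        *)                                  echo UNKNOWN ;;
    esac
}

# Print yes/no/unknown. An OpenSSH-format private key decodes to the magic
# "openssh-key-v1\0", a 4-byte length, then the cipher name at offset 19;
# the cipher "none" means the key was saved without a passphrase.
privkey_passphrase() {
    read -r first < "$1" || true
    [ "$first" = "-----BEGIN OPENSSH PRIVATE KEY-----" ] || { echo unknown; return; }
    cipher=$(grep -v '^-----' "$1" | base64 -d 2>/dev/null |
             dd bs=1 skip=19 count=4 2>/dev/null)
    if [ "$cipher" = none ]; then echo no; else echo yes; fi
}

# One line per public key: file name, key type, verdict.
audit_key_dir() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        ktype=$(pubkey_type "$pub") || ktype=UNKNOWN
        verdict=ok
        case "$ktype" in
            DSA)     verdict="replace: DSA is not recommended" ;;
            UNKNOWN) verdict="not a key type listed on this page" ;;
        esac
        # For -SK keys the passphrase is optional, so only flag software keys.
        case "$ktype" in *-SK) ;; *)
            priv=${pub%.pub}
            if [ -f "$priv" ] && [ "$(privkey_passphrase "$priv")" = no ]; then
                verdict="$verdict; private key has no passphrase"
            fi ;;
        esac
        printf '%s\t%s\t%s\n' "${pub##*/}" "$ktype" "$verdict"
    done
}

if [ "$#" -gt 0 ]; then audit_key_dir "$1"; fi
```

Saved under a name of your choice, the script takes the directory to audit as its only argument, for example `~/.ssh`; legacy PEM-format private keys are reported as `unknown` rather than guessed at.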

Creating a new SSH key for a hardware security key

SSH keys for hardware authenticators are a safer alternative to traditional SSH keys and protect you from accidental private key exposure or theft. You tap the hardware authenticator when you need to perform a Git operation, which provides evidence of user presence.

1. Before you start

Before generating a security key based SSH key, make sure you meet the following pre-requisites.

OpenSSH

To generate an SSH key backed by a hardware authenticator, you need to have a version of OpenSSH later than 8.2p1.

Bitbucket Data Center

Bitbucket Data Center supports the use of security key based SSH keys since version 8.13. If your environment consists of mirrors, they must be updated to this version too. Otherwise, you won’t be able to use the key you registered on an upstream for Git SSH operations via the mirror.

Hardware authenticator

You need a compatible hardware authenticator to back the new SSH key. You can choose between Yubikey, Nitrokey, Solokey, etc.

2. Generate the key

You can select from two algorithms:

  • ecdsa-sk based on ECDSA keys

  • ed25519-sk based on ED25519 keys

You can generate ecdsa-sk on most keys but ed25519-sk is generally supported only on newer hardware.

In both cases, the only supported key length is 256 bits. To generate a key of the chosen type:

  1. Make sure your hardware authenticator is plugged in.

  2. Generate the SSH key with ssh-keygen using the following command. The -C argument is optional and specifies a comment to identify the key.

    ssh-keygen -t ed25519-sk -C <your-email>

    If the command fails, your hardware authenticator might not support the ED25519 algorithm. Repeat the command replacing ed25519-sk with ecdsa-sk.

  3. When you're prompted, touch the button on your hardware authenticator to confirm user presence.

  4. You can optionally choose a passphrase for the key.

    > Enter passphrase (empty for no passphrase): [Type a passphrase]
    > Enter same passphrase again: [Type passphrase again]

After the SSH key has been generated successfully, you can copy the public key and register it with Bitbucket Data Center like any other SSH key, following the instructions:

  • SSH user keys for personal use

  • SSH access keys for system use

FAQ

Find answers to frequently asked questions about the generation of security key based SSH keys.

I receive an error while performing Git operations with these keys. How do I resolve it?

The most common reason for seeing the Permission denied (Public Key) error is that the key is simply not being used to perform the authentication. Check the following:

  • The user presence is confirmed while performing the Git command.

  • You don’t have a large number of generated keys. If you do, try removing unused keys.

I generated and registered an SSH key but can’t perform Git operations using it via the mirror

If you receive the Permission denied (Public Key) error while performing a Git command with a registered key, the mirror you’re using might not have been updated to version 8.13. Contact the administrator about the issue.

Do I have to tap the key every time I perform a Git operation?

Yes, you do. While OpenSSH has the option to generate a key that doesn’t require a tap, Bitbucket Data Center doesn’t support such keys. We also don’t recommend using keys that don’t require a tap on a hardware authenticator because their security is comparatively low.

Author: Cheryll Lueilwitz
