SSH Key Fingerprint Generator

Generate SHA256, MD5 fingerprints and randomart for any SSH public key. 100% client‑side, no server upload. In‑depth guide included.


Understanding SSH Fingerprints & Randomart

An SSH fingerprint is a cryptographic hash of a public key, shown in a short human-readable form (hex or base64). Because it is derived from the key material itself, it identifies the key for all practical purposes while being far shorter than the key, much as a fingerprint identifies a person.

Why are fingerprints essential?
  • Man-in-the-middle (MITM) protection: When you connect to an SSH server for the first time, the server presents its host key and your client displays that key's fingerprint. If you obtained the correct fingerprint out-of-band beforehand (from your administrator, a trusted HTTPS page, or an internal inventory), you can confirm that you are talking to the intended server rather than an impostor relaying your connection.
  • Key management: authorized_keys and known_hosts store full public keys, which are too long to compare by eye. Fingerprints give you a short handle for each entry, so you can tell which key belongs to which person or host and quote it in tickets and documentation without pasting the whole key. This matters most when you manage many keys.
  • Auditing and inventory: System administrators can collect fingerprints of all authorized keys to detect rogue or duplicated keys (the same key installed on many accounts is a common sign of a shared or copied private key).

How a Fingerprint Is Computed

The process is straightforward:

  1. Take the public key in its wire format: the base64 part after the key type in a public key line, decoded back to bytes. This binary blob is a sequence of length-prefixed fields and contains the key type string (e.g., "ssh-rsa") followed by the key material (exponent and modulus for RSA, curve name and point for ECDSA, the 32-byte public point for Ed25519).
  2. Compute a cryptographic hash of that decoded blob. OpenSSH originally used MD5; modern versions use SHA256.
  3. Encode the hash for display. For MD5, it is shown as hexadecimal bytes separated by colons (e.g., MD5:2a:3b:4c:...). For SHA256, it is base64-encoded with the trailing "=" padding removed and prefixed with SHA256:.

The key's comment (user@host) is not part of the hashed blob, so two copies of the same key that differ only in comment have identical fingerprints. This is intentional – the comment is metadata, not part of the cryptographic identity. The key type string, by contrast, is inside the blob, so the same numbers labelled as a different type would produce a different fingerprint.
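The three steps above, carried out end to end as an added example (this is not the page's own tool code): it parses a public key line, decodes the base64 blob, walks the length-prefixed wire format to confirm that the type string inside the blob matches the type declared at the start of the line, and produces both fingerprint encodings. The sample Ed25519 line is constructed for the demonstration and is not a real key pair.

```python
"""OpenSSH-style fingerprints from an authorized_keys / known_hosts style line."""
import base64
import hashlib
import struct

# Public-key types accepted here (the same set the page supports).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_pubkey_line(line: str):
    """Split '<type> <base64> [comment]' into (type, decoded_blob, comment).

    The comment is returned for display only and is never hashed.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    blob = base64.b64decode(b64, validate=True)   # step 1: back to wire bytes
    return key_type, blob, comment


def decode_blob(blob: bytes):
    """Decode the SSH wire format: a sequence of uint32-length-prefixed strings."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def fingerprint(line: str, algo: str = "sha256") -> str:
    """Return the fingerprint exactly as ssh-keygen -l (or -E md5) prints it."""
    key_type, blob, _comment = parse_pubkey_line(line)
    fields = decode_blob(blob)
    # Guard against a mislabelled key: the first wire-format string repeats
    # the type and must agree with the type at the start of the line.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    if algo == "sha256":                          # step 2 + 3, SHA256 form
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":                             # step 2 + 3, legacy MD5 form
        digest = hashlib.md5(blob).digest()
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    raise ValueError(f"unsupported hash {algo!r}")


def ssh_string(data: bytes) -> bytes:
    """Encode one wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an "Ed25519 key" whose 32-byte point is 0x00..0x1f.
# It is not a real key pair; it only exercises parsing and hashing.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " alice@laptop"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE))
    print(fingerprint(SAMPLE_LINE, "md5"))
    # Same key, different comment: same fingerprint.
    print(fingerprint(SAMPLE_LINE.replace("alice@laptop", "bob@desktop")))
```

The type check is the part worth keeping in any real tool: an attacker who can edit a public key line cannot make an RSA blob masquerade as an Ed25519 key, and a fingerprint over a blob whose inner type disagrees with the label is a sign the line was tampered with or corrupted.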

Hash Algorithms: MD5 vs SHA256

MD5 was the default for many years. It produces a 128-bit (16-byte) hash, displayed as 16 colon-separated hex bytes (e.g., MD5:2a:3b:4c:5d:6e:7f:80:91:a2:b3:c4:d5:e6:f7:08:19). MD5 is now considered cryptographically broken: collision attacks (finding two different inputs with the same hash) are practical. Spoofing a specific existing fingerprint needs a second preimage rather than a collision, which remains impractical even for MD5, but a 128-bit digest leaves little margin and the industry moved to stronger algorithms. SHA256 (part of the SHA-2 family) has been the default since OpenSSH 6.8 (released 2015). It produces a 256-bit hash, shown as unpadded base64 prefixed with SHA256: (e.g., SHA256:4eG5QcdcHdOB5yU2QHmzYz3QpZ3sQpZ3sQpZ3sQpZ3s). SHA256 has no known collision or preimage attacks and is the form you should compare by default; treat MD5 fingerprints as a compatibility format for older documentation and tooling.

SSH Key Types and Their Characteristics

For each algorithm: key size, security, performance, recommendation.

  • Ed25519 – Key size: 256 bits. Security: very high; based on Curve25519 and designed for constant-time implementations, so it resists timing side channels. Performance: fastest signing and verification. Recommendation: use for all new keys.
  • RSA – Key size: 2048-4096 bits. Security: high at 4096 bits; 2048 bits is the minimum still worth accepting. Performance: slower, especially for signing. Recommendation: use 4096-bit RSA only where Ed25519 is unavailable.
  • ECDSA – Key size: 256/384/521 bits (NIST P-256, P-384, P-521). Security: high, depending on the curve; each signature also needs a fresh random nonce, and a weak random source leaks the private key. Performance: fast. Recommendation: acceptable, but some users distrust the NIST curves over backdoor concerns.
  • DSA – Key size: 1024 bits only. Security: deprecated and weak. Performance: not relevant. Recommendation: never use; disabled by default since OpenSSH 7.0 and since removed entirely.

Ed25519 keys have been supported since OpenSSH 6.5 and are the type ssh-keygen generates by default in recent releases. They offer excellent security, short public keys (less data in the handshake), and resistance to certain implementation flaws. RSA 4096 is still common, especially in legacy environments.

Randomart: Visual Fingerprints

OpenSSH 5.1 (2008) introduced randomart – an ASCII art representation of the key fingerprint. The idea is that humans are much better at recognizing visual patterns than at comparing long strings of hex or base64. Two different keys almost always produce visibly different randomart, making a mismatch easy to spot at a glance. Randomart is a lossy summary of the digest, though: it can alert you to a change, but confirming a host key still means comparing the full SHA256 fingerprint.

The algorithm used is called the Drunken Bishop, and OpenSSH implements it as follows:

  • A field of 9 rows × 17 columns is initialized with zeros. The bishop starts in the centre cell (column 8, row 4, 0-indexed).
  • The raw digest (32 bytes for SHA256, 16 for MD5) is read as a sequence of 2-bit moves, four per byte starting from the least significant bits. The low bit of each pair chooses left (0) or right (1) and the high bit chooses up (0) or down (1), so 00 = up-left, 01 = up-right, 10 = down-left, 11 = down-right. A move that would leave the field is clamped, so the bishop slides along the wall rather than bouncing off it.
  • Each time the bishop lands on a cell, that cell's counter is incremented (saturating at 14). After the last move, counters are mapped to the symbols " .o+=*BOX@%&#/^" (the more visits, the denser the symbol). The starting cell is then marked S and the final cell E; if the two coincide, E wins.
  • The result is the full 9×17 field. A SHA256 digest gives 128 moves, so with clamping the bishop can reach every cell, border included.

The randomart is printed with a border like +---[RSA 4096]----+ and +----[SHA256]-----+ indicating the key type and hash algorithm. By comparing two randomarts, you can quickly see whether they match: a change anywhere in the digest alters every move after that point, so the pattern diverges from the first differing bit pair onward.
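The walk described above, implemented as an added example that follows the field size, move encoding, clamping and symbol table used by OpenSSH (this is not the page's tool code, which renders only a placeholder pattern). It takes the raw digest bytes rather than a key, so it works for MD5 and SHA256 alike; the digest in the demonstration is computed over a constructed byte string, not a real key.

```python
"""Drunken Bishop randomart, as drawn by ssh-keygen -lv."""
import hashlib

FLD_X, FLD_Y = 17, 9                       # field width and height in cells
SYMBOLS = " .o+=*BOX@%&#/^SE"              # visit-count glyphs, then the S/E markers
MAX_COUNT = len(SYMBOLS) - 3               # counts saturate at '^' (index 14)
START, END = len(SYMBOLS) - 2, len(SYMBOLS) - 1   # indices of 'S' and 'E'


def walk(digest: bytes):
    """Return the visit-count field (indexed field[y][x]) and the final position."""
    field = [[0] * FLD_X for _ in range(FLD_Y)]
    x, y = FLD_X // 2, FLD_Y // 2           # the bishop starts in the centre cell
    for byte in digest:
        for _ in range(4):                 # four 2-bit moves per byte, low bits first
            x += 1 if byte & 0x1 else -1   # bit 0: 1 = right, 0 = left
            y += 1 if byte & 0x2 else -1   # bit 1: 1 = down,  0 = up
            x = min(max(x, 0), FLD_X - 1)  # clamp: the bishop stops at the wall
            y = min(max(y, 0), FLD_Y - 1)
            if field[y][x] < MAX_COUNT:    # saturating counter
                field[y][x] += 1
            byte >>= 2
    return field, (x, y)


def randomart(digest: bytes, title: str, hash_name: str) -> str:
    """Render the field with OpenSSH's borders, e.g. title 'RSA 4096', hash 'SHA256'."""
    field, (ex, ey) = walk(digest)
    field[FLD_Y // 2][FLD_X // 2] = START  # centre cell is always 'S'
    field[ey][ex] = END                    # last cell is 'E' (wins if it is the centre)

    def border(label: str) -> str:
        label = f"[{label}]"
        left = (FLD_X - len(label)) // 2   # label is centred, extra dash goes right
        return "+" + "-" * left + label + "-" * (FLD_X - left - len(label)) + "+"

    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in field]
    return "\n".join([border(title)] + rows + [border(hash_name)])


if __name__ == "__main__":
    # Constructed input: hash of an arbitrary byte string, standing in for a key blob.
    digest = hashlib.sha256(b"constructed sample blob, not a real key").digest()
    print(randomart(digest, "ED25519 256", "SHA256"))
    # All-zero digest: 128 up-left moves, so the bishop slides into the top-left corner.
    print(randomart(bytes(32), "ED25519 256", "SHA256"))
```

The all-zero digest is a useful sanity check when porting this: the bishop leaves a diagonal of dots from S to the top-left corner and parks there as E, which is exactly what clamping (rather than bouncing) produces.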

Best Practices for SSH Key Verification

  • Always verify host keys when connecting to a new server or after a server reinstallation. Once verified, the client records the full host key in your known_hosts file and warns loudly if that key changes on a later connection.
  • Use a secure out‑of‑band channel to obtain the expected fingerprint: ask the administrator in person, use a trusted website with HTTPS, or consult a central repository.
  • Prefer Ed25519 keys for both user and host keys – they are fast, secure, and their public keys are short enough to paste and compare comfortably (fingerprints themselves are the same length for every key type).
  • Protect private keys with strong passphrases. Use ssh-agent to cache them.
  • Revoke compromised keys immediately by removing them from every authorized_keys file they appear in; on servers you control, the sshd RevokedKeys option (pointing at a key revocation list) blocks a key even if one copy is missed.
  • Use one key per device – do not copy private keys between machines. If a device is lost, you can revoke only its key.
  • Regularly audit authorized_keys files to remove unused or obsolete keys.

Command‑Line Equivalents

You can obtain fingerprints using ssh-keygen:

  • ssh-keygen -lf ~/.ssh/id_rsa.pub – SHA256 fingerprint (default).
  • ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub – MD5 fingerprint.
  • ssh-keygen -lvf ~/.ssh/id_rsa.pub – include randomart (-v for visual).
  • ssh-keygen -lf ~/.ssh/known_hosts – fingerprints of every host key your client already trusts.
  • ssh-keyscan example.com | ssh-keygen -lf - – fetch and display the host key fingerprints of a server. This shows whatever key the network hands you, so it only helps when compared against a fingerprint obtained out-of-band; an attacker in the path can answer the scan as easily as the login.

Frequently Asked Questions

Why does the fingerprint shown here differ from the one ssh-keygen prints?
Make sure you are using the same hash algorithm (-E md5 vs the default SHA256). The comment (user@host) is not part of the fingerprint, so it does not affect the hash. If the key material itself is identical, the fingerprint will be identical.

Is my key uploaded anywhere?
This tool runs entirely in your browser – no data is sent to any server. You can verify this by disconnecting your network after the page loads. Public keys are meant to be public, but all processing is still done locally.

Which key formats are supported?
Standard OpenSSH public key formats: ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. Private keys and PEM files are not accepted.

Is the randomart exact?
The randomart shown is a simulation, not a full Drunken Bishop implementation, which would walk the digest two bits at a time. The pattern displayed is representative only, so when verifying a key compare the SHA256 fingerprint rather than this image.
