Key Management
ZestSSH handles SSH key generation, import, storage, and export. Keys are stored in your platform’s secure storage and never written to the filesystem in plaintext. This page covers all the key operations available in the app.
Generating keys
Section titled “Generating keys”Navigate to Identities > Generate Key. You will see a form with the following fields:
- Name — a label for this key pair (e.g., “My Ed25519 Key”).
- Key Format — the algorithm to use.
- Comment — embedded in the public key string. Defaults to
user@ZestSSH.
Supported key types
Section titled “Supported key types”| Key Type | Algorithm | Recommended | Notes |
|---|---|---|---|
| Ed25519 | Ed25519 | Yes | Fast, small keys, strong security |
| RSA 2048 | RSA (2048-bit) | No | Legacy compatibility only |
| RSA 4096 | RSA (4096-bit) | Acceptable | Slower to generate, widely compatible |
| ECDSA P-256 | ECDSA secp256r1 | No | NIST curve; use Ed25519 instead |
| ECDSA P-384 | ECDSA secp384r1 | No | NIST curve; use Ed25519 instead |
| ECDSA P-521 | ECDSA secp521r1 | No | NIST curve; use Ed25519 instead |
Use Ed25519 unless you have a specific reason not to. It generates instantly, produces the smallest public key strings, and has no known weaknesses. RSA 4096 is the fallback for servers that do not support Ed25519 (rare in 2025+).
Generation process
Section titled “Generation process”Ed25519 keys generate near-instantly using the cryptography Dart package. RSA and ECDSA keys use the pointycastle library and run in a background isolate to avoid blocking the UI. RSA-4096 can take a few seconds on older devices.
After generation, ZestSSH displays:
- The SHA-256 fingerprint of the public key.
- The full public key string (copyable).
- Options to Copy Public Key to clipboard or Share it via the system share sheet.
The private key is stored immediately in secure storage. The public key string is what you add to ~/.ssh/authorized_keys on your servers.
Deploying the public key
Section titled “Deploying the public key”Copy the public key from the result screen and add it to your server:
# On the remote servermkdir -p ~/.sshecho "ssh-ed25519 AAAA...your-key... user@ZestSSH" >> ~/.ssh/authorized_keyschmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keysIf you have password access to the server, you can also use ssh-copy-id from another machine:
ssh-copy-id -i /path/to/key.pub user@serverImporting existing keys
Section titled “Importing existing keys”Navigate to Identities > Import Key and select your private key file.
Supported formats
Section titled “Supported formats”OpenSSH PEM — the most common format. Files that begin with -----BEGIN OPENSSH PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----. This covers keys generated by ssh-keygen on any platform.
PuTTY .ppk (v2 and v3) — ZestSSH detects the PuTTY format by the PuTTY-User-Key-File- header and converts it to OpenSSH format internally. Only unencrypted .ppk files with ssh-rsa or ssh-ed25519 key types are supported. See Importing from Other Apps for details on encrypted .ppk files.
Passphrase-protected keys
Section titled “Passphrase-protected keys”ZestSSH detects encrypted keys by checking for:
- The
Proc-Type: 4,ENCRYPTEDheader (old PEM format). - The
ENCRYPTED PRIVATE KEYmarker. - Parse failure on modern OpenSSH keys (where encryption metadata is inside the binary payload).
If the key is encrypted, ZestSSH prompts for the passphrase. The passphrase is used to decrypt the key at import time. The decrypted key material is stored in secure storage — the passphrase itself is not retained.
If you enter the wrong passphrase, the error message reads “Wrong passphrase. Please try again.” ZestSSH detects passphrase errors from several different exception patterns across key formats.
After import
Section titled “After import”The imported key shows its:
- Detected key type (e.g.,
ssh-rsa,ssh-ed25519). - SHA-256 fingerprint.
You can then assign this identity to any connection in the connection editor.
Key storage
Section titled “Key storage”Private keys are stored in FlutterSecureStorage, which maps to:
- Android: Android Keystore (hardware-backed on most devices).
- iOS: iOS Keychain.
- Windows/macOS/Linux: OS-native credential managers.
Keys are never written to the SQLite database or to the filesystem. The database stores only metadata (key name, fingerprint, key type). The actual key material lives exclusively in secure storage.
Exporting keys
Section titled “Exporting keys”From the identity detail screen, you can:
- Copy Public Key — copies the
ssh-ed25519 AAAA...string to your clipboard. - Share Public Key — opens the system share sheet to send the public key via email, messaging apps, or AirDrop.
- Export Private Key — exports the private key PEM content. Use this with caution. The exported key is in plaintext OpenSSH format.
If you need to transfer keys between devices, use ZestSSH’s encrypted backup feature (.zest files) rather than exporting raw private keys. Backups encrypt all data with AES-256-GCM.
Passphrase management
Section titled “Passphrase management”ZestSSH currently handles passphrases at import time only. When you import an encrypted key, the passphrase is used to decrypt it, and the decrypted key is stored in secure storage. There is no passphrase prompt at connection time.
If you want your key to require a passphrase at every use, this is not currently supported — the trade-off is convenience vs. requiring passphrase entry per session. The security lock feature (PIN or biometric) provides an alternative layer of protection for all stored credentials.
Key rotation
Section titled “Key rotation”When you generate a new key to replace an old one:
- Generate the new key in ZestSSH.
- Add the new public key to your servers’
authorized_keysfiles. - Test that the new key works.
- Remove the old public key from your servers.
- Delete the old identity from ZestSSH.
- Update any connections that referenced the old identity to use the new one.