UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

SSH Public Key Fingerprint

Calculate the MD5 and SHA-256 fingerprints of an SSH public key to verify identity without sharing the full key.

About SSH Public Key Fingerprint

The SSH Public Key Fingerprint calculator computes the MD5 and SHA-256 fingerprints of any SSH public key (RSA, ECDSA, Ed25519) directly in your browser. Fingerprints are short hashes derived from the key material that uniquely identify a key without exposing the full key content. They are used to verify host keys in SSH connections, confirm GitHub/GitLab deploy key identity, and compare keys without transmitting the full key bytes. SHA-256 fingerprints are displayed in base64 (the modern standard shown by ssh-keygen -l -E sha256), and MD5 in colon-separated hex (legacy format). Your key never leaves your browser.

Why use SSH Public Key Fingerprint

  • Calculates both SHA-256 (modern) and MD5 (legacy) fingerprints simultaneously.
  • Supports RSA, ECDSA (P-256/P-384/P-521), and Ed25519 keys.
  • Your private key is never needed or requested — works with public keys only.
  • 100% browser-based: no key data is sent to any server.
  • Helps spot man-in-the-middle attacks: a fingerprint mismatch is the single most reliable signal you are connecting to a wrong server.
  • Enables fast key rotation audits — generate fingerprints for a directory of authorized_keys entries and diff them against the canonical list.

How to use SSH Public Key Fingerprint

  1. Paste your SSH public key (the content of id_rsa.pub, id_ed25519.pub, etc.) into the input area.
  2. The SHA-256 and MD5 fingerprints are calculated instantly.
  3. Compare the fingerprint to the value shown on GitHub, GitLab, or your server's known_hosts.
  4. Click Copy next to either fingerprint to copy it.
  5. Strip any options or comments from authorized_keys lines before pasting — the tool tolerates them, but cleaner input is easier to verify by eye.
  6. Compare the SHA-256 output to the value shown in your hosting provider's dashboard or git server settings before approving a deploy key.

When to use SSH Public Key Fingerprint

  • Verifying that a public key matches what is registered on GitHub or GitLab.
  • Confirming SSH host key fingerprints before connecting to a new server.
  • Comparing a local public key fingerprint against a trusted reference.
  • Auditing deploy keys or authorized_keys entries by fingerprint.
  • Onboarding new developers: confirm that the public key they submit hashes to the same fingerprint they showed during a verification call.
  • Decommissioning old keys: cross-check fingerprints in authorized_keys against a known-good list before removing entries you do not recognize.

Examples

RSA 2048 key

Input: ssh-rsa AAAAB3NzaC1yc2E...AQAB user@example.com

Output: SHA256: 5xfjL1b/BvD0GmU2lIOR8h2OZpC/3QVa0iY8z8m+jY8 MD5: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48

Ed25519 key

Input: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH... user@host

Output: SHA256: P0FFiI31V+NXQYqaJq3z+JhhYJ6cGv2X5n1L8fT9WzM MD5: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99

ECDSA P-256 key

Input: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlz... user@host

Output: SHA256: 7Hk2ZB4ENvFmS3p+lYtRoIbJqXWzCfA9KdU0VeXhPRA MD5: fa:ce:b0:0c:de:ad:be:ef:ca:fe:01:02:03:04:05:06

Tips

  • Always compare SHA-256 fingerprints, not MD5 — MD5 has known collisions and OpenSSH 6.8+ deprecated it as the default for a reason.
  • On macOS and Linux, run `ssh-keygen -l -E sha256 -f ~/.ssh/id_ed25519.pub` to compute the same fingerprint locally and verify this tool's output matches.
  • GitHub displays SHA-256 fingerprints without the SHA256: prefix in some places and with the prefix in others; this tool shows both forms so you can paste either way.
  • Never publish the contents of id_rsa, id_ed25519, or any file without .pub — the fingerprint is for the public key only, but accidentally pasting a private key into a web form is a credential leak.
  • Ed25519 keys produce shorter fingerprints (43 base64 chars for SHA-256) than RSA. If a key looks unusually short, double-check the algorithm before reporting a mismatch.
  • Host keys live in /etc/ssh on the server. To find your server's fingerprint, run `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` directly on the host before exposing it to SSH.
  • If you use multiple SSH keys, label each `.pub` file with a comment (the trailing 'user@host') so fingerprints can be matched back to the right key without recomputing every time.

Frequently Asked Questions

Is it safe to paste my public key here?
Yes. SSH public keys are designed to be shared publicly. This tool only requires the public key (id_rsa.pub), never the private key. No data is sent to any server.
Which fingerprint format does GitHub use?
GitHub uses SHA-256 fingerprints in base64 format (e.g. SHA256:AbCd...). This tool shows that format by default.
What is the MD5 format?
The MD5 fingerprint is shown as colon-separated hex pairs (e.g. 00:11:22:...:ff). This is the legacy format used by older SSH versions.
How does the fingerprint help verify a host key?
When you first connect to an SSH server, it shows you its host key fingerprint. Comparing this against a pre-verified fingerprint (from your server provider's dashboard) confirms you are connecting to the correct machine and not a man-in-the-middle.
Does it work with OpenSSH public key format?
Yes. Standard OpenSSH public key format (starting with ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519 etc.) is supported.
Why do RSA and Ed25519 fingerprints look different lengths?
Both use SHA-256 internally, so the hash is 256 bits, but the base64 output is the same length (43 chars). MD5 fingerprints differ in display style only — RSA and Ed25519 produce identically formatted MD5 colon-hex strings.
Does this tool support PuTTY .ppk files?
No — paste the OpenSSH public key (the line that starts with ssh-rsa, ssh-ed25519, or ecdsa-sha2-...). PuTTY's PPK format must first be converted to OpenSSH using PuTTYgen Export.
Why do I see DEPRECATED messages on MD5 in my SSH client?
OpenSSH switched the default fingerprint hash to SHA-256 in version 6.8 (2015). MD5 still works but is flagged because of its weakness. Use SHA-256 wherever possible.

Explore the category

Hash Generator Generate SHA-256, SHA-1, MD5 hashes File Hash Multi (MD5, SHA-1, SHA-256, SHA-512) Compute MD5, SHA-1, SHA-256, and SHA-512 of any file in your browser PGP Encrypt / Decrypt Encrypt, decrypt, generate PGP key pairs, and sign/verify messages in-browser with OpenPGP.js. X.509 Certificate Inspector Decode PEM or DER (base64) X.509 certificates to extract subject, issuer, SANs, validity, key info, and fingerprints. Page Screenshot Service Capture full-page or viewport screenshots of any public URL as PNG or JPG using real browser rendering. DNS Lookup Tool Query public DNS records with SSRF-safe hostname validation
Public Key Cryptography Explained Simply: Keys, Ciphers, and Signatures The magic behind HTTPS, SSH, and PGP encryption is public key cryptography — a system where you can encrypt a message that only the intended Feb 2026 · 10 min How PGP Encryption Works: Keys, Trust, and Real-World Use PGP (and OpenPGP) has secured email and files since 1991. We explain key pairs, the web of trust, signing vs encrypting, and where PGP still May 2026 · 8 min

Glossary

SSH public key
The non-secret half of an SSH keypair, safe to share. Used by servers and services like GitHub to verify the corresponding private key signature.
Fingerprint
A short cryptographic hash of a public key. Lets humans verify key identity without comparing the entire base64-encoded key blob.
SHA-256 fingerprint
Modern fingerprint format in OpenSSH 6.8+. 256 bits of SHA-2 output encoded as base64, prefixed with SHA256: in display.
MD5 fingerprint
Legacy fingerprint format from earlier OpenSSH releases. 128-bit MD5 hash displayed as 16 colon-separated hex pairs. Now considered weak.
RSA key
An SSH key based on the RSA algorithm. Common sizes are 2048 and 4096 bits. Identified by the ssh-rsa prefix in public key files.
Ed25519 key
A modern Edwards-curve digital signature key. Shorter (32 bytes), faster, and considered safer than RSA. Identified by the ssh-ed25519 prefix.
ECDSA key
An SSH key based on Elliptic Curve Digital Signature Algorithm, typically over the NIST curves P-256, P-384, or P-521. Identified by the ecdsa-sha2-nistp prefix.
known_hosts
A client-side file (~/.ssh/known_hosts) listing the host keys SSH has previously seen and trusted, indexed by hostname.