Chapter 19: Git Security SSH
Git Security with SSH ☕
You’ve already learned Git basics, commits, branches, GitHub push/pull… but when you start pushing to GitHub regularly, two big questions come up very fast:
- How do I stop typing my password/PAT every time I push/pull?
- Is HTTPS safe enough, or should I switch to SSH — and why?
Today we’re focusing on SSH for Git — what it is, why it’s more secure/convenient for frequent use in 2026, and the exact step-by-step setup that works today (using current best practices like ed25519 keys + post-quantum readiness notes).
1. Quick Security Recap – HTTPS vs SSH in 2026
| Feature / Question | HTTPS (with Personal Access Token) | SSH (with key pair) |
|---|---|---|
| Authentication method | Username + PAT (long random token) | Public-key cryptography (you prove you own private key) |
| Need to enter credentials often? | Yes (unless credential helper caches it) | No — after setup, passwordless forever (or passphrase once per session) |
| If credentials leaked | Attacker gets full account access (repos + settings + 2FA bypass possible if PAT broad) | Attacker gets only repo read/write access (no account settings, no orgs unless key added there) |
| Encryption in transit | Yes (TLS) | Yes (stronger & more modern options) |
| Firewall / corporate network friendly | Excellent (port 443) | Good (port 22), but sometimes blocked — fallback to HTTPS |
| Setup effort | Very easy (GitHub guides PAT creation) | Medium (generate key, upload public part) |
| Best for | Beginners, occasional use, behind strict firewalls | Daily contributors, CI/CD pipelines, security-focused users |
2026 verdict (most common recommendation):
- Start with HTTPS + PAT if you’re new or push rarely
- Switch to SSH once you push/pull many times a day (most professional developers do this)
SSH is not magically “more secure” in transit (both use strong encryption), but it’s better scoped (key only for git ops) and passwordless after setup.
2. What is an SSH Key Pair? (Simple analogy)
- Private key → your secret house key (never share, keep safe on your laptop)
- Public key → the lock you give to GitHub (anyone can see it, but only your private key opens it)
When you git push:
- GitHub says “prove you’re you”
- Your computer uses private key to sign a challenge
- GitHub checks against your uploaded public key → success = no password needed
3. Step-by-Step Setup – SSH for GitHub (2026 best practice)
Step 1 – Check for existing keys (don’t overwrite old ones)
```bash
ls -al ~/.ssh
```
Look for files like id_ed25519 and id_ed25519.pub (modern default).
Step 2 – Generate a new strong key (ed25519 is the 2026 standard – fast, secure, small)
```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
```
- -t ed25519 → best modern algorithm (Curve25519-based, 128-bit security, constant-time)
- -C → comment (helps identify key later)
Press Enter to accept the default location (~/.ssh/id_ed25519), then add a strong passphrase (recommended – protects the key if the laptop is stolen).
You’ll see randomart (cute ASCII picture of your key – just for fun).
If your system is very old (rare in 2026):
```bash
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```
Step 3 – Start SSH agent & add your key (so it asks passphrase only once per session)
```bash
# Start agent (Windows Git Bash / Linux / macOS)
eval "$(ssh-agent -s)"

# Add private key
ssh-add ~/.ssh/id_ed25519
```
Enter passphrase when asked.
Step 4 – Copy public key to clipboard
Windows (Git Bash):
```bash
clip < ~/.ssh/id_ed25519.pub
```
macOS:
```bash
pbcopy < ~/.ssh/id_ed25519.pub
```
Linux:
```bash
xclip -sel clip < ~/.ssh/id_ed25519.pub   # install xclip if needed
```
Or just open file:
```bash
cat ~/.ssh/id_ed25519.pub
```
Copy everything (starts with ssh-ed25519 AAAAC3… your_email@example.com)
Step 5 – Add public key to GitHub
- Go to github.com → Settings (top-right profile)
- SSH and GPG keys → New SSH key
- Title: “My Laptop 2026 – ed25519”
- Paste public key → Add SSH key
Step 6 – Test connection
```bash
ssh -T git@github.com
```
You should see:
```text
Hi Webliance! You've successfully authenticated, but GitHub does not provide shell access.
```
Success! 🎉
Step 7 – Switch your repo to SSH
If repo was cloned with HTTPS:
```bash
git remote -v   # see current https://github.com/...
git remote set-url origin git@github.com:Webliance/my-first-github-project.git
git remote -v   # now git@github.com:...
```
Now push/pull works passwordless:
```bash
git push
```
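The Step 7 conversion as a reusable shell helper, added here as an example and not part of the original tutorial: `to_ssh_remote` rewrites a github.com HTTPS remote to its SSH form (optionally with a Host alias from ~/.ssh/config), and `has_embedded_credential` flags remotes that stored a token in the URL, where it sits in plain text in .git/config. The function names are hypothetical and only github.com URLs are handled.

```shell
#!/bin/sh
# Added example (not from the original tutorial); function names are hypothetical.

# Exit 0 if an HTTPS remote carries user[:token]@ before the host.
has_embedded_credential() {
  case $1 in https://*) ;; *) return 1 ;; esac
  authority=${1#https://}
  authority=${authority%%/*}
  case $authority in *@*) return 0 ;; *) return 1 ;; esac
}

# to_ssh_remote URL [HOST_ALIAS]: print the SSH form of a github.com HTTPS remote.
to_ssh_remote() {
  url=$1
  host_alias=${2:-github.com}            # e.g. github-work from ~/.ssh/config
  case $url in
    git@*|ssh://*) printf '%s\n' "$url"; return 0 ;;   # already SSH, keep as is
    https://*/*) ;;
    *) return 1 ;;                                       # not an HTTPS repo URL
  esac
  rest=${url#https://}
  authority=${rest%%/*}
  repo_path=${rest#*/}                   # not "path": zsh ties that name to PATH
  [ "${authority##*@}" = "github.com" ] || return 1      # other hosts: do not guess
  repo_path=${repo_path%/}
  repo_path=${repo_path%.git}
  [ -n "$repo_path" ] || return 1
  printf 'git@%s:%s.git\n' "$host_alias" "$repo_path"
}

# Run inside a repository: convert every remote and warn about stored tokens.
switch_remotes_to_ssh() {
  for name in $(git remote); do
    old=$(git remote get-url "$name")
    if has_embedded_credential "$old"; then
      echo "warning: $name had a credential in its URL; revoke that token" >&2
    fi
    if new=$(to_ssh_remote "$old"); then
      [ "$new" = "$old" ] || git remote set-url "$name" "$new"
    else
      echo "skipped $name (not a github.com HTTPS remote)" >&2   # URL not echoed
    fi
  done
}

# Constructed sample input:
to_ssh_remote "https://github.com/Webliance/my-first-github-project.git"
```

Call `switch_remotes_to_ssh` from inside a clone to apply the rewrite to every remote at once.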
4. Extra 2026 Best Practices & Security Tips
- Rotate keys every 1–2 years (generate new, add to GitHub, remove old)
- Use passphrase on private key (protects if device stolen)
- Never commit private key → .gitignore should have *.key or specific names
- Multiple accounts? Use ~/.ssh/config:
```
# Personal
Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_personal

# Work
Host github-work
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_work
```
Then clone work repos with git@github-work:company/repo.git
- Post-quantum readiness (GitHub started supporting sntrup761x25519-sha512 in 2025) — modern OpenSSH clients auto-negotiate it
- Backup keys safely (encrypted USB / password manager)
- Revoke old keys immediately if device lost (GitHub → Settings → SSH keys → Delete)
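One caveat for the multi-account config above: when several keys are loaded in the agent, ssh can offer a key other than the one named in IdentityFile unless the block also sets `IdentitiesOnly yes`, so the work alias may authenticate as the personal account. The check below is an added example written for this page (hypothetical name `audit_ssh_config`) that lists Host blocks setting IdentityFile without it; it assumes space-separated keywords and does not model Match blocks or options inherited from `Host *`.

```shell
#!/bin/sh
# Added example (not from the original tutorial); audit_ssh_config is a hypothetical name.
# Prints the pattern list of every Host block that sets IdentityFile
# without "IdentitiesOnly yes". Assumes "Keyword value" syntax (no "=").
audit_ssh_config() {
  awk '
    function report() { if (host != "" && idfile && !only) print host }
    /^[ \t]*#/ { next }                          # comment lines
    /^[ \t]*$/ { next }                          # blank lines
    {
      key = tolower($1)                          # ssh keywords are case-insensitive
      if (key == "host") {
        report()                                 # close the previous block
        host = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", host)    # keep only the patterns
        idfile = 0; only = 0
      } else if (key == "identityfile") {
        idfile = 1
      } else if (key == "identitiesonly" && tolower($2) == "yes") {
        only = 1
      }
    }
    END { report() }
  ' "$1"
}

# Constructed sample: the two-account config from this page, with the
# work block hardened and the personal block left as written.
demo_audit() {
  sample=$(mktemp) || return 1
  cat > "$sample" <<'EOF'
Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_personal

Host github-work
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_work
  IdentitiesOnly yes
EOF
  audit_ssh_config "$sample"
  rm -f "$sample"
}

demo_audit
```

Run `audit_ssh_config ~/.ssh/config` against a real config; empty output means every block that names a key also pins it.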
Quick Troubleshooting Table
| Problem | Fix/Check |
|---|---|
| “Permission denied (publickey)” | Key not added to GitHub? Wrong file path? Test with ssh -T git@github.com |
| Passphrase asked every time | Forgot to ssh-add or agent not running |
| Corporate firewall blocks port 22 | Use HTTPS fallback or ask IT to allow SSH |
| Old key not working | GitHub may have deprecated weak algorithms — regenerate ed25519 |
Got it? SSH = passwordless, scoped, secure daily Git life once set up.
Next?
- Want to do multiple GitHub accounts with SSH config?
- Switch existing repo from HTTPS to SSH live?
- Or back to merge conflicts / workflows?
Just tell me — we’ll keep building. You’re doing fantastic! 🚀
