p0cli: ssh-keygen: Using the Keygen command
Last updated: May 2, 2025
Overview
The p0 ssh-keygen command generates an SSH key pair specifically for use with P0’s SSH workflows. By default, it stores:
Private key at ~/.p0/ssh/id_rsa
Public key at ~/.p0/ssh/id_rsa.pub
If a key pair already exists in that folder, the command does nothing. Otherwise, it:
Generates a new 2048-bit RSA key pair
Writes the private key in PEM format (mode 600)
Writes the public key in OpenSSH format (mode 600)
You don’t normally need to run this explicitly—any p0 ssh or p0 scp invocation will auto-generate the pair when needed—but p0 ssh-keygen lets you pre-create or rotate your P0 SSH keys on demand.
Prerequisites
P0 CLI installed (version ≥ 2024)
Writable home directory, since keys are stored under ~/.p0/ssh
Node environment (keys are generated via the embedded node-forge library)
Syntax
p0 ssh-keygen [--help] [--version]
--help
Show usage information.
--version
Print the CLI version number.
There are no additional flags: all behavior is automatic and idempotent.
How It Works
Check for existing files
~/.p0/ssh/id_rsa
~/.p0/ssh/id_rsa.pub
If both exist
Read and return the key pair (no filesystem changes).
If either is missing
Use a 2048-bit RSA generator to create a new key pair.
Ensure the ~/.p0/ssh directory exists (mkdir -p).
Write files with strict permissions (0o600).
After completion, your P0 SSH workflows will automatically pick up these keys for p0 ssh and p0 scp.
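The states described above (both files present, one missing, permissions other than 600) can be checked without touching the keys. The following is an added example, not part of the P0 CLI or its documentation: the function names are hypothetical, only the paths and the 600 mode come from this page, and the matching check assumes OpenSSH's ssh-keygen is installed.

```shell
# Added example, not P0 code: read-only audit of the key directory described above.
# Function names are hypothetical; only the paths and mode 600 come from the page.

# Octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_p0_keys [DIR] prints one status word and returns a matching code:
#   0 ok       both files present, both mode 600
#   1 missing  neither file present; the next p0 ssh/scp run generates a pair
#   2 partial  one file present; per the page a missing file triggers a new pair
#   3 perms    pair present but a file is not mode 600
audit_p0_keys() {
    dir="${1:-$HOME/.p0/ssh}"
    priv="$dir/id_rsa"
    pub="$dir/id_rsa.pub"
    if [ ! -f "$priv" ] && [ ! -f "$pub" ]; then
        echo missing; return 1
    fi
    if [ ! -f "$priv" ] || [ ! -f "$pub" ]; then
        echo partial; return 2
    fi
    for f in "$priv" "$pub"; do
        if [ "$(file_mode "$f")" != "600" ]; then
            echo perms; return 3
        fi
    done
    echo ok
}

# pair_matches [DIR] returns 0 when id_rsa.pub is the public half of id_rsa.
# Uses OpenSSH's ssh-keygen -y only to derive the public key for comparison.
pair_matches() {
    dir="${1:-$HOME/.p0/ssh}"
    derived=$(ssh-keygen -y -f "$dir/id_rsa" 2>/dev/null | awk '{print $2}')
    stored=$(awk '{print $2; exit}' "$dir/id_rsa.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}
```

Run pair_matches only after audit_p0_keys reports ok, because OpenSSH refuses to read a private key whose permissions are too open.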
Examples
1. Generate keys manually
p0 ssh-keygen
Creates ~/.p0/ssh/id_rsa and id_rsa.pub if they don’t exist.
If they already exist, prints nothing and leaves them intact.
2. Rotate your P0 SSH keys
Remove existing keys
rm ~/.p0/ssh/id_rsa ~/.p0/ssh/id_rsa.pub
Regenerate
p0 ssh-keygen
Verify
ls -l ~/.p0/ssh
# -rw------- 1 you staff 1679 May 5 12:00 id_rsa
# -rw------- 1 you staff 392 May 5 12:00 id_rsa.pub
3. Inspect your public key
cat ~/.p0/ssh/id_rsa.pub
# ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
Copy this string into your cloud or on-prem identity provider if you need to pre-register your P0 key.
4. Use with p0 ssh
# First-run will auto-generate the P0 key if missing
p0 ssh prod-web-01
Under the hood, P0 reads id_rsa/id_rsa.pub—no additional key flags (-i) are required.
Tips & Best Practices
Pre-generate keys in automation pipelines or CI runners by adding p0 ssh-keygen to setup scripts.
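Rotate regularly by deleting the existing pair and re-running the command. If you pre-registered the old public key with an identity provider, replace it there with the new one.
Back up your public key (id_rsa.pub) to source control if your organization tracks authorized keys.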
Do not modify permissions—the private key must remain 600 or SSH will reject it.
Avoid mixing with ssh-keygen—use the P0 command to ensure keys land in the correct folder for all P0 workflows.
With p0 ssh-keygen, you’ll always have a valid, securely-stored SSH key pair ready for any p0 ssh or p0 scp operation—no manual key management required.