
SSH Key Fingerprint

Compute SHA256/MD5 fingerprints of SSH keys.


About SSH Key Fingerprint

Paste an OpenSSH public key (the ssh-rsa AAAAB3... form or the ssh-ed25519 equivalent) and get its SHA-256 (modern) and MD5 (legacy) fingerprints, plus key type and bit size. Useful when verifying a known_hosts entry, auditing authorized_keys, or comparing a key shared by a coworker.

Why SSH fingerprints exist

Public-key authentication needs a way to recognize “is this the same key I trusted before”. The full key is hundreds of bytes; comparing visually is impractical. The fingerprint — a hash of the key’s binary form — is short enough to verify on a phone screen and unique enough to detect tampering.

When you ssh server.example.com for the first time, the client shows the server’s fingerprint and asks if you trust it. If the fingerprint matches what the admin published, you accept. From then on, your known_hosts file remembers — any future fingerprint mismatch is loud and probably an attack.

Modern format

SHA256:5jDMXz8C2kE0HnrM2J4HhG8OqfH7hPvr2tN1bLwRY7M

OpenSSH 6.8+ shows fingerprints as Base64-encoded SHA-256, prefixed with SHA256:. The legacy MD5 form (32 hex chars in colon-separated groups) still appears in older tools and in the AWS console for some product lines.

Common workflows

Verify a host before adding to known_hosts. Get the expected fingerprint from your provider’s docs (AWS, GitHub, GitLab publish theirs). Compare on first connect.

Audit authorized_keys. Each line is a key. Drop them through this tool, get fingerprints, match against the list of “supposed-to-have-access” fingerprints.

Match a key from a teammate. Coworker sends their public key. Paste here, send them the fingerprint. If it matches what they expect, the share survived intact.

Detect a swapped server key. Server fingerprint changed unexpectedly? Investigate — could be a legitimate rebuild, could be an MITM. Compare against the published value.
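
The following Python sketch is an added example, not this tool's own code. It computes both fingerprint formats described under "Modern format" for one authorized_keys-style line, as in the audit workflow above. The names fingerprint, read_string and wire and the sample blobs are assumptions made for illustration, and the samples are constructed bytes, not real keys.

```python
import base64
import hashlib
import struct

def read_string(blob, off):
    """Read one SSH wire 'string': uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def fingerprint(line):
    """Fingerprint one public key line; leading options and comments are ignored."""
    fields = line.split()
    for declared, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
            embedded, off = read_string(blob, 0)
        except (ValueError, struct.error):
            continue  # not a base64 key blob (options, comment, ...)
        # The type named in the text must match the type inside the blob.
        if embedded == declared.encode():
            break
    else:
        raise ValueError("no consistent OpenSSH public key in line")
    bits = None
    if declared == "ssh-rsa":
        _exponent, off = read_string(blob, off)
        modulus, off = read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif declared == "ssh-ed25519":
        bits = 256
    # Both hashes cover only the decoded blob, never the comment or options.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"type": declared, "bits": bits, "sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def wire(b):
    """Encode bytes as an SSH wire 'string' (used only to build the samples)."""
    return struct.pack(">I", len(b)) + b

# Constructed sample blobs (correct layout, arbitrary bytes, not real keys).
ED_BLOB = wire(b"ssh-ed25519") + wire(bytes(range(32)))
RSA_BLOB = wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(b"\x00\x80" + bytes(254) + b"\x01")
ED_LINE = "ssh-ed25519 " + base64.b64encode(ED_BLOB).decode() + " alice@laptop"
RSA_LINE = "no-pty ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " backup job"

if __name__ == "__main__":
    for sample in (ED_LINE, RSA_LINE):
        print(fingerprint(sample))
```

A line whose declared type does not match the type embedded in the blob raises ValueError, which catches mixed-up or hand-edited entries before their fingerprints are compared against the allowed list.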

Local computation matters

A leaked private key is bad; a leaked public key is fine. But fingerprinting tools that run remotely have access to logs and analytics that can correlate which fingerprint belongs to which connecting IP. Computing the fingerprint in the browser keeps that metadata local.

Frequently asked questions

SHA-256 or MD5?
SHA-256 has been the OpenSSH default since 6.8 (2015). MD5 is shown for legacy tools. If you compare against modern tools, use SHA-256.
Why does my fingerprint differ from ssh-keygen -lf?
Almost always whitespace — a trailing space or comment may have slipped into your paste. Trim and retry. The fingerprint is a hash of the binary key data, not the comment.
What is the bit size for ed25519?
Ed25519 is fixed at 256-bit (the curve, not the key form). The "bit size" header is mostly meaningful for RSA / DSA / ECDSA. For ed25519, the security level is comparable to RSA-3000.
Is the key sent anywhere?
No. Parsing and hashing run in your browser. The key never leaves the page.
How do I verify a server fingerprint?
Get the server's fingerprint from a trusted out-of-band channel (admin, dashboard). Connect once and compare it with the fingerprint your client offers to store in known_hosts. If they match, it is safe to accept.

Last updated: 2025-01-15