SSH Key Migration Guide

Cybersecurity · Friday, March 27, 2026 · 5 min read


Transferring SSH Keys to a New Mac

Prepared by Zeya | March 2026

Overview

When upgrading to a new Mac laptop, your SSH access to remote servers depends on your private key, not the machine itself. The servers already have your public key in their authorized_keys file. To regain access from a new machine, you need to transfer your entire SSH key pair and configuration.

This guide walks you through the complete process step by step.

Understanding Your SSH Files

Before migrating, it helps to know what each file in your ~/.ssh/ directory does:

| File | Description |
| --- | --- |
| id_rsa | Private key (secret) — this is what grants access |
| id_rsa.pub | Public key — already installed on your servers |
| config | SSH shortcuts and per-host settings |
| known_hosts | Server fingerprints (avoids trust prompts) |
| authorized_keys | Server-side file listing trusted public keys |

⚠️ Important

The private key (id_rsa or id_ed25519) is the critical file. Without it, you cannot authenticate.

Never share your private key publicly. Treat it like a password.

Phase 1: Backup from Current Mac

Step 1: Check Your Existing Keys

Open Terminal on your current Mac and list the contents of your SSH directory:

ls -la ~/.ssh/

You should see files like id_rsa, id_rsa.pub (or id_ed25519 and id_ed25519.pub if you used a newer key type), along with config and known_hosts.

Step 2: Create a Secure Backup

You have several options for transferring the files. Choose whichever is most convenient:

Option A: ZIP Archive (for USB or AirDrop)

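# Create a zip of the entire .ssh directory (run from your home directory so
# the archive stores ".ssh/..." and unzips to ~/.ssh in Phase 2)

cd ~ && zip -r ~/Desktop/ssh_backup.zip .ssh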

Transfer the zip file to your new Mac via USB drive, AirDrop, or any secure method.

Option B: Direct Copy via AirDrop

You can also AirDrop the individual files directly. In Finder, press Cmd+Shift+G and navigate to ~/.ssh/ to access the folder.

Option C: Secure Copy over Network

If both Macs are on the same network:

# From the NEW Mac, pull the .ssh directory from the old Mac into your home
# directory (Remote Login must be enabled on the old Mac)

scp -r olduser@old-mac-ip:~/.ssh ~/

🔒 Security Note

Avoid transferring SSH keys via email, cloud storage, or messaging apps.

Use direct transfer methods (USB, AirDrop, or SCP) to minimize exposure.

Phase 2: Setup on New Mac

Step 1: Place the SSH Files

Copy the backup to the correct location on your new Mac:

# If you used the zip method

unzip ~/Downloads/ssh_backup.zip -d ~/

# If you copied the folder directly, place it at ~/.ssh/

Step 2: Fix File Permissions (Critical)

SSH is very strict about file permissions. If they are wrong, SSH will refuse to use your keys. Run all of the following commands:

# Set directory permission

chmod 700 ~/.ssh

# Set private key permission (read/write owner only)

chmod 600 ~/.ssh/id_rsa

# Or if using ed25519:

# chmod 600 ~/.ssh/id_ed25519

# Set public key permission

chmod 644 ~/.ssh/id_rsa.pub

# Or: chmod 644 ~/.ssh/id_ed25519.pub

# Set config file permission (if exists)

chmod 600 ~/.ssh/config

# Set known_hosts permission

chmod 644 ~/.ssh/known_hosts

⚠️ Why This Matters

If your private key file has permissions wider than 600, SSH will print:

"WARNING: UNPROTECTED PRIVATE KEY FILE!" and refuse to connect.

Getting these permissions right is the most common pitfall in key migration.
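
A check for the permissions set in this step, as an added example that is not part of the original guide: it reports every entry in an SSH directory that is more permissive than the cheat sheet allows. The function names and the sample directory are constructed for illustration, and files the guide does not list are assumed to be private (600).

```sh
#!/bin/sh
# Added example (not from the original guide): audit an SSH directory against
# the guide's permission cheat sheet. Files the cheat sheet does not list are
# treated as private (600); that is this example's assumption.

# Print a path's octal mode: GNU stat syntax first, then BSD/macOS syntax.
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Succeed when mode $1 sets no permission bit outside the allowed mode $2.
mode_within() {
    [ $(( 0$1 & ~0$2 & 0777 )) -eq 0 ]
}

# Report every entry that is more permissive than allowed; return 1 if any.
audit_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad=0
    mode=$(file_mode "$dir")
    mode_within "$mode" 700 || { echo "TOO OPEN $mode (max 700) $dir"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.pub|known_hosts*) max=644 ;;   # public material
            *) max=600 ;;                    # private keys, config, the rest
        esac
        mode=$(file_mode "$f")
        mode_within "$mode" "$max" || { echo "TOO OPEN $mode (max $max) $f"; bad=1; }
    done
    return "$bad"
}

# Constructed sample: an unzipped backup whose files came out world-readable.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/id_rsa" "$d/id_rsa.pub" "$d/config" "$d/known_hosts"
    chmod 755 "$d"
    chmod 644 "$d/id_rsa" "$d/id_rsa.pub" "$d/config" "$d/known_hosts"
    echo "$d"
}

sample=$(make_sample_dir)
audit_ssh_perms "$sample" || echo "apply the chmod commands from Step 2"
rm -rf "$sample"
```

Call audit_ssh_perms with no argument to check your real ~/.ssh directory after running the chmod commands above.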

Step 3: Load Key into macOS SSH Agent

Start the SSH agent and add your key to the macOS Keychain so you are not prompted for a passphrase on every connection:

eval "$(ssh-agent -s)"

ssh-add --apple-use-keychain ~/.ssh/id_rsa

Step 4: Configure Automatic Key Loading

Add the following to your ~/.ssh/config file (create it if it does not exist) so macOS loads the key automatically on every login:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

If you use ed25519 keys, replace id_rsa with id_ed25519 in the IdentityFile line.

Step 5: Test the Connection

Try connecting to one of your servers:

ssh user@your-server-ip

If the connection succeeds without asking for a password, your migration is complete.

Phase 3: Post-Migration Cleanup

Verify All Servers

Test each server you regularly access to ensure they all work. If you have aliases configured in your SSH config, test those as well:

# Test by alias (if configured in ~/.ssh/config)

ssh myserver1

ssh myserver2

# Or by IP

ssh user@192.168.1.100

Clean Up the Old Mac

Once everything is confirmed working on the new Mac, securely remove the keys and any backup files from the old machine (especially if you plan to sell, give away, or recycle it):

# On the OLD Mac - remove SSH keys

rm -rf ~/.ssh/

# Also delete any backup zip files

rm -f ~/Desktop/ssh_backup.zip

💡 Pro Tip

If you manage many servers, consider keeping a list of server aliases in your ~/.ssh/config file. This way, migrating also preserves your shortcuts:

Host mac-mini-1
  HostName 192.168.1.10
  User hanif
  IdentityFile ~/.ssh/id_rsa

Troubleshooting

Permission Denied (publickey)

  • Verify your private key permissions are 600: chmod 600 ~/.ssh/id_rsa
  • Ensure the key is loaded: ssh-add -l
  • Check verbose output: ssh -vvv user@server

Agent Has No Identities

  • Re-add the key: ssh-add --apple-use-keychain ~/.ssh/id_rsa
  • Verify the SSH agent is running: eval "$(ssh-agent -s)"

Known Hosts Warning

If you get a warning about a host key mismatch and you know the server's key legitimately changed (e.g., after a server OS reinstall), you can remove the offending entry:

ssh-keygen -R your-server-ip

Wrong Key Type

If your servers expect ed25519 keys but you only copied RSA keys (or vice versa), check which key type your server has in its authorized_keys:

# On the server, check what keys are authorized

cat ~/.ssh/authorized_keys

Then ensure you copied the matching private key to your new Mac.

Quick Reference: Permission Cheat Sheet

| File / Directory | Permission | Meaning |
| --- | --- | --- |
| ~/.ssh/ (directory) | 700 | Owner only: read, write, execute |
| Private key (id_rsa) | 600 | Owner only: read, write |
| Public key (id_rsa.pub) | 644 | Owner: read/write, Others: read |
| config | 600 | Owner only: read, write |
| known_hosts | 644 | Owner: read/write, Others: read |

✅ Summary

1. Copy the entire ~/.ssh/ folder from old Mac to new Mac

2. Fix permissions (chmod 700, 600, 644 as appropriate)

3. Load key into macOS Keychain (ssh-add --apple-use-keychain)

4. Configure auto-loading in ~/.ssh/config

5. Test connections, then clean up old machine

No changes are needed on any of your servers!