SSH Key Management

Universal key parser, in-app generation, hardware-backed storage. Use the keys you already have, or make new ones in the app.

🔑 Supported Key Types

  • RSA — 2048, 3072, 4096-bit
  • ECDSA — NIST P-256, P-384, P-521
  • Ed25519 — modern elliptic curve, recommended for new keys
  • DSA — legacy support for old hosts

📥 Supported Import Formats

TabSSH ships a universal SSH key parser (SSHKeyParser, ~850 lines) with auto-format detection.

  • OpenSSH — modern openssh-key-v1 format (default for ssh-keygen)
  • PEM (PKCS#1) — traditional -----BEGIN RSA PRIVATE KEY----- format
  • PKCS#8 — universal format, encrypted or unencrypted
  • PuTTY v2 / v3 — .ppk format from PuTTY / WinSCP

Encrypted keys (passphrase-protected) are supported across all formats. You'll be prompted for the passphrase on import.
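
As an added illustration (not TabSSH's SSHKeyParser and not code from the project), the Python example below shows how header-based auto-detection across these formats can work, and how to tell whether a key is passphrase-protected before prompting. The format labels, function names and the constructed sample stub are assumptions made for this example; the EC and DSA PEM labels go beyond the RSA header listed above.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"
# Traditional OpenSSL PEM labels (EC and DSA added beyond the RSA label the page names).
LEGACY = {"RSA PRIVATE KEY": "pem-pkcs1", "EC PRIVATE KEY": "pem-sec1",
          "DSA PRIVATE KEY": "pem-dsa"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _openssh_encrypted(b64_body):
    """openssh-key-v1: magic, then a length-prefixed cipher name ("none" = no passphrase)."""
    try:
        blob = base64.b64decode("".join(b64_body.split()))
    except ValueError:  # binascii.Error subclasses ValueError
        return None
    start = len(MAGIC) + 4
    if not blob.startswith(MAGIC) or len(blob) < start:
        return None
    (n,) = struct.unpack(">I", blob[len(MAGIC):start])
    cipher = blob[start:start + n]
    return cipher != b"none" if len(cipher) == n else None

def detect_key_format(text):
    """Return (format, encrypted); encrypted is None when it cannot be determined."""
    text = text.strip()
    ppk = re.match(r"PuTTY-User-Key-File-([23]):", text)
    if ppk:
        enc = re.search(r"^Encryption:\s*(\S+)", text, re.M)
        return f"putty-v{ppk.group(1)}", (enc.group(1) != "none") if enc else None
    pem = PEM_RE.search(text)
    if not pem:
        return "unknown", None
    label, body = pem.groups()
    if label == "OPENSSH PRIVATE KEY":
        return "openssh", _openssh_encrypted(body)
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return "pkcs8", label.startswith("ENCRYPTED")
    if label in LEGACY:
        return LEGACY[label], "Proc-Type: 4,ENCRYPTED" in body
    return "unknown", None

def stub_openssh(cipher):
    """Constructed sample: an openssh-key-v1 header only, with no key material."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----")

if __name__ == "__main__":
    print(detect_key_format(stub_openssh(b"aes256-ctr")))
```

Detection here reads only headers and the OpenSSH cipher name, so no passphrase or private key material is touched before the format is known.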

📂 Importing a Key

From the connections list → menu → Manage Keys (opens KeyManagementActivity):

  1. Import from file — picks a key file via Android's Storage Access Framework. TabSSH resolves the real filename via DISPLAY_NAME (so you don't end up with msf:1000003152 as the key name) and asks you to confirm the label.
  2. Paste a key — paste OpenSSH/PEM text directly into a dialog, then name it.
  3. Generate a new key pair — pick the type and size; passphrase optional but recommended.

⚙️ Generating a Key In-App

  • Pick the type: RSA / ECDSA / Ed25519 / DSA
  • For RSA: pick the bit size (2048 / 3072 / 4096)
  • For ECDSA: pick the curve (P-256 / P-384 / P-521)
  • Add an optional passphrase (encrypts the private key on disk)
  • The activity shows the public key for you to copy and add to ~/.ssh/authorized_keys on the server

📜 OpenSSH User Certificates (Wave 2.2)

Beyond raw keys, TabSSH supports OpenSSH user certificate authentication — the kind generated by ssh-keygen -s against a CA.

  • Each StoredKey can carry an optional certificate field (the *-cert.pub line).
  • Useful for fleets where servers trust a CA instead of individual user keys.
  • This is OpenSSH cert-format — not X.509.

🔐 How TabSSH Stores Keys

  • Private key bytes are encrypted with AES-256-GCM under a key held in the Android Keystore; the resulting ciphertext is stored in SharedPreferences.
  • The Keystore key is hardware-backed on supported devices (most modern phones have a TEE / secure element).
  • Optional biometric unlock gates access on top of that.
  • The Room database stores only metadata: name, type, fingerprint, comment, optional certificate. The private bytes are never in the DB.
  • SHA-256 fingerprints are computed on import and shown wherever a key is referenced.

📤 Exporting a Key

  • From the key management screen → long-press a key → Export Public Key.
  • Public key is shown in OpenSSH authorized_keys format — copy and paste straight into your server.
  • Private-key export is also available (PEM or OpenSSH format) for migration. You'll need the passphrase if the key was encrypted.