SSH Key Fingerprint Viewer

An SSH key fingerprint is a short, unique identifier derived from a public key using a cryptographic hash function (typically MD5 or SHA256). It serves as a human-verifiable checksum that helps you confirm the identity of a server or key. When connecting to an SSH server for the first time, the fingerprint is displayed so you can verify it matches the expected value — preventing man-in-the-middle attacks.

MD5 fingerprints produce a 128-bit (16-byte) hash displayed as 16 colon-separated hex pairs (e.g., MD5:de:ad:be:ef:...). They were the default in OpenSSH for many years but are now considered legacy due to known MD5 collision vulnerabilities.

SHA256 fingerprints produce a 256-bit (32-byte) hash displayed as a Base64-encoded string prefixed with SHA256: (e.g., SHA256:uV8s...). Since OpenSSH 6.8 (2015), SHA256 has been the default fingerprint algorithm and is recommended for all modern use.

On Linux/macOS: Run cat ~/.ssh/id_rsa.pub (or id_ed25519.pub, id_ecdsa.pub) in your terminal, then copy the output.

On Windows (PowerShell): Run Get-Content ~\.ssh\id_rsa.pub or use type %userprofile%\.ssh\id_rsa.pub in Command Prompt.

From a server's host key: Use ssh-keyscan -t rsa [hostname] to retrieve the public key, or check /etc/ssh/ssh_host_rsa_key.pub on the server.

When you first connect to a server via SSH, the client displays the host's fingerprint. You should compare this against a trusted source (e.g., the server administrator provided it via a secure channel, or it's published on the server's documentation page). This tool helps you compute the fingerprint from a known public key so you can cross-check. Never blindly accept an unknown fingerprint — this is a critical security step to prevent MITM attacks.

This tool supports all common SSH public key formats, including:
RSA (ssh-rsa) — the most widely used legacy type, 2048–4096 bits;
ED25519 (ssh-ed25519) — modern, fast, and recommended for new keys;
ECDSA (ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521) — elliptic curve keys;
DSA (ssh-dss) — deprecated but still recognized.

If you encounter a key type that isn't recognized, the tool will still attempt to decode the Base64 payload and compute its fingerprint.

Absolutely safe. All computation happens entirely in your browser using JavaScript. Your key data is never uploaded to any server, transmitted over the network, or stored anywhere. The fingerprint calculation (both MD5 and SHA256) runs locally using the Web Crypto API and a client-side MD5 implementation. You can even disconnect from the internet after loading the page — the tool will continue to work. Never paste your private key — this tool is designed for public keys only.

If you're comparing fingerprints, ensure you're using the same hash algorithm. By default, modern ssh-keygen uses SHA256 (ssh-keygen -lf key.pub). To get the MD5 fingerprint on the command line, use ssh-keygen -E md5 -lf key.pub. Also note that the fingerprint is computed on the raw binary key data (the Base64-decoded portion between the key type and comment), not on the entire line including the type prefix.

Yes! Once the page loads, all processing is done locally. You can bookmark this tool, save the HTML file, or use it in an air-gapped environment. No external API calls, no analytics tracking the key data, and no CDN dependencies beyond the initially loaded Bootstrap and Font Awesome assets (which could also be self-hosted).