RSA Key Pairs Explained: Public Keys, Private Keys, and How They Work

RSA asymmetric encryption powers HTTPS, SSH, and code signing. Learn what public and private keys are, how they work together, and how to generate a key pair.

RSA is one of the most widely used asymmetric encryption algorithms. Asymmetric means it uses a pair of mathematically related keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the private key. A message signed with the private key can be verified with the public key. This mathematical relationship is what makes HTTPS, SSH, JWT signing, and digital signatures work.

The Public and Private Key Pair

The public key can be shared with anyone. You can publish it on your website, email it to collaborators, or embed it in a certificate. Anyone who has your public key can encrypt a message that only you can decrypt, or verify a signature that only you could have created.

The private key must be kept secret. If the private key is exposed, an attacker can decrypt any message encrypted with the corresponding public key and forge signatures that appear to come from you. Treat a private key like a master password.

How RSA Encryption Works

The mathematical foundation of RSA is the difficulty of factoring large numbers. Two large prime numbers are multiplied together to produce the public modulus. The encryption exponent (public key) and decryption exponent (private key) are derived from these primes using the Chinese Remainder Theorem. Factoring the public modulus back into the original primes requires exponential time, making it computationally infeasible with current hardware for sufficiently large keys.
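A worked illustration of the relationship described above, added here as an example and not code from the article or from the DevHexLab tool. It runs textbook RSA on plain integers: the classic small constructed primes p = 61 and q = 53 for a traceable case, plus a Miller-Rabin generator for random primes of a chosen size. The private exponent d is computed as the modular inverse of e modulo lcm(p-1, q-1), and the private-key operation uses the Chinese Remainder Theorem to work modulo p and q separately, which is how production libraries speed up decryption and signing. It omits the padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) that a deployable implementation requires.

```python
"""Textbook RSA over plain integers: key derivation from two primes,
encryption with the public key, CRT-accelerated decryption with the private
key, and a raw sign/verify pair.  Added example on constructed values; it
omits the padding (OAEP/PSS) that real deployments require."""
from math import gcd
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a proves n composite
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top bit forced to 1, value forced odd)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keypair_from_primes(p: int, q: int, e: int = 65537):
    """Derive (public, private) from primes p and q.

    n = p*q is the public modulus; d is the inverse of e modulo
    lambda(n) = lcm(p-1, q-1), so that (m**e)**d == m (mod n).
    The CRT values dp, dq, qinv let the private-key operation work
    modulo p and q separately instead of modulo the full-size n."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime with lcm(p-1, q-1)")
    d = pow(e, -1, lam)                        # modular inverse (Python 3.8+)
    private = {"n": n, "d": d, "p": p, "q": q,
               "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}
    return (n, e), private


def generate_keypair(bits: int = 2048, e: int = 65537):
    """Generate a fresh random key pair whose modulus is about `bits` long."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        try:
            return keypair_from_primes(p, q, e)
        except ValueError:                     # p == q or e not invertible: redraw
            continue


def encrypt(public, m: int) -> int:
    """Public-key operation: m**e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Private-key operation via the Chinese Remainder Theorem (Garner's form)."""
    p, q = private["p"], private["q"]
    m1 = pow(c, private["dp"], p)
    m2 = pow(c, private["dq"], q)
    h = (private["qinv"] * (m1 - m2)) % p
    return m2 + h * q


def sign(private, digest: int) -> int:
    """Raw RSA signature: the private-key operation applied to a digest value."""
    return decrypt(private, digest)


def verify(public, digest: int, signature: int) -> bool:
    """Anyone holding the public key can check that the signature recovers the digest."""
    return encrypt(public, signature) == digest


if __name__ == "__main__":
    public, private = keypair_from_primes(61, 53, e=17)    # constructed small example
    c = encrypt(public, 65)
    print(f"n={public[0]} e={public[1]} d={private['d']} c={c} m={decrypt(private, c)}")
    pub, priv = generate_keypair(512)                       # small size, fast for a demo
    print(f"generated {pub[0].bit_length()}-bit modulus; round trip ok:",
          decrypt(priv, encrypt(pub, 0xC0FFEE)) == 0xC0FFEE)
```

With p = 61, q = 53 and e = 17 the modulus is 3233, d comes out as 413, and the message 65 encrypts to 2790; decrypting through the CRT path returns 65. Signing is the same private-key operation applied to a digest, which is why exposure of the private key breaks both confidentiality and authenticity at once.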

Key Sizes

RSA security is measured in bits. The bit count refers to the length of the public modulus. A 2048-bit key is the current minimum recommended for general use. 4096-bit keys provide a larger security margin at the cost of significantly slower key generation and operations. Keys shorter than 2048 bits (including the once-common 1024-bit keys) are no longer considered secure.

Common Uses

HTTPS and TLS: RSA keys are used in the TLS handshake to authenticate the server and negotiate the symmetric encryption key used for the session.

SSH: RSA key pairs are used for passwordless SSH authentication. You place the public key on the server and keep the private key on your local machine.

JWT signing: RS256 (RSA-SHA256) uses a private key to sign JWTs and the corresponding public key to verify them.

Code signing: software publishers sign releases with their private key so users can verify the software has not been tampered with.

Using the DevHexLab RSA Key Generator

Open the tool at /tools/security/rsa-key-generator. Choose the key size (2048 or 4096 bits) and click Generate. The tool produces PEM-encoded public and private keys in your browser. Download both immediately. Store the private key in a secure location (a hardware security module, an encrypted vault, or a secrets manager). Share only the public key.

Frequently Asked Questions

Should I use RSA or elliptic curve cryptography?

Elliptic curve cryptography (ECDSA, Ed25519) provides equivalent security to RSA with much smaller key sizes and faster operations. For new systems, Ed25519 is often the better choice for SSH keys and JWT signing. RSA remains widely supported and is required for compatibility with some older systems.

Can I regenerate the same key pair?

No. Each generation produces a new random key pair. The private key cannot be recovered once lost.

What is PEM format?

PEM (Privacy Enhanced Mail) is a Base64-encoded text format bracketed by header and footer lines such as -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----. It is the standard format for storing and exchanging cryptographic keys in most tools and platforms.
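To make the format concrete, here is a small stand-alone encoder and parser for a PKCS#1 RSA public key in PEM, added as an example and not part of the article or the DevHexLab tool. It uses only the Python standard library and constructed key values (the toy modulus 3233 with exponent 17, and a synthetic large modulus in the usage check) to show that a PEM block is the DER encoding of the key, Base64-encoded, wrapped at 64 columns and placed between the BEGIN and END lines. It handles the RSAPublicKey structure only; private keys and the SubjectPublicKeyInfo wrapper that a BEGIN PUBLIC KEY header denotes carry more fields but follow the same DER-in-PEM layout.

```python
"""Encode and parse a PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER,
publicExponent INTEGER } in PEM armour, standard library only.  Added
example on constructed key values; not the article's or the tool's code."""
import base64

HEADER = "-----BEGIN RSA PUBLIC KEY-----"
FOOTER = "-----END RSA PUBLIC KEY-----"


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02): big-endian two's complement, so a 0x00 byte is
    prepended when the top bit is set, otherwise the value would read as negative."""
    if value < 0:
        raise ValueError("RSA parameters are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) wrapping already-encoded items."""
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def public_key_to_pem(n: int, e: int) -> str:
    """PEM = header line, Base64 of the DER wrapped at 64 columns, footer line."""
    der = der_sequence(der_integer(n), der_integer(e))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value bytes, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def pem_to_public_key(pem: str):
    """Strip the armour, Base64-decode, walk the DER and return (n, e)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not a PKCS#1 RSA PUBLIC KEY PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs (modulus, exponent)")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    pem = public_key_to_pem(3233, 17)        # constructed toy key: n = 61 * 53
    print(pem, pem_to_public_key(pem))
```

For the toy key the DER is the nine bytes 30 07 02 02 0c a1 02 01 11, which Base64-encodes to MAcCAgyhAgER between the header and footer lines; a real 2048-bit modulus produces a 257-byte INTEGER (a leading 0x00 because the top bit is set) and therefore the long-form length encoding, which the parser also handles. Rejecting a block whose header does not match the expected key type is a cheap check that catches a certificate or private key being pasted where a public key was expected.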

Generate a key pair, protect the private key, and share the public key freely.