RSA Key Generator
Generate RSA-2048, RSA-3072, or RSA-4096 key pairs in PEM format using the browser's Web Crypto API. Keys never leave your device.
Keys are generated entirely in your browser using the Web Crypto API and are never transmitted or stored.
An RSA key generator creates a mathematically linked pair of cryptographic keys: a public key and a private key, used to encrypt data, verify digital signatures, and authenticate SSH connections. Developers and system administrators use RSA key pairs to secure web servers, sign software releases, and establish encrypted communication channels. AlteredIdea's RSA key generator uses the Web Crypto API and runs entirely in your browser: your private key is never transmitted to any server.
RSA key generation in the browser
RSA (Rivest–Shamir–Adleman) is the most widely deployed asymmetric cryptography algorithm. A key pair consists of a public key: which you share freely: and a private key that must remain secret. Data encrypted with the public key can only be decrypted with the matching private key.
This tool uses the browser's native Web Crypto API to generate keys directly on your device. There is no server-side processing, no data upload, and no logging. The exported PEM files are in standard SPKI/PKCS#8 format, compatible with OpenSSL, Node.js, Java, Python, and virtually every cryptographic library.
Step-by-step guide
- 1Choose a key size
Select 2048, 3072, or 4096 bits. 2048-bit is standard for most uses; 4096-bit provides extra security at the cost of slower generation. - 2Select an algorithm
Choose RSA-OAEP for encryption/decryption use cases, or RSASSA-PKCS1-v1_5 for signing and verification. - 3Click Generate Key Pair
The browser's Web Crypto API generates the key pair entirely on your device. No data is sent to any server. - 4Copy or download the public key
Use the Copy button or download a .pem file. The public key can be shared freely with anyone who needs to encrypt data to you. - 5Secure the private key
Download the private key and store it securely. Never share it. It is required to decrypt data encrypted with your public key, or to sign messages.
Related Tools
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.
HMAC Generator
Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.
AES Encrypt / Decrypt
Encrypt and decrypt text with AES-256-GCM. Password-derived key via PBKDF2. Output includes salt and IV: fully self-contained.
Secure Token Generator
Generate cryptographically random tokens in hex, Base64, Base64URL, alphanumeric, or UUID v4 format.
Frequently Asked Questions
- Are the generated keys cryptographically secure?
- Yes. Keys are generated using the browser's built-in Web Crypto API (SubtleCrypto), which uses the operating system's CSPRNG and is considered cryptographically secure for production use.
- Does any key data leave my device?
- No. Key generation and export happen entirely in-browser. No network requests are made. The keys are never transmitted to any server.
- What is the difference between RSA-OAEP and RSASSA-PKCS1-v1_5?
- RSA-OAEP (Optimal Asymmetric Encryption Padding) is used for encrypting data with a public key and decrypting with the private key. RSASSA-PKCS1-v1_5 is used for creating digital signatures with the private key and verifying them with the public key.
- Which key size should I choose?
- 2048-bit RSA is currently the minimum recommended by NIST for most applications and is widely supported. 3072-bit offers a security margin through 2030+. 4096-bit provides the highest security but is slower to generate and use.
- What PEM format is used?
- Public keys are exported as SPKI (SubjectPublicKeyInfo) and private keys as PKCS#8, both base64-encoded with standard PEM headers. These formats are compatible with OpenSSL, Node.js, Java, and most cryptographic libraries.
- Can I use these keys with OpenSSL?
- Yes. The generated PEM files are in standard formats that OpenSSL can read. For example: openssl rsa -in key.private.pem -check to verify the private key.
- Why might 4096-bit generation be slow?
- Generating a 4096-bit RSA key requires finding large prime numbers, which is computationally intensive. Browsers may take several seconds. 2048-bit generation is nearly instant.
- How do I use the key pair for SSH?
- The PKCS#8/SPKI format from this tool is not directly usable for SSH, which requires OpenSSH format. You can convert using: ssh-keygen -p -m PEM -f key.private.pem: or use a dedicated SSH key generator.
- What should I do with the private key?
- Store the private key in a secure location such as a password manager, hardware security module, or encrypted filesystem. Never commit it to version control or share it publicly.
- Can I regenerate a key pair to get a new one?
- Yes. Click Generate Key Pair again to create a fresh key pair. Each generation produces a unique, unrelated key pair.
AlteredIdea vs alternatives
vs server-side tools: Everything runs in your browser: your data never leaves your device.
vs command-line tools: No setup needed. Works instantly in any browser.
vs paid tools: Completely free, no account required.