
Public Key vs Private Key: The Locked Box Analogy

I remember the first time I set up an SSH key. I had to generate a "public" one and a "private" one. I knew I was supposed to keep the private one secret and share the public one, but I didn't really understand why it worked.

If someone has my public key, can't they just reverse-engineer it to get my private key?

The answer is asymmetric encryption, and it's a bit like a magic padlock.

The Locked Box Analogy

Imagine Alice wants to send a secret letter to Bob.

1. The Public Key (The Padlock)

Bob sends Alice an open padlock. This is his Public Key. Anyone can see it, and anyone can have a copy of it.

2. The Private Key (The Key)

Bob is the only person in the world who has the physical key that opens that specific padlock. This is his Private Key.

3. The Exchange

Alice puts her letter in a box, snaps Bob's padlock shut, and sends the box across the world.

Even if a thief steals the box, they can't open it because they don't have the key. When the box arrives, Bob uses his Private Key to unlock it and read the letter.

      (Open Padlock)             (Locked Box)             (Key)
Alice <------------- Bob   Alice -------------> Bob ----> [Open!]
       Public Key                 Encrypted Data         Private Key

Wait, but why?

Why do we need this? In the old days (symmetric encryption), you and the other person had to agree on a password before you could talk. But how do you share the password securely? You’d have to meet in person or send a carrier pigeon.

Asymmetric encryption lets you establish a secure connection with a stranger you've never met, using only public information!


Common gotchas

  • I always forget that you can also use your private key to sign something. If you "lock" a message with your private key, anyone with your public key can open it and prove that only you could have sent it. This is how digital signatures work.
  • Watch out for your .pub files: In your ~/.ssh folder, the one ending in .pub is the one you share. The one without the extension is your secret! Never, ever share that one.
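To make the padlock, the key and the signature concrete, here is an added example (not part of the original post): toy textbook RSA in Python. The primes 61 and 53, the exponent 17 and all function names are constructed for illustration, and there is no padding, so this shows the math only and not how ssh-keygen builds real keys. It also answers the reverse-engineering question: getting the private key from the public one means factoring n, which is instant for a 12-bit n and infeasible at real key sizes of 2048 bits or more.

```python
# Toy textbook RSA (added illustration): tiny constructed primes, no padding.
import hashlib

def make_keypair(p, q, e=17):
    """Return (public, private): public=(n, e) is the padlock, private=(n, d) the key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public, m):
    """Snap the padlock shut: anyone holding the public key can do this."""
    n, e = public
    return pow(m, e, n)

def decrypt(private, c):
    """Open the box: needs the private exponent d."""
    n, d = private
    return pow(c, d, n)

def digest(message, n):
    """SHA-256 of the message, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """'Lock' the digest with the private key."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(public, message, signature):
    """Anyone with the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def recover_private(public):
    """Factor n by trial division. Works only because n is tiny."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)
    return n, pow(e, -1, (p - 1) * (n // p - 1))

BOB_PUBLIC, BOB_PRIVATE = make_keypair(61, 53)   # constructed sample primes

if __name__ == "__main__":
    box = encrypt(BOB_PUBLIC, 65)                # Alice locks the number 65
    print("locked box:", box, "-> opened:", decrypt(BOB_PRIVATE, box))
    sig = sign(BOB_PRIVATE, b"hello from Bob")
    print("signature valid:", verify(BOB_PUBLIC, b"hello from Bob", sig))
    print("factoring the toy n gives:", recover_private(BOB_PUBLIC))
```

The last line only succeeds because n = 3233 has two-digit factors; the same search against a real RSA modulus would not finish.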

Try it yourself

You can see what your public key looks like:

    cat ~/.ssh/id_rsa.pub

(Or whatever your key file is named.) It's just a long string of gibberish: that's your "open padlock"!



— Nadeem 🔐
