When you try to SSH into a server and get WARNING: UNPROTECTED PRIVATE KEY FILE!, the fix is almost always a single command: chmod 600 ~/.ssh/id_rsa. The same mode protects your .env files and SSL private keys — anything that must stay readable to you and invisible to everyone else on the system. This guide explains why these files need it and how to set it without locking yourself out.
chmod 600 means rw-------. The owner gets read+write (6 = 4+2). Group and others get nothing (0). Use it for ~/.ssh/id_rsa, .env files, SSL private keys, and any file that must be completely private to its owner.
How 600 is calculated
rw-------: owner read + write (6), group and others no access at all (0).
Owner: 6 = 4 (read) + 2 (write) + 0 = rw-
Group: 0 = 0 + 0 + 0 = ---
Others: 0 = 0 + 0 + 0 = ---
Result: rw-------
The group and others columns are all zeros — no read, no write, no execute. Only the file's owner can interact with it.
Fixing the SSH "UNPROTECTED PRIVATE KEY FILE" error
When OpenSSH connects to a server, it checks whether your private key file is accessible to anyone other than you. If the group or others have any permission bits set, SSH refuses to use the key and prints:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible
by others.
This private key will be ignored.
The fix:
# Fix the key file permissions
chmod 600 ~/.ssh/id_rsa
# The ~/.ssh directory itself must also be restricted
chmod 700 ~/.ssh
# Verify
ls -la ~/.ssh/
# drwx------ .
# -rw------- id_rsa
Note: the ~/.ssh directory needs 700 (not 600), because a directory needs the execute bit to be entered. The private key file inside it needs 600.
Files that must be chmod 600
SSH private keys
Any file in ~/.ssh/ that is a private key: id_rsa, id_ed25519, id_ecdsa, and any key you download from cloud providers (e.g. AWS .pem files). OpenSSH enforces this strictly: it will not use a key that group or others can access.
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/downloads/my-server.pem
.env files
A .env file typically contains database passwords, API keys, and other secrets. If it is readable by others (644 or 666), any user on the system can read those credentials — a major risk on shared hosting. Set it to 600:
chmod 600 .env
If your web server process needs to read .env, make the web server user the owner (chown www-data .env) rather than widening the permissions.
SSL / TLS private keys
Private keys for HTTPS certificates (e.g. privkey.pem in Let's Encrypt setups) must be unreadable by other users. The web server process reads them as root or a privileged user before dropping privileges:
chmod 600 /etc/letsencrypt/live/example.com/privkey.pem
chmod 600 vs similar modes
| Mode | Symbolic | Typical use |
|---|---|---|
| 600 | rw------- | SSH private keys, .env, SSL private keys |
| 400 | r-------- | Read-only secrets (prevents accidental overwrite) |
| 640 | rw-r----- | Config files readable by a specific group |
| 644 | rw-r--r-- | Public config files, web content |
| 700 | rwx------ | Private directories (e.g. ~/.ssh/) |
600 vs 400: Both keep group and others out. The difference is that 400 removes the owner's write bit too, preventing accidental overwriting. For SSH keys, both work. 400 is slightly more defensive.
The chmod -R 600 trap
Never run chmod -R 600 on a directory. The -R flag recurses into subdirectories and applies 600 to them too — stripping the execute bit that directories need to be traversed. The result: you can no longer cd into those directories or access any files inside them.
# DANGEROUS — do not do this
chmod -R 600 ~/.ssh # locks you out of your own SSH directory
# CORRECT — set files to 600, directory to 700
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/authorized_keys # public key file — readable is fine
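The OpenSSH permission check and the safe alternative to chmod -R 600, as an added example that is not part of the original guide: it audits a directory for files that group or others can access, then repairs directories and files separately. The function names (mode_of, too_open, audit_dir, lock_down) are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed when group or others hold any permission bit: (mode & 077) != 0.
# That is the condition the page describes for the OpenSSH warning.
too_open() {
    [ $(( 0$(mode_of "$1") & 077 )) -ne 0 ]
}

# Audit: print "MODE PATH" for every regular file group or others can access.
audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if too_open "$f"; then
            printf '%s %s\n' "$(mode_of "$f")" "$f"
        fi
    done
}

# Repair without `chmod -R 600`: directories get 700 so they keep the
# execute bit, regular files get 600. `\;` runs chmod on each directory as
# find visits it, before descending into it.
lock_down() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} +
}

# Usage: sh script.sh ~/.ssh   (audits only; call lock_down to repair)
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

lock_down also sets public files such as authorized_keys to 600; reopen them to 644 afterwards if something other than the owner needs to read them.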
Frequently Asked Questions
What does chmod 600 mean?
chmod 600 sets rw-------. The owner can read and write (6 = 4+2). The group and all other users have zero access. It is the required permission for SSH private keys, .env files, and SSL private keys.
Why does SSH say WARNING: UNPROTECTED PRIVATE KEY FILE?
OpenSSH refuses to use a private key if the group or others have any read or write access. Fix it with chmod 600 ~/.ssh/id_rsa. Also make sure the ~/.ssh directory itself is chmod 700. OpenSSH enforces these permissions for security — a key readable by other users on the system could be silently copied.
Should .env files be chmod 600 or 644?
.env files must be 600 (or at most 640 if a group process needs to read them). A .env file at 644 is readable by every user on the system. Since .env files typically contain database passwords and API keys, world-readable permissions are a serious security risk — especially on shared hosting.
What is the difference between chmod 600 and chmod 400?
chmod 600 gives the owner read and write (rw-------). chmod 400 gives the owner read only (r--------). For SSH keys, either satisfies OpenSSH's requirements. 400 is slightly more defensive because it prevents accidental overwriting. 600 is the more common convention.
Is it dangerous to use chmod -R 600 on a directory?
Yes. chmod -R 600 removes the execute bit from all directories in the tree. Without the execute bit, a directory cannot be entered and its files become inaccessible. If you run this on ~/.ssh or your home directory you can lock yourself out of SSH. Always set directories and files separately: chmod 700 ~/.ssh and chmod 600 ~/.ssh/id_rsa.