How SSH uses key pairs

Overview of how SSH key pairs authenticate a connection

When the client is ready to communicate with the server over an SSH connection, for example for SFTP, it begins by sending an authentication request to the server. The server encrypts a message using the public key and sends the message to the client. The client decrypts the message using the private key and creates a signature that contains the message the server encrypted. That signature is passed to the server, which uses it to verify the keys and authenticate the connection.

Diagram showing the steps for requesting authentication using an SSH key pair

A passphrase is an optional string used to protect the private key. When the private key is created with a passphrase, the key can decrypt messages only when the passphrase is also provided, similar to a password. This provides an extra level of security in the event the private key is compromised.