This error occurs when SSH cannot write a key file to disk. Common causes include permission issues on the .ssh directory, insufficient disk space, or a read-only filesystem. The fix depends on identifying whether the problem is permissions, storage, or file system access.
The "key_write failed" error appears when OpenSSH (ssh-keygen, ssh-add, or SSH client) attempts to write or save a key file but fails at the filesystem level. This typically happens during key generation with ssh-keygen or when the SSH client tries to cache a key. Unlike authentication failures, this is a system-level I/O error—SSH has already decided what needs to be written but cannot complete the operation due to permissions, disk space, or filesystem restrictions.
SSH requires the .ssh directory to have restrictive permissions (700). Check current permissions:
ls -ld ~/.sshShould show: drwx------ (700)
If permissions are wrong, fix them:
chmod 700 ~/.sshIf the directory doesn't exist, create it:
mkdir -p ~/.ssh
chmod 700 ~/.sshThe .ssh directory must be owned by the current user, not root or another user. Check ownership:
ls -ld ~/.sshShould show: user user (your username for both owner and group)
If ownership is wrong, fix it:
chown -R $USER:$USER ~/.sshOr explicitly:
chown -R $(whoami):$(whoami) ~/.sshThis is especially important if you previously ran ssh commands with sudo.
Check if your filesystem has enough free space:
df -hLook for the partition containing /home (or ~). If it shows 100% or very close (95%+), you're out of space.
Free up space by:
# Find large files in home directory
du -sh ~/* | sort -h
# Remove unnecessary files
rm -rf ~/Downloads/* # or other large directories
rm -rf ~/.cache/pip # Python cacheThen retry the key operation.
If a key file already exists, it may have the immutable attribute set. Check:
lsattr ~/.ssh/id_rsa 2>/dev/null || echo "File doesn't exist or no extended attributes"If you see an 'i' flag (immutable), remove it:
sudo chattr -i ~/.ssh/id_rsaThen retry the operation.
If your .ssh directory has issues, generate the key elsewhere temporarily and move it:
# Generate in /tmp (always writable)
ssh-keygen -t rsa -b 4096 -f /tmp/id_rsa_temp
# Move to .ssh with correct permissions
mv /tmp/id_rsa_temp ~/.ssh/id_rsa
mv /tmp/id_rsa_temp.pub ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pubThis works around temporary permission issues.
On systems with SELinux (RHEL/CentOS) or AppArmor (Ubuntu), security policies might block writes. Check if either is active:
# Check SELinux (RHEL/CentOS)
getenforce
# Check AppArmor (Ubuntu)
aa-status 2>/dev/null || echo "AppArmor not installed"If SELinux shows "Enforcing", check the context:
ls -laZ ~/.sshIf the context is wrong, fix it:
restorecon -R ~/.sshFor AppArmor, check the profile:
sudo aa-status | grep -i sshIf the profile is in Enforce mode and blocking, consider switching to Complain mode temporarily for debugging.
If the filesystem is mounted read-only, no writes will succeed. Check:
mount | grep "on / "If you see "ro" (read-only), remount as read-write:
sudo mount -o remount,rw /Also check the home filesystem:
mount | grep "on /home"If it's read-only, remount it:
sudo mount -o remount,rw /homeAfter fixing permissions and disk space, generate a fresh key:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""Or for ED25519 (newer, recommended):
ssh-keygen -t ed25519 -f ~/.ssh/id_rsa -N ""The -N "" skips the passphrase prompt. Verify it created successfully:
ls -la ~/.ssh/id_rsa*Should show:
- -rw------- (600) id_rsa (private key)
- -rw-r--r-- (644) id_rsa.pub (public key)
Advanced troubleshooting:
WSL (Windows Subsystem for Linux): WSL filesystems sometimes have permission caching issues. If you've recently changed permissions or ownership, try restarting WSL:
# Exit WSL and run from Windows PowerShell:
wsl --shutdown
# Then re-enter WSL and retryNFS/Remote Home Directories: If your home directory is on a network mount (NFS, SMB), the mount options might restrict permissions. Check with your system administrator to ensure the mount includes write access.
Docker/Container Environments: Inside containers, if /home is mounted read-only or as a volume without proper permissions, SSH operations will fail. Ensure the volume is mounted with correct permissions:
docker run -it -v /home/user/.ssh:/home/user/.ssh:rw ...Debugging with strace: For obscure filesystem issues, trace the exact syscall failure:
strace -e openat,write ssh-keygen -t rsa -f ~/.ssh/test_key 2>&1 | tail -20This shows exactly which syscall is failing and why (EACCES = permission, ENOSPC = no space, EROFS = read-only fs).
Filesystem Corruption: If all else fails and you suspect disk corruption, run a filesystem check:
# For ext4 (requires unmounting)
sudo fsck.ext4 -y /dev/sdaX
# Check without repair first
sudo fsck.ext4 -n /dev/sdaXLoad key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH