Linux Misc

Generating Ed25519 Secure SSH Keys

Using SSH keys to log in to your Linux server allows you to have a much simpler password than this one 👇

Ja5H%4v^rGN#2bCPZgX6Uuwk&c7pJFVE

which is asked for every time we use the sudo command. In my 6 years of experience handling Linux servers, I have seen that most servers have an RSA-based SSH key.

Today, I have prepared the perfect 👌 command to create a small & secure SSH key pair for your servers.

🔒 Ed25519 SSH Keys

Ed25519 is the EdDSA signature scheme instantiated over the Curve25519 elliptic curve. Ed25519 SSH keys are much smaller and much faster than RSA SSH keys 👇

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDP8M8jPEvhNpzJYG6jW29Xz661W7+Mc8cVBlh+uCKHN [email protected]
id_ed25519.pub (SSH public key)

Here is the command, for the bash shell, to generate a new Ed25519 SSH key with a comment of the form user@hostname 👇

mkdir -p ~/.ssh && ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "$(whoami)@$(hostname)"

In case you're using the fish shell (which I do on my private server):

mkdir -p ~/.ssh && ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C (whoami)@(hostname)

💡 Explanation

The -o flag saves the private key in the OpenSSH format rather than in the PEM format.

-a <number> is the number of key derivation function (KDF) rounds used when the passphrase is verified. The higher it is, the slower authentication (unlocking the key with its passphrase) will be, and that same extra time makes brute-force attacks on the passphrase harder if the private key is ever stolen.

-t <type> is the type of key we want to create; in our case it is ed25519.

-f <file_path> is where our public-private key pair is saved: the private key at that path and the public key next to it with a .pub suffix.

It is always good to use -C <comment> to record user@hostname so that we know where this particular key was generated. I'd also recommend adding the date to it 👍
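To see what those flags actually produce on disk, here is an added Python example (not the post's own code; standard library only): it parses the ssh-ed25519 public key line quoted above and reads the cipher, KDF name and bcrypt round count from the plaintext header of an OpenSSH-format (-o) private key, so you can confirm that -o and -a took effect on an existing key without decrypting it. The comment user@host and the private-key header are constructed placeholders.

```python
import base64, hashlib, struct

def _read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Decode a .pub / authorized_keys line, check its structure and fingerprint it."""
    ktype, blob, *rest = line.split()
    raw = base64.b64decode(blob, validate=True)
    wire_type, off = _read_string(raw, 0)
    key, off = _read_string(raw, off)
    if wire_type != ktype.encode() or off != len(raw):
        raise ValueError("type label and encoded blob disagree")
    if ktype == "ssh-ed25519" and len(key) != 32:
        raise ValueError("an Ed25519 public key is exactly 32 bytes")
    # Same value ssh-keygen -lf prints: base64(SHA-256(blob)) with '=' padding stripped.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"type": ktype, "key_bytes": len(key), "blob_bytes": len(raw),
            "fingerprint": fp, "comment": " ".join(rest)}

def parse_private_key_header(pem_text):
    """Read cipher, KDF and bcrypt rounds (what -o and -a set) from the plaintext header."""
    body = "".join(ln for ln in pem_text.splitlines() if not ln.startswith("-----"))
    raw = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not the openssh-key-v1 format that -o produces")
    cipher, off = _read_string(raw, len(magic))
    kdf, off = _read_string(raw, off)
    kdfopts, off = _read_string(raw, off)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}

# Public key blob quoted in the post above; the comment is a placeholder.
POST_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDP8M8jPEvhNpzJYG6jW29Xz661W7+Mc8cVBlh+uCKHN user@host"

def _s(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample: just the plaintext header of a "-o -a 100" key (cipher, KDF, salt, rounds, 1 key).
CONSTRUCTED_PRIVATE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(
    b"openssh-key-v1\x00" + _s(b"aes256-ctr") + _s(b"bcrypt")
    + _s(_s(b"\x00" * 16) + struct.pack(">I", 100)) + struct.pack(">I", 1)).decode()
    + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

On a real key, pass the contents of ~/.ssh/id_ed25519 to parse_private_key_header: a key written with -a 100 reports rounds 100, while one generated without -a reports the ssh-keygen default of 16.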

🔦 The Gotcha

Although Ed25519 SSH keys are much faster and smaller, a good number of servers out there still rely on RSA keys (of really long lengths), either for compatibility with servers running old versions of OpenSSH or because their hardware cannot do Ed25519 cryptography.

Thank you 😊