If you're still generating RSA keys with ssh-keygen -t rsa, you're using a 1977 algorithm when a 2011 algorithm (Ed25519) is faster, more secure, and produces shorter keys. The inertia of defaults keeps RSA in use, but there's no good reason for new keys.
The key types
RSA: The oldest widely-used public key algorithm. Recommended minimum key size is 3072 bits (2048 is still common but increasingly discouraged). Key generation is slow. Signing is slow. But it's universally supported.
ECDSA: Elliptic curve DSA. Shorter keys (256 bits provides equivalent security to RSA 3072). Faster operations. But the NIST curves it uses (P-256, P-384) have been criticized for potential backdoors in the curve parameters.
Ed25519: Based on Curve25519 (Daniel Bernstein). 256-bit key. Fastest signing and verification. Deterministic signatures (no random number needed during signing, eliminating an entire class of implementation bugs). No NIST curve concerns. Supported by OpenSSH since 2014 (version 6.5).
Why Ed25519 wins
Key size: An Ed25519 public key is 68 characters in base64. An RSA-4096 public key is 716 characters. In authorized_keys files with hundreds of keys, this matters.
Performance: Ed25519 signing is approximately 20x faster than RSA-4096 and 5x faster than ECDSA-P256. Verification is similarly faster. For SSH, the difference is imperceptible for a single connection but meaningful for high-throughput systems (git servers, automation systems handling thousands of connections).
Security: Ed25519 provides approximately 128 bits of security. RSA-3072 provides approximately 128 bits. But Ed25519 achieves this with simpler, more auditable code and no random number dependency during signing. ECDSA key generation bugs (insufficient entropy) have led to real-world private key recovery. Ed25519's deterministic signature prevents this entire class of attack.
Generating keys
# The recommended way
ssh-keygen -t ed25519 -C "your_email@example.com"
# If you need RSA (legacy system compatibility)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
The -C flag adds a comment (typically your email) to identify the key. Without it, the comment defaults to user@hostname.
Key management best practices
Use a unique key per device: If one device is compromised, you revoke that device's key without affecting others. Using the same key on laptop, desktop, and phone means a compromised phone exposes all three.
Use a passphrase: The passphrase encrypts the private key on disk. Without a passphrase, anyone who copies your private key file can authenticate as you. Use ssh-agent to cache the decrypted key in memory so you don't type the passphrase for every connection.
Rotate keys periodically: Not because the cryptography weakens, but because key hygiene degrades over time. Authorized_keys files accumulate entries from former employees, decommissioned laptops, and forgotten automation accounts.
Browser-based generation
A browser-based key generator uses the Web Crypto API to generate cryptographic key pairs client-side. The private key never leaves the browser.
const keyPair = await crypto.subtle.generateKey(
{ name: 'Ed25519' },
true,
['sign', 'verify']
);
Note: Web Crypto's Ed25519 support is relatively recent. Older browsers may not support it, in which case a JavaScript implementation (like tweetnacl) provides the same functionality.
I built an SSH key generator at zovo.one/free-tools/ssh-key-generator that generates Ed25519 and RSA key pairs entirely in your browser. Nothing is uploaded, nothing is stored. Generate, copy, and configure your servers.
I'm Michael Lip. I build free developer tools at zovo.one. 500+ tools, all private, all free.
Top comments (0)