Levelling-up your SSH Private Key from RSA to ED25519 + Symmetric Password Protection

web3coach profile image Lukas Lukac ・2 min read

Today I had to generate a separate Private and Public Key in order to access my new blockchain node so I took the opportunity to setup a fresh, unique key pair that are also protected by 2FA authentication, interactive password. Later I will take it a step further and protect it with a Yubikey.

Even though RSA was a standard for asymetric SSH keys for years, keys below 2048-bit length are not considered safe anymore due to evolution in hardware. It's time to upgrade to a stronger, elliptic curve algorithm, ED25519 which is faster, more secure and shorter in bytes.


Having a basic understanding of SSH and ssh-keygen installed.

Step 1/3 - Generate a new ED25519 Priv Key

ssh-keygen -t ed25519 -C "lukas@gmailorwhatever.com"

thank you Andrew, my dear colleague for the command recommendation!

You will be prompted to enter the key destination path,

Enter file in which to save the key: 

Choose a passphrase (DO NOT LEAVE BLANK).

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your private key has been saved in /Users/enchanterio/.ssh/id_ed25519_devto_tutorial.

Your public key has been saved in /Users/enchanterio/.ssh/id_ed25519_devto_tutorial.pub.

The key fingerprint is:
SHA256:qxCxjp6thlj59cjQKy+qTrPnlTNfCq/RKNP+bYCwyA8 lukas@gmailorwhatever.com

The key's randomart image is:

+--[ED25519 256]--+
|                 |
|                 |
|    .            |
|   . o           |
|. ..=.. S        |
| Eo+oo*. .       |
|.=++o& =o.       |
|+.+=O.@.=.       |
|o=B+.*==..       |

Step 2/3 - Configuring SSH agent

Connect to a server, add the content of your new local Pub Key cat ~/.ssh/id_ed25519_devto_tutorial.pub to the server's .ssh/authorized_keys file and remove the old RSA Key:

ignore that the key on the image is different from the above in this tutorial, I took the screenshot before I wrote the tutorial

Disconnect from the server. Now we will do an additional trick to associate the specific IP address with this new Private Key without affecting rest of the SSH connections based on the old RSA Key.

vim ~/.ssh/config
Host blockchain-node
        HostName <YOUR_IP_ADDRESS>
        User root
        IdentityFile /Users/enchanterio/.ssh/id_ed25519_devto_tutorial

Step 3/3 - Dialing the connection


ssh blockchain-node

You will be prompted to unlock your SSH key by password:

Enter passphrase for key '/Users/enchanterio/.ssh/id_ed25519_devto_tutorial':
<type pwd...>

Done! Connected. Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64)

And the server you just connected to, authenticated you against your new password protected, ED25519 Elliptic Private Key. Gg.

Posted on by:

web3coach profile

Lukas Lukac


Coaching 33/1000 devs blockchain and how to build real-world Ethereum apps of tomorrow's job market using Go + JS. Go -> https://web3.coach


markdown guide