DEV Community

Cover image for How to generate a secure and robust SSH key in 2024
Christophe Colombier
Christophe Colombier

Posted on

How to generate a secure and robust SSH key in 2024

To generate a robust SSH key, you have two main options: ED25519 and RSA. Both have their advantages, but ED25519 is generally recommended for its security and performance benefits.

Here's how to generate each type of key:

Generating an ED25519 Key

ED25519 keys are considered more secure and performant than RSA keys. They are compact, fast to generate, and offer better security with faster performance compared to DSA or ECDSA. To generate an ED25519 key, use the following command:



ssh-keygen -t ed25519 -C "<comment>"


Enter fullscreen mode Exit fullscreen mode

Replace with a meaningful comment, such as your email address. This comment won't be exposed outside your machine. Consider it as a label to identify your ssh key.

This command generates an ED25519 key pair and saves it in the default .ssh directory within your home directory.

You'll be prompted to enter a passphrase for the key, which adds an extra layer of security.

Generating an RSA Key

If you prefer to use RSA, it's recommended to use a key size of at least 2048 bits for security. However, a 4096-bit key is even more secure and is recommended if you're concerned about the future of cryptographic security. To generate an RSA key with a 4096-bit size, use the following command:



ssh-keygen -t rsa -b 4096 -C "<comment>"


Enter fullscreen mode Exit fullscreen mode

Additional Considerations

  • Security: ED25519 keys are more secure against PRNG (Pseudo-Random Number Generator) failures, making them a robust choice for SSH keys.
  • Performance: ED25519 keys are faster and more efficient than RSA keys, which can be a significant advantage in environments with high security requirements 2.

  • Compatibility: Ensure your system supports the key type you choose. ED25519 is supported in OpenSSH version 6.5 and later, while RSA keys are widely supported across all versions 2.

To check your ssh version, you can run the following command



$ ssh -V
OpenSSH_8.9 ...


Enter fullscreen mode Exit fullscreen mode

Please note the ssh servers you log are the ones that need to support ED25519 keys, so please make sure to check on them before trying anything.

TL;DR; For generating a robust SSH key, ED25519 is generally the preferred choice due to its security and performance benefits. However, RSA keys with a 4096-bit size are also a secure option if you have specific compatibility requirements or preferences.

Top comments (2)

Collapse
 
cr0t0 profile image
cr0t0

Great series of articles about git. Once the key pair has been generated, is it a good idea to change the permissions of directories and folders? For example chmod 700 && chmod 600 ~/.ssh/* && chmod 644 ~/.ssh/*.pub. Thx!

Collapse
 
ccoveille profile image
Christophe Colombier

I think it's the default behavior of ssh-keygen 🤔