To generate a robust SSH key, you have two main options: ED25519 and RSA. Both have their advantages, but ED25519 is generally recommended for its security and performance benefits.
Here's how to generate each type of key:
Generating an ED25519 Key
ED25519 keys are considered more secure and performant than RSA keys. They are compact, fast to generate, and offer better security with faster performance compared to DSA or ECDSA. To generate an ED25519 key, use the following command:
ssh-keygen -t ed25519 -C "<comment>"
Replace <comment> with a meaningful comment, such as your email address. This comment won't be exposed outside your machine. Think of it as a label that identifies your SSH key.
This command generates an ED25519 key pair and saves it in the default .ssh directory within your home directory.
You'll be prompted to enter a passphrase for the key, which adds an extra layer of security.
Related article: "Why using a passphrase to secure your SSH key ?" (Christophe Colombier ・ Apr 6)
Generating an RSA Key
If you prefer to use RSA, it's recommended to use a key size of at least 2048 bits for security. However, a 4096-bit key is even more secure and is recommended if you're concerned about the future of cryptographic security. To generate an RSA key with a 4096-bit size, use the following command:
ssh-keygen -t rsa -b 4096 -C "<comment>"
Additional Considerations
- Security: ED25519 keys are more secure against PRNG (Pseudo-Random Number Generator) failures, making them a robust choice for SSH keys.
- Performance: ED25519 keys are faster and more efficient than RSA keys, which can be a significant advantage in environments with high security requirements [2].
- Compatibility: Ensure your system supports the key type you choose. ED25519 is supported in OpenSSH version 6.5 and later, while RSA keys are widely supported across all versions [2].
To check your SSH version, you can run the following command:
$ ssh -V
OpenSSH_8.9 ...
Please note that the SSH servers you log in to are the ones that need to support ED25519 keys, so make sure to check them before trying anything.
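To see how the keys you already have compare with the recommendations above, you can grade the output of ssh-keygen -l -f, which prints the bit length first and the key type last. This is an added example, not part of the original article; the function names and the verdict labels (OK, ACCEPTABLE, WEAK, REVIEW) are assumptions made for illustration, and the sample lines are constructed with placeholder fingerprints.

```shell
#!/bin/sh
# Added example: grade SSH public keys against the article's guidance
# (ED25519 preferred; RSA at least 2048 bits, 4096 recommended).

# classify_key_line LINE
# LINE is one line of `ssh-keygen -l -f <file>` output:
#   "<bits> <fingerprint> <comment...> (<TYPE>)"
# Prints "<verdict> <TYPE> <bits>". The verdict labels are this example's own.
classify_key_line() {
  bits=${1%% *}            # first field: key size in bits
  ktype=${1##*"("}         # text after the last "(" (comments may contain spaces)
  ktype=${ktype%")"}       # drop the trailing ")"
  case $bits in
    ''|*[!0-9]*) echo "UNKNOWN ? ?"; return 1 ;;   # not ssh-keygen -l output
  esac
  case $ktype in
    ED25519) echo "OK $ktype $bits" ;;
    RSA)
      if   [ "$bits" -ge 4096 ]; then echo "OK $ktype $bits"
      elif [ "$bits" -ge 2048 ]; then echo "ACCEPTABLE $ktype $bits"
      else                            echo "WEAK $ktype $bits"
      fi ;;
    *) echo "REVIEW $ktype $bits" ;;   # DSA, ECDSA, ...: consider moving to ED25519
  esac
}

# audit_keys [DIR]
# Grades every *.pub file in DIR (default ~/.ssh). Needs ssh-keygen installed.
audit_keys() {
  dir=${1:-$HOME/.ssh}
  for f in "$dir"/*.pub; do
    [ -e "$f" ] || continue
    line=$(ssh-keygen -l -f "$f") || continue
    printf '%s\t%s\n' "$(classify_key_line "$line")" "$f"
  done
}

# Demo on constructed lines (placeholder fingerprints, not real keys).
while IFS= read -r sample; do
  classify_key_line "$sample"
done <<'EOF'
256 SHA256:PLACEHOLDER-1 me@example.com (ED25519)
4096 SHA256:PLACEHOLDER-2 work laptop (RSA)
1024 SHA256:PLACEHOLDER-3 old-server (RSA)
EOF
```

Call audit_keys with no argument to grade the public keys in your own ~/.ssh directory.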
TL;DR; For generating a robust SSH key, ED25519 is generally the preferred choice due to its security and performance benefits. However, RSA keys with a 4096-bit size are also a secure option if you have specific compatibility requirements or preferences.
Top comments (2)
Great series of articles about git. Once the key pair has been generated, is it a good idea to change the permissions of directories and folders? For example
chmod 700 && chmod 600 ~/.ssh/* && chmod 644 ~/.ssh/*.pub
Thx!
I think it's the default behavior of ssh-keygen 🤔