To generate a robust SSH key, you have two main options: ED25519 and RSA. Both have their advantages, but ED25519 is generally recommended for its security and performance benefits.
Here's how to generate each type of key:
Generating an ED25519 Key
ED25519 keys are considered more secure and performant than RSA keys. They are compact, fast to generate, and offer better security with faster performance compared to DSA or ECDSA. To generate an ED25519 key, use the following command:
ssh-keygen -t ed25519 -C "<comment>"
Replace with a meaningful comment, such as your email address. This comment won't be exposed outside your machine. Consider it as a label to identify your ssh key.
This command generates an ED25519 key pair and saves it in the default .ssh directory within your home directory.
You'll be prompted to enter a passphrase for the key, which adds an extra layer of security.
If you prefer to use RSA, it's recommended to use a key size of at least 2048 bits for security. However, a 4096-bit key is even more secure and is recommended if you're concerned about the future of cryptographic security. To generate an RSA key with a 4096-bit size, use the following command:
ssh-keygen -t rsa -b 4096 -C "<comment>"
Additional Considerations
Security: ED25519 keys are more secure against PRNG (Pseudo-Random Number Generator) failures, making them a robust choice for SSH keys.
Performance: ED25519 keys are faster and more efficient than RSA keys, which can be a significant advantage in environments with high security requirements 2.
Compatibility: Ensure your system supports the key type you choose. ED25519 is supported in OpenSSH version 6.5 and later, while RSA keys are widely supported across all versions 2.
To check your ssh version, you can run the following command
$ssh -VOpenSSH_8.9 ...
Please note the ssh servers you log are the ones that need to support ED25519 keys, so please make sure to check on them before trying anything.
TL;DR; For generating a robust SSH key, ED25519 is generally the preferred choice due to its security and performance benefits. However, RSA keys with a 4096-bit size are also a secure option if you have specific compatibility requirements or preferences.
Great series of articles about git. Once the key pair has been generated, is it a good idea to change the permissions of directories and folders? For example chmod 700 && chmod 600 ~/.ssh/* && chmod 644 ~/.ssh/*.pub. Thx!
Smiling person, father of two, Husband, Senior Developer/Architect (in that exact order, it's important)Experience in development since 2004Linux user and advocate since 2001
We strongly recommend using only the ed25519 algorithm (an ECDSA variant). It is the most secure SSH key type widely available, and is very well supported in the majority of systems. If you are using an client or server without ed25519 support, you should consider upgrading where possible.
You can generate keys with the 'ssh-keygen' command: $ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter file in which to save the key ($HOME/. ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in $HOME/.
The Ed25519 key is much shorter, so initially you might think it is less secure. But these keys use a totally different algorithm, so although the key has fewer characters, it is, for all practical purposes, as secure as the RSA key above.
To generate a robust SSH key, you have two main options: ED25519 and RSA. Both have their advantages, but ED25519 is generally recommended for its security and performance benefits.
It provides equivalent and usually better security than ECDSA and longer key length RSA keys. Its main advantages are small key sizes, fast key generation times, high performance and is resistance against side-channel attacks. Something to note though is its compatibility.
The only downside to Ed25519 is that it will fall to quantum computing before RSA 4096. Except nobody knows when that's gonna really happen. I've personally switched to ed25519-sk wherever I could. Same, the short key looks much nicer and both will fall to quantum anyhow.
The SSH-RSA is a weak encryption method. It is also already deprecated by OpenSSH and cannot be used unless enabled explicitly. This change impacts you immediately if you are using Azure DevOps Service and are using SSH-RSA keys to connect to repos through SSH.
Security. Both RSA and ECDSA can be configured to provide equal security levels. However, ECDSA requires significantly shorter private and public keys to achieve the same level of security that RSA can provide with long keys.
AES (Advanced Encryption Standard) — AES is the strongest encryption algorithm available. Fireware can use AES encryption keys of these lengths: 128, 192, or 256 bits.
The Advanced Encryption Standard (AES) is the trusted standard algorithm used by the United States government, as well as other organizations. Although extremely efficient in the 128-bit form, AES also uses 192- and 256-bit keys for very demanding encryption purposes.
Introduction: My name is Mrs. Angelic Larkin, I am a cute, charming, funny, determined, inexpensive, joyous, cheerful person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
