Upgrade Your SSH Key to Ed25519

Check Available SSH Keys on Your Computer

To check all available SSH keys on your computer, run the following command in your terminal:

for key in ~/.ssh/id_*; do ssh-keygen -l -f "${key}"; done | uniq
  • 🚨 DSA: It’s unsafe and has not even been supported since OpenSSH version 7. You need to upgrade it!
  • ⚠️ RSA: It depends on the key size. If the key is 3072 or 4096 bits long, you’re good. If it is shorter than that, you probably want to upgrade it. A 1024-bit key is even considered unsafe.
  • 👀 ECDSA: It depends on how well your machine can generate the random number that is used to create a signature. There’s also a trustworthiness concern about the NIST curves used by ECDSA.
  • ✅ Ed25519: It’s the most recommended public-key algorithm available today!
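
As an added example (not part of the original article), the script below grades `ssh-keygen -l` output lines using the rules in the list above. The helper names `classify_key_line` and `audit_keys` and the verdict labels are hypothetical, and the sample lines are constructed with placeholder fingerprints.

```shell
#!/bin/sh
# Added example: grade `ssh-keygen -l` output using the rules in the list above.
# Line format: "<bits> <hash>:<fingerprint> <comment> (<TYPE>)"

# classify_key_line (hypothetical helper): print a verdict for one line.
classify_key_line() (
  line=$1
  bits=${line%% *}          # first field: key length in bits
  ktype=${line##*\(}        # text after the last "("
  ktype=${ktype%\)*}        # ...minus the closing ")"
  case "$bits" in ''|*[!0-9]*) ktype=INVALID ;; esac
  case "$ktype" in
    DSA)      echo REPLACE ;;                      # unsafe, unsupported
    RSA)      if [ "$bits" -ge 3072 ]; then echo OK
              elif [ "$bits" -gt 1024 ]; then echo UPGRADE
              else echo REPLACE; fi ;;             # 1024 bits or less: unsafe
    ECDSA*)   echo REVIEW ;;                       # RNG quality, NIST curves
    ED25519*) echo OK ;;
    *)        echo UNKNOWN ;;                      # not a fingerprint line
  esac
)

# audit_keys (hypothetical helper): grade every public key in a directory.
# Reads id_*.pub only, so each key appears once without needing `uniq`.
audit_keys() (
  dir=${1:-$HOME/.ssh}
  for key in "$dir"/id_*.pub; do
    [ -f "$key" ] || continue
    line=$(ssh-keygen -l -f "$key" 2>/dev/null) || continue
    printf '%-8s %s\n' "$(classify_key_line "$line")" "$line"
  done
)

# Demo on constructed lines (placeholder fingerprints, not real keys).
while IFS= read -r sample; do
  printf '%-8s %s\n' "$(classify_key_line "$sample")" "$sample"
done <<'EOF'
1024 SHA256:PLACEHOLDER-A old@laptop (DSA)
2048 SHA256:PLACEHOLDER-B john@laptop (RSA)
4096 SHA256:PLACEHOLDER-C john@laptop (RSA)
256 SHA256:PLACEHOLDER-D john@laptop (ECDSA)
256 SHA256:PLACEHOLDER-E john@laptop (ED25519)
EOF
```

To grade the keys on your own machine, call `audit_keys` with no argument; it defaults to `~/.ssh`.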

Some Ed25519 Benefits

Ed25519 was introduced in OpenSSH version 6.5. It’s the EdDSA implementation using the Twisted Edwards curve. It uses elliptic curve cryptography that offers better security with faster performance compared to DSA or ECDSA.

Generating Ed25519 Key

You can have multiple SSH keys on your machine, so you can keep your old SSH keys and generate a new one that uses Ed25519. This way you can still log in to any of your remote servers. Then slowly replace the authorized key on your remote servers, one by one, with the newly generated Ed25519 public key.

Generate SSH key with Ed25519 key type
  • -o: Saves the private key using the new OpenSSH format rather than the PEM format. This option is implied when you specify the key type as ed25519.
  • -a: The number of KDF (Key Derivation Function) rounds. Higher numbers result in slower passphrase verification, increasing the resistance to brute-force password cracking should the private key be stolen.
  • -t: Specifies the type of key to create, in our case Ed25519.
  • -f: Specifies the filename of the generated key file. If you want it to be discovered automatically by the SSH agent, it must be stored in the default `.ssh` directory within your home directory.
  • -C: Specifies a comment. It’s purely informational and can be anything, but it’s usually set to the <login>@<hostname> of whoever generated the key.

Adding Your Key to SSH Agent

You can find your newly generated private key at ~/.ssh/id_ed25519 and your public key at ~/.ssh/ Always remember that your public key is the one that you copy to the target host for authentication.

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

🍏 Notes for macOS User

If you’re using macOS Sierra 10.12.2 or later, to load the keys automatically and store the passphrases in the Keychain, you need to configure your ~/.ssh/config file:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519
  # Keep any old key files if you want
  IdentityFile ~/.ssh/id_rsa

ssh-add -K ~/.ssh/id_ed25519

Specifying Specific Key to SSH into a Remote Server

The SSH protocol already allows the client to offer multiple keys, from which the server picks the one it needs for authentication. However, we can also specify a particular private key to use, like so:

ssh -i ~/.ssh/id_ed25519 john@

Host awesome
  User john
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

ssh awesome


