Update your SSH Keys to ed25519

Published on June 24th, 2019

Whether you are a developer or an administrator, you surely use SSH keys to authenticate to different systems. That is much more secure than plain password authentication.

I recently discovered that many people still use their old DSA or RSA keys. The key pairs were generated years ago and have not been updated since. But be aware that the recommended algorithms have changed, and you would do well to update your keys.

Currently, the following algorithms are in circulation:

  • DSA: Insecure and no longer supported
  • RSA: Probably the most commonly used. Most of you have probably only generated a default key of 1024 bits (this happens automatically if no explicit size is given).
  • ed25519: The current security standard

Advantages of ed25519

I don't want to go into the depths of the cryptography, because most of you probably don't care. Nevertheless, ed25519 has some advantages:

  • Uses a twisted Edwards curve
  • The public key is only 68 characters long, significantly shorter than conventional keys
  • Faster
  • More secure

What should I do with my old keys?

Many of you are now wondering whether existing DSA/RSA keys can be updated. The answer is quite simple: no. But that's not a problem.

Your system can manage and use multiple SSH keys. When I switched to ed25519 more than three years ago, I did it step by step: I kept my RSA key for the time being, generated a new ed25519 key, and used that from then on. Then I replaced the old RSA key on the systems one by one.
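Before replacing keys one by one, it helps to know which algorithms are still in use. The following script is an added example, not part of the original post: it reads an authorized_keys file (or any file of public-key lines) and counts DSA/RSA entries to rotate against ed25519 entries, using the 68-character length of an ed25519 public key as a plausibility check. The key blobs in the sample file are constructed placeholders (only the type prefixes are real), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: take stock of which key
# algorithms are still in use before replacing keys host by host.
# Reads an authorized_keys file (or any file of *.pub lines) and counts
# DSA/RSA entries to rotate versus ed25519 entries. All key blobs below are
# constructed placeholders, not real keys.
set -f   # no globbing while splitting key lines into fields

# classify_key_line LINE -> prints skip|legacy|modern|malformed|other
classify_key_line() {
    kl=$1
    case $kl in ''|'#'*) echo skip; return 0 ;; esac
    # authorized_keys lines may start with options such as from="..." or
    # no-pty, so walk the fields until the key type is found
    set -- $kl
    while [ $# -gt 0 ]; do
        case $1 in
            ssh-dss|ssh-rsa) echo legacy; return 0 ;;
            ssh-ed25519)
                # an ed25519 public key blob is always 68 base64 characters
                blob=${2:-}
                if [ "${#blob}" -eq 68 ]; then echo modern; else echo malformed; fi
                return 0 ;;
        esac
        shift
    done
    echo other
}

# summarize_keys FILE -> prints "<legacy> <modern> <other>" counts
summarize_keys() {
    legacy=0; modern=0; other=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $(classify_key_line "$line") in
            skip) ;;
            legacy) legacy=$((legacy + 1)) ;;
            modern) modern=$((modern + 1)) ;;
            *) other=$((other + 1)) ;;
        esac
    done < "$1"
    echo "$legacy $modern $other"
}

# write_sample_keys FILE -> writes a constructed authorized_keys for the demo
write_sample_keys() {
    cat > "$1" <<'EOF'
# constructed sample: type prefixes are real, the rest of each blob is filler
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER old-dsa@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER old-rsa@laptop
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER deploy@ci
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER0123456789 new@laptop
EOF
}

# stand-alone run: audit ~/.ssh/authorized_keys if present, else the sample
sample=
if [ -r "${HOME:-.}/.ssh/authorized_keys" ]; then
    target="${HOME:-.}/.ssh/authorized_keys"
else
    sample=$(mktemp); write_sample_keys "$sample"; target=$sample
fi
set -- $(summarize_keys "$target")
echo "$target: $1 legacy DSA/RSA key(s) to replace, $2 ed25519, $3 other"
[ -n "$sample" ] && rm -f "$sample"
```

Run it on each host's authorized_keys (or on the *.pub files in your own ~/.ssh) to get the list of entries that still need a new ed25519 key; a "malformed" result flags an ssh-ed25519 line whose blob has been truncated or edited.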

How do I generate the key?

Open your terminal and generate a new key pair with the following command:

$ ssh-keygen -t ed25519 -C "your@mail.com"

  • -t specifies the type of the key, in our case ed25519
  • -C is just a comment; usually your email address is used, but you can put anything you want

If you want to know which other parameters are available, consult the ssh-keygen manual page. Interesting ones are -a (the number of KDF rounds used to protect the private key with its passphrase) and -f (the output file name). That's it.

You can find your new private key at ~/.ssh/id_ed25519 and your public key at ~/.ssh/id_ed25519.pub.

SSH Configuration

Personally, I only adjusted my SSH configuration (macOS).

~/.ssh/config
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/id_dsa
  IdentityFile ~/.ssh/id_ed25519

You can add as many IdentityFile entries as you want.

If you protected your key pair with a passphrase when creating it, you have to make your keys known to the SSH agent. Make sure the SSH agent is running:

$ eval "$(ssh-agent -s)"

Then you can add your keys with

$ ssh-add -K ~/.ssh/id_ed25519

Note: The -K option only applies to macOS. If an error occurs, simply omit it.

What about you? Do you already use ed25519? Let me know.
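The whole procedure above (generate the key with -a and -f, keep the old key alongside it via IdentityFile, load the new one into the agent) as one script. This is an added example, not the post's own script: the KEY_DIR and COMMENT variables, the function names and the choice of 100 KDF rounds are my assumptions, and on macOS 12 and later ssh-add expects --apple-use-keychain where older releases used -K.

```shell
#!/bin/sh
# Added example, not the post's own script: generate a new ed25519 key beside
# the existing RSA key, verify the result, register it in ~/.ssh/config as an
# additional IdentityFile, and load it into the agent. KEY_DIR, COMMENT and
# the function names are assumptions of this example.
set -eu
set -f   # no globbing while splitting the public key into fields

KEY_DIR=${KEY_DIR:-${HOME:-.}/.ssh}
NEW_KEY="$KEY_DIR/id_ed25519"
COMMENT=${COMMENT:-your@mail.com}

# generate_key [PASSPHRASE]: -a 100 raises the KDF rounds that protect the
# private key, -f sets the output path. Without an argument ssh-keygen
# prompts for a passphrase; an explicit argument is for non-interactive use.
generate_key() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
    if [ -e "$NEW_KEY" ]; then
        echo "refusing to overwrite existing $NEW_KEY" >&2
        return 1
    fi
    if [ $# -gt 0 ]; then
        ssh-keygen -q -t ed25519 -a 100 -C "$COMMENT" -f "$NEW_KEY" -N "$1"
    else
        ssh-keygen -q -t ed25519 -a 100 -C "$COMMENT" -f "$NEW_KEY"
    fi
}

# verify_key: fail unless the public key is ssh-ed25519 with the 68-character
# blob, then print its fingerprint
verify_key() {
    set -- $(cat "$NEW_KEY.pub")
    blob=${2:-}
    [ "$1" = ssh-ed25519 ] && [ "${#blob}" -eq 68 ] || return 1
    ssh-keygen -l -f "$NEW_KEY.pub"
}

# add_identity_file: offer the new key in addition to the old ones (ssh
# accumulates IdentityFile entries); safe to run more than once
add_identity_file() {
    cfg="$KEY_DIR/config"
    if ! grep -qs "IdentityFile $NEW_KEY" "$cfg"; then
        printf 'Host *\n  IdentityFile %s\n' "$NEW_KEY" >> "$cfg"
    fi
}

# load_into_agent: on macOS store the passphrase in the keychain
# (--apple-use-keychain on macOS 12+, -K on older releases); plain ssh-add
# elsewhere
load_into_agent() {
    if [ "$(uname)" = Darwin ]; then
        ssh-add --apple-use-keychain "$NEW_KEY" 2>/dev/null || ssh-add -K "$NEW_KEY"
    else
        ssh-add "$NEW_KEY"
    fi
}

# Run the whole migration only when invoked as: sh migrate.sh run
case ${1:-} in
    run) generate_key; verify_key; add_identity_file; load_into_agent ;;
esac
```

The script refuses to overwrite an existing id_ed25519 and appends the IdentityFile line only once, so the old RSA key keeps working while you copy the new public key to your systems one by one.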
