SSH Keys
Brief note about SSH key types and managing them.
Prerequisites
To use SSH, you need:
- The OpenSSH client, which comes pre-installed on GNU/Linux, macOS, and Windows 10.
- SSH version 6.5 or later. Earlier versions used an MD5 signature, which is not secure.
To view the version of SSH installed on your system, run ssh -V
.
SSH key types
You can use the following SSH key types:
-
ED25519 (Preferred)
The book Practical Cryptography With Go suggests that ED25519 keys are more secure and performant than RSA keys.
OpenSSH 6.5 introduced ED25519 SSH keys in 2014, and they should be available on most operating systems.
-
ED25519_SK
Must have OpenSSH 8.2 or later installed.
-
ECDSA_SK
Must have OpenSSH 8.2 or later installed.
-
RSA Available documentation suggests ED25519 is more secure than RSA.
If you use an RSA key, the US National Institute of Science and Technology in Publication 800-57 Part 3 (PDF) recommends a key size of at least 2048 bits. The default key size depends on your version of
ssh-keygen
. Review theman
page for your installedssh-keygen
command for details. -
DSA
-
ECDSA (As noted in Practical Cryptography With Go, the security issues related to DSA also apply to ECDSA)
Generate an SSH key pair
If you do not have an existing SSH key pair, generate a new one:
-
Open a terminal.
-
Run
ssh-keygen -t
followed by the key type and an optional comment. This comment is included in the ```.pub`` file that’s created.You may want to use an email address for the comment.
For example, for ED25519:
ssh-keygen -t ed25519 -C "<comment>"
For 2048-bit RSA:
ssh-keygen -t rsa -b 2048 -C "<comment>"
For ED25519_SK:
ssh-keygen -t ed25519-sk -C "<comment>"
For ECDSA_SK:
ssh-keygen -t ecdsa-sk -C "<comment>"
-
Press
Enter
. Output similar to the following is displayed:Generating public/private ed25519 key pair. Enter file in which to save the key (/home/user/.ssh/id_ed25519):
-
Accept the suggested filename and directory, unless you want to
save in a specific directory
where you store other keys. If it’s the latter, do the following:eval $(ssh-agent -s) ssh-add <directory to private SSH key>
You can also
dedicate the SSH key pair to a specific host
by saving these settings in the~/.ssh/config
file. For example:# GitLab.com Host gitlab.com PreferredAuthentications publickey IdentityFile ~/.ssh/gitlab_com_rsa # Private GitLab instance Host gitlab.company.com PreferredAuthentications publickey IdentityFile ~/.ssh/example_com_rsa
For more information on these settings, see the man ssh_config page in the SSH configuration manual.
-
Specify a passpharse:
Enter passphrase (empty for no passphrase): Enter same passphrase again:
A confirmation is displayed, including information about where your files are stored.
A public and private key are generated. The public key may be shared but keep the private key secure.
Update your SSH key passphrase
You can update the passphrase for your SSH key:
-
Open a terminal and run this command:
ssh-keygen -p -f /path/to/ssh_key
-
At the prompts, enter the passphrase and then press
Enter
.
Upgrade your RSA key pair to a more secure format
If your version of OpenSSH is between 6.5 and 7.8, you can save your private RSA SSH keys in a more secure OpenSSH format by opening a terminal and running this command:
ssh-keygen -o -f ~/.ssh/id_rsa
Alternatively, you can generate a new RSA key with the more secure encryption format with the following command:
ssh-keygen -o -t rsa -b 4096 -C "<comment>"
Generate an SSH key pair for a FIDO/U2F hardware security key
To generate ED25519_SK or ECDSA_SK SSH keys, you must use OpenSSH 8.2 or later:
-
Insert a hardware security key into your computer.
-
Open a terminal.
-
Run
ssh-keygen -t
followed by the key type and an optional comment. This comment is included in the.pub
file that’s created. You may want to use an email address for the comment.For example, for ED25519_SK:
ssh-keygen -t ed25519-sk -C "<comment>"
For ECDSA_SK:
ssh-keygen -t ecdsa-sk -C "<comment>"
If your security key supports FIDO2 resident keys, you can enable this when creating your SSH key:
ssh-keygen -t ed25519-sk -O resident -C "<comment>"
-O resident
indicates that the key should be stored on the FIDO authenticator itself. Resident key is easier to import to a new computer because it can be loaded directly from the security key by ssh-add -K or ssh-keygen -K. -
Press
Enter
. Output similar to the following is displayed:Generating public/private ed25519-sk key pair. You may need to touch your authenticator to authorize key generation.
-
Touch the button on the hardware security key.
-
Accept the suggested filename and directory:
Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
-
Specify a passpharse:
Enter passphrase (empty for no passphrase): Enter same passphrase again:
A confirmation is displayed, including information about where your files are stored.
A public and private key are generated.