How to Generate an ed25519 Key Pair for SSH Authentication
SSH keys are a common alternative to username-and-password authentication. This guide shows you how to generate an ed25519 key pair.
Introduction
Welcome to the lazy dev school tutorial on how to generate an ed25519 SSH key pair.
ed25519 is the name of the signature algorithm used to generate the key pair. There are a few alternatives to ed25519, but it is the best default: keys and signatures are small, signing and verification are fast, and the algorithm has no known practical weaknesses. The main reason to choose RSA instead is compatibility with old software that predates ed25519 support (OpenSSH added it in version 6.5). Here are two highly credible sources recommending the use of ed25519 over RSA.
Prerequisites
- Unix-like operating system (Linux, macOS, etc.) w/ terminal
OR
- Terminal emulator on Windows (for example Git Bash) OR Windows Subsystem for Linux (WSL) OR Windows Terminal
Verify you have an SSH client installed
Let’s do a quick sanity check to make sure you have an SSH client installed. If you don’t have an SSH client installed you will see an error message.
ssh -V
- ssh is the command to connect to a remote server
- -V is the flag to display the version of the SSH client
If you are running MacOS you likely already have the openssh-client installed.
ssh -V prints a single version line (it starts with OpenSSH_ followed by the version number). If you instead run ssh with no arguments, you get the usage summary below. Either output confirms that an SSH client is installed.
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
[-c cipher_spec] [-D [bind_address:]port] [-E log_file]
[-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-J destination] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
destination [command [argument ...]]
ssh [-Q query_option]
Install OpenSSH Client on Linux
macOS ships with OpenSSH, so this step only applies to Linux distributions that do not include an SSH client. On Debian-based systems such as Ubuntu:
sudo apt install openssh-client
- sudo runs the command as the superuser, which installing system packages requires
- apt is the package manager for Debian-based systems like Ubuntu
- install is the instruction we are giving to apt (alternatively you could instruct apt to remove or upgrade a package)
- openssh-client is the package name to be installed
Installing OpenSSH Client on Windows
If you are running Windows you have a few options. I cover all of the options in a separate post. Go there if you need more information and then come back so we can continue with world domination.
Generate an SSH Key Pair
You have a few options for which algorithm you want to use.
Many legacy tutorials will tell you to use RSA. However, ed25519 is the recommended algorithm for most systems: its keys are much shorter than an equivalent-strength RSA key, signing and verification are faster, and it avoids the parameter choices (key size, padding) that make RSA easy to get wrong. The only reason to prefer RSA is a server or device too old to support ed25519 (OpenSSH 6.5 or earlier).
Here is the command to generate an ed25519 key pair.
If you do not specify -t, ssh-keygen from OpenSSH 9.5 onwards generates an ed25519 key pair by default (earlier releases default to RSA), so passing -t ed25519 explicitly is the safe choice.
ssh-keygen -t ed25519 -C "your_email@example.com"
- ssh-keygen is the command to generate an SSH key pair
- -t lets you specify the algorithm you want to use, in this case ed25519
- -C "your_email@example.com" is an optional comment attached to the public key. This is typically your email address.
If you must use RSA it is best to use a 4096 bit key.
ssh-keygen -o -t rsa -b 4096 -C "your_email@example.com"
- ssh-keygen is the command to generate an SSH key pair
- -o writes the private key in the newer OpenSSH private key format instead of the older PEM format. Since OpenSSH 7.8 this format is the default, so the flag is harmless but redundant on current systems.
- -t lets you specify the algorithm you want to use, in this case rsa
- -b lets you specify the bit length of the key, in this case 4096
- -C "your_email@example.com" is an optional comment attached to the public key. This is typically your email address.
After invoking ssh-keygen you will be presented with a few prompts.
Storage Location For Keys
By default you are prompted to store keys in your ~/.ssh directory (on Windows it will be %USERPROFILE%\.ssh). In most cases you will want to keep the default location. Two files are written: the private key (for example id_ed25519), which must never leave your machine, and the public key (id_ed25519.pub), which is what you copy to servers.
If you choose a different path you will need to add an -i flag to your ssh command to point at the private key, or set IdentityFile for that host in ~/.ssh/config.
Passphrase
The passphrase is optional.
If you choose a passphrase you will need to enter it whenever the key is loaded (an SSH agent can cache the unlocked key so you are not prompted on every connection). If you do not set one, anyone who obtains the private key file can authenticate as you without any further secret. If a passphrase is used, make sure it is long and unguessable.
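The whole procedure above, run non-interactively so every step can be checked: this is an added example, not code from the original post. It assumes OpenSSH's ssh-keygen is on PATH; the directory, comment and passphrase are placeholders constructed for the demonstration. After generating, it verifies the things a practitioner cares about: the public key really is ssh-ed25519, the private key is mode 600, the public key can be re-derived from the private key, and the SHA256 fingerprint (the value you compare out of band when a server first shows it) can be read off.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes ssh-keygen from OpenSSH
# is installed. Paths, comment and passphrase below are placeholders.

# gen_ed25519_key DIR COMMENT PASSPHRASE
#   Writes DIR/id_ed25519 (private key) and DIR/id_ed25519.pub (public key).
gen_ed25519_key() {
    dir="$1"; comment="$2"; passphrase="$3"
    mkdir -p "$dir"
    chmod 700 "$dir"   # ssh ignores keys that live in a world-readable directory
    # -q quiet, -N passphrase (avoids the prompt), -C comment, -f output path
    ssh-keygen -q -t ed25519 -N "$passphrase" -C "$comment" -f "$dir/id_ed25519"
}

# key_type_of PUBFILE: first field of the public key line, e.g. ssh-ed25519
key_type_of() {
    awk '{print $1}' "$1"
}

# private_key_mode KEYFILE: octal permission bits; ssh-keygen creates it as 600
private_key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"   # GNU stat, then BSD/macOS stat
}

# pub_matches_priv KEYFILE PASSPHRASE: re-derive the public key from the private
# key (-y) and compare it with the stored .pub file. Prints "match" or "mismatch".
pub_matches_priv() {
    derived=$(ssh-keygen -y -P "$2" -f "$1" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$1.pub")
    if [ -n "$derived" ] && [ "$derived" = "$stored" ]; then echo match; else echo mismatch; fi
}

# fingerprint_of PUBFILE: the SHA256 fingerprint shown by ssh-keygen -l
fingerprint_of() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Demonstration with placeholder values (constructed for this example).
demo_dir="${TMPDIR:-/tmp}/ssh-keygen-demo.$$"
demo_pass="correct horse battery staple"   # placeholder; pick your own
gen_ed25519_key "$demo_dir" "demo@example.com" "$demo_pass"
echo "type:        $(key_type_of "$demo_dir/id_ed25519.pub")"
echo "mode:        $(private_key_mode "$demo_dir/id_ed25519")"
echo "fingerprint: $(fingerprint_of "$demo_dir/id_ed25519.pub")"
echo "pub matches: $(pub_matches_priv "$demo_dir/id_ed25519" "$demo_pass")"
rm -rf "$demo_dir"
```

When the key is stored somewhere other than ~/.ssh, connect with ssh -i "$dir/id_ed25519" user@host. Passing the passphrase on the command line as -N is fine for a throwaway demo but leaves it in shell history; for a real key answer the prompt interactively instead.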
Here is a simple Python 3 script to generate a random passphrase. It draws from the secrets module (not random, which is not suitable for secrets); 12 characters is a floor, not a target, so pass a larger length for a key you will keep for a long time.
import string
import secrets
import sys
def generate_secure_password(length=12):
    # Characters to choose from: letters, digits and punctuation
    characters = string.ascii_letters + string.digits + string.punctuation
    # secrets.choice uses the OS CSPRNG, so each position is unpredictable
    return ''.join(secrets.choice(characters) for _ in range(length))
if __name__ == "__main__":
    # Optional first argument overrides the default length, e.g. python3 passphrase.py 24
    length = int(sys.argv[1]) if len(sys.argv) > 1 else 12
    print("Generated secure password:", generate_secure_password(length))
Next Steps
If you want to dive deeper into SSH keys, here are some search-term ideas for further reading.
- Adding the Key to SSH Agent
- Copying the Public Key to a Remote Server
- Create Voter Registration System Using SSH Signing Verification
- Securing your Key
- Key Management and Rotation