How to Generate an ed25519 Key Pair for SSH Authentication

SSH keys are a common alternative to username-and-password authentication. This guide shows you how to generate an ed25519 key pair.

Introduction

Welcome to the lazy dev school tutorial on how to generate an ed25519 SSH key pair.

ed25519 is the name of the signature algorithm the key pair is used with (Ed25519, an instance of EdDSA over Curve25519). There are a few alternatives to ed25519, but for SSH it is the recommended choice: keys are short, signing and verification are fast, and it avoids several implementation pitfalls of RSA. Here are two widely cited sources recommending ed25519 over RSA.

  1. linode.com/docs
  2. github.com/en/authentication

Prerequisites


Verify you have an SSH client installed

Let's do a quick sanity check to make sure you have an SSH client installed. If you don't, you will see a "command not found" error instead of the output described below.

ssh -V
  • ssh is the command to connect to a remote server
  • -V is the flag to display the version of the SSH client

macOS ships with the OpenSSH client, so this check should already succeed there.

If a client is installed, ssh -V prints a single version line such as OpenSSH_9.6p1, LibreSSL 3.3.6 (the exact numbers depend on your system). Running ssh with no arguments instead prints the usage summary below, which is another sign that the client is present:

usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J destination] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command [argument ...]]
       ssh [-Q query_option]

Install OpenSSH Client on Linux

If you are running Linux and the check above failed, install the client with your distribution's package manager. On Debian-based systems such as Ubuntu:

sudo apt install openssh-client
  • sudo is the superuser do command that lets you install system packages
  • apt is the package manager for Debian based systems like Ubuntu
  • install is the instruction we are giving to apt (alternatively you could instruct apt to remove or upgrade a package)
  • openssh-client is the package name to be installed

Installing OpenSSH Client on Windows

If you are running Windows you have a few options. I cover all of the options in a separate post. Go there if you need more information and then come back so we can continue with world domination.

Generate an SSH Key Pair

You have a few options for which algorithm to use.

Many older tutorials will tell you to use RSA. Ed25519 is the recommended algorithm for current systems: the keys are short, fast to generate and verify, and the algorithm avoids several implementation pitfalls of RSA. OpenSSH has supported ed25519 since version 6.5 (2014), so only very old servers or appliances lack it, and that is the main reason you would still need RSA today.

Here is the command to generate an ed25519 key pair.

Since OpenSSH 9.5, ssh-keygen generates an ed25519 key pair when -t is omitted; earlier releases default to RSA, so it is worth passing -t explicitly.

ssh-keygen -t ed25519 -C "your_email@example.com"
  • ssh-keygen is the command to generate an SSH key pair
  • -t lets you specify the algorithm you want to use in this case ed25519
  • -C "your_email@example.com" sets an optional comment that is stored with the key. It is typically an email address or a user@host tag, and it is what lets you tell keys apart in an authorized_keys file.

If you must use RSA (for example, to reach a server that predates ed25519 support), use a 4096 bit key. ssh-keygen's own default has been 3072 bits since OpenSSH 8.0, and any remaining 1024 bit RSA keys should be replaced.

ssh-keygen -o -t rsa -b 4096 -C "your_email@example.com"
  • ssh-keygen is the command to generate an SSH key pair
  • -o saves the private key in the newer OpenSSH private-key format (which uses the bcrypt KDF for passphrase protection) instead of the legacy PEM format. Since OpenSSH 7.8 this is the default, so on current versions the flag is harmless but redundant.
  • -t lets you specify the algorithm you want to use in this case rsa
  • -b lets you specify the bit length of the key in this case 4096
  • -C "your_email@example.com" is an optional comment you can add to the key pair. This is typically your email address.

After invoking ssh-keygen you will be presented with a few prompts.

Storage Location For Keys

By default you are prompted to store keys in your ~/.ssh directory (on Windows it will be %USERPROFILE%\.ssh), as id_ed25519 (the private key) and id_ed25519.pub (the public key). In most cases you will want to keep the default location: ssh looks there automatically, and ssh-keygen creates the private key with mode 600 so that only you can read it.

If you choose a different path you will need to pass it to ssh with the -i flag each time, or add an IdentityFile line for that host in ~/.ssh/config.

Passphrase

A passphrase is optional but strongly recommended.

Without a passphrase, anyone who obtains the private key file (a stolen laptop, a careless backup) can log in as you; the key effectively allows passwordless authentication. With a passphrase, the private key is encrypted on disk and must be unlocked before use. You do not have to type it on every connection: ssh-agent can cache the unlocked key for the duration of your session. If you use a passphrase, make sure it is long and random rather than a reused password.
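The steps above (generate, pick a location, set a passphrase) can be scripted and, more importantly, checked. The shell script below is an added example and is not part of the original tutorial: it generates a passphrase-protected ed25519 key pair non-interactively into a scratch directory, then runs the checks you would otherwise do by hand: the private key's file mode, the key type in the .pub file, the fingerprint line, that the passphrase actually unlocks the private key and yields the same public key, and that a wrong passphrase is rejected. The scratch directory, the comment string and the passphrase are constructed for the demo; the script needs ssh-keygen on the PATH and skips with a message if it is missing.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): generate an ed25519 key pair
# non-interactively and verify it the way you would by hand.
# Constructed values: the scratch directory, comment and passphrase below are
# demo values only; use your own passphrase in practice.
set -eu

# Generate a passphrase-protected ed25519 key pair as $1/id_ed25519 with
# comment $2 and passphrase $3. -q suppresses the randomart, -N supplies the
# passphrase so no prompt appears, -f sets the output path.
generate_ed25519() {
  dir=$1; comment=$2; passphrase=$3
  mkdir -p "$dir"
  chmod 700 "$dir"
  ssh-keygen -q -t ed25519 -N "$passphrase" -C "$comment" -f "$dir/id_ed25519"
}

# Verify the key pair at $1/id_ed25519 using passphrase $2.
# Prints a reason and returns 1 on the first failed check; returns 0 if all pass.
verify_ed25519() {
  dir=$1; passphrase=$2
  key=$dir/id_ed25519
  pub=$key.pub

  # 1. ssh refuses private keys that are group- or world-readable, so the
  #    mode must be exactly 600 (GNU stat first, BSD/macOS stat as fallback).
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  [ "$mode" = 600 ] || { echo "bad mode $mode on $key"; return 1; }

  # 2. The public key line must carry the ed25519 key type.
  case $(cut -d' ' -f1 "$pub") in
    ssh-ed25519) ;;
    *) echo "unexpected key type in $pub"; return 1 ;;
  esac

  # 3. The fingerprint line must report 256 bits and (ED25519), e.g.
  #    "256 SHA256:... demo@example.com (ED25519)".
  fp=$(ssh-keygen -l -f "$pub")
  case $fp in
    "256 SHA256:"*"(ED25519)") ;;
    *) echo "unexpected fingerprint line: $fp"; return 1 ;;
  esac

  # 4. Re-derive the public key from the private key with the passphrase.
  #    Matching type and base64 blob proves the passphrase is right and that
  #    the two files belong together.
  derived=$(ssh-keygen -y -P "$passphrase" -f "$key")
  [ "$(cut -d' ' -f1,2 "$pub")" = "$(printf '%s\n' "$derived" | cut -d' ' -f1,2)" ] \
    || { echo "public key does not match private key"; return 1; }

  # 5. A wrong passphrase must be rejected, otherwise the key is unprotected.
  if ssh-keygen -y -P "wrong-$passphrase" -f "$key" >/dev/null 2>&1; then
    echo "private key is not actually passphrase protected"; return 1
  fi
  return 0
}

# End-to-end run: returns 0 if a freshly generated key passes every check.
# Skips (returns 0 with a message) when ssh-keygen is not installed.
demo() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed; skipping"; return 0; }
  scratch=$(mktemp -d)
  trap 'rm -rf "$scratch"' EXIT
  generate_ed25519 "$scratch" "demo@example.com" "correct horse battery staple"
  verify_ed25519 "$scratch" "correct horse battery staple"
}
```

Check 5 is the one people skip: a key generated with an empty -N looks identical from the outside, so the only way to know the file is really encrypted is to confirm that the wrong passphrase fails to unlock it. The same ssh-keygen -y -P invocation is also a quick way to confirm you still remember a passphrase before you need it in an emergency.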

Here is a simple Python 3 script to generate a random passphrase. It uses the secrets module, which draws from the operating system's cryptographic random source; do not substitute the random module for this.

import string
import secrets

def generate_secure_password(length=12):
    # Define the characters to choose from
    characters = string.ascii_letters + string.digits + string.punctuation
    # Generate a secure random password
    password = ''.join(secrets.choice(characters) for _ in range(length))
    return password

# Generate a secure password of length 12
secure_password = generate_secure_password(12)
print("Generated secure password:", secure_password)

Next Steps

If you want to dive deeper into SSH keys, here are some search term ideas for further reading.