Default OpenSSH Key Algorithm Changes to Ed25519
The default security algorithm for OpenSSH keys is about to change from RSA to Ed25519! But don't worry, in most cases, everything will still work just fine.
Bottom line: your old generated RSA keys will continue to work just fine, and new Ed25519 will also work just fine on most servers you connect to!
Ed25519 vs RSA
The RSA algorithm has been used by default to generate OpenSSH keys for quite a long time, even though it might not necessarily be the best choice these days. While RSA has served its purpose very well for decades, it is not the most secure anymore and what's worse, it generates very long keys which can be a bit cumbersome to deal with.
Ed25519 on the other hand uses a newer algorithm invented around 2006, and available as an option in OpenSSH since 2014. It's purportedly a more secure algorithm (though I'm no expert), and the key lengths are much shorter as you can see in this picture:
Don't worry, this was just a test key which is already deleted. Do NOT use it.
How to Generate an SSH Key Pair
ssh-keygen in a terminal window and follow the prompts. If you don't pass any arguments,
it will use your operating system's defaults, which might still be
rsa -- it will say what algorithm
Warning: don't allow it to overwrite an existing key if you still need your old one. You can specify a new file name instead.
When it's finished, the filename you chose will be the private key, and a corresponding file of the same name
but with a
.pub key as the public portion of the key.
How to Generate an Ed25519 Key Pair
If when you run
ssh-keygen it says "generating rsa key pair" then you don't have the latest
OpenSSH version yet. That's alright, to force it to use Ed25519 simply run with the flags:
ssh-keygen -t ed25519
Ed25519 keys will work 99.9% of the time so you can go ahead and use them without worry. Only very old servers do not support Ed25519 keys. One notable exception to this is AWS EC2 instances, which didn't offer Ed25519 support until January 2022 for their EC2 Instance Connect and EC2 Serial Console features. But even before that, if you wanted to only SSH from your own terminal (on a local machine or a datacenter jump box) you could still use Ed25519 on AWS.
If, for some reason, you still need to generate
rsa keys, run this:
ssh -t rsa
This article, and all articles on this blog, were written without the use of any AI, GPT, or Language Learning Models. It's old fashioned I guess.