Create an SSH Keypair

March 25, 2026

Key Type Comparison

Modern OpenSSH supports several key types with different security and compatibility characteristics:

Ed25519 (Recommended)

  • Algorithm: EdDSA using Curve25519
  • Security: Excellent - resistant to timing attacks, smaller key size with equivalent security
  • Performance: Very fast key generation and signing
  • Support: OpenSSH 6.5+ (2014)
  • Key size: 256-bit (fixed)
  • Use when: You control both client and server, or server is relatively modern

ssh-keygen -t ed25519 -C "$USER@$HOSTNAME-$(date +'%Y-%m-%d')" -f ~/.ssh/id_ed25519

RSA

  • Algorithm: Rivest-Shamir-Adleman
  • Security: Good with 4096-bit keys, but considered legacy
  • Performance: Slower than Ed25519
  • Support: OpenSSH 2.0+ (universal compatibility)
  • Key size: 2048-bit minimum, 4096-bit recommended
  • Use when: Maximum compatibility needed with older systems
  • Note: OpenSSH 8.8+ (2021) disabled RSA SHA-1 signatures by default due to security concerns

ssh-keygen -t rsa -b 4096 -C "$USER@$HOSTNAME-$(date +'%Y-%m-%d')" -f ~/.ssh/id_rsa

ECDSA

  • Algorithm: Elliptic Curve Digital Signature Algorithm
  • Security: Good, but concerns about NIST curve selection
  • Support: OpenSSH 5.7+ (2011)
  • Key size: 256, 384, or 521-bit
  • Use when: Ed25519 not available but you want smaller keys than RSA
  • Note: Generally prefer Ed25519 over ECDSA when both are available

ssh-keygen -t ecdsa -b 521 -C "$USER@$HOSTNAME-$(date +'%Y-%m-%d')" -f ~/.ssh/id_ecdsa
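
The comparison above is most useful when you can check what is already deployed. As an added example (not from the original post), the following Python script audits the entries of an authorized_keys file against that guidance: it parses the OpenSSH public-key wire format itself (length-prefixed fields, RFC 4253 / RFC 5656 layout) rather than calling ssh-keygen, so it needs only the standard library. Every sample key it checks is constructed in code and is not a real key; the option string, paths and comments are invented for illustration.

```python
"""Audit OpenSSH public keys against the key-type guidance above.
Added example; all sample keys are CONSTRUCTED (format-valid, not real)."""
import base64
import struct
from dataclasses import dataclass

RSA_MIN_BITS = 2048          # "2048-bit minimum"
RSA_RECOMMENDED_BITS = 4096  # "4096-bit recommended"
KNOWN_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


@dataclass
class KeyInfo:
    key_type: str
    bits: int
    comment: str
    verdict: str


def _read_string(blob: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _assess(key_type: str, bits: int) -> str:
    if key_type == "ssh-ed25519":
        return "ok: Ed25519 (recommended)"
    if key_type == "ssh-rsa":
        if bits < RSA_MIN_BITS:
            return f"weak: RSA {bits}-bit is below the {RSA_MIN_BITS}-bit minimum"
        if bits < RSA_RECOMMENDED_BITS:
            return f"acceptable: RSA {bits}-bit, {RSA_RECOMMENDED_BITS}-bit recommended"
        return f"ok: RSA {bits}-bit (legacy type, prefer Ed25519 where supported)"
    return f"ok: ECDSA nistp{bits}, prefer Ed25519 when both are available"


def parse_public_key(line: str) -> KeyInfo:
    """Parse one .pub / authorized_keys line; leading options are skipped."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type in line")
    key_type = tokens[idx]
    comment = " ".join(tokens[idx + 2:])
    blob = base64.b64decode(tokens[idx + 1], validate=True)
    name, off = _read_string(blob, 0)
    if name != key_type.encode():
        raise ValueError("key-type token does not match blob header")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent (mpint)
        n, _ = _read_string(blob, off)         # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)     # e.g. b"nistp521"
        bits = int(curve[len(b"nistp"):])
    else:
        pk, _ = _read_string(blob, off)        # raw 32-byte Ed25519 key
        if len(pk) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        bits = 256
    return KeyInfo(key_type, bits, comment, _assess(key_type, bits))


def audit(text: str) -> list:
    """Parse every non-empty, non-comment line of an authorized_keys file."""
    return [parse_public_key(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# --- constructed sample data: format-valid blobs, NOT real keys -----------
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(v: int) -> bytes:   # adds the leading 0x00 when the high bit is set
    return _string(v.to_bytes((v.bit_length() + 8) // 8, "big"))


def constructed_key(key_type: str, bits: int = 0, comment: str = "") -> str:
    if key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    elif key_type == "ssh-ed25519":
        blob = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
    else:
        curve = key_type[len("ecdsa-sha2-"):]
        coord = (int(curve[5:]) + 7) // 8
        blob = (_string(key_type.encode()) + _string(curve.encode())
                + _string(b"\x04" + b"\x02" * (2 * coord)))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    constructed_key("ssh-ed25519", comment="alice@laptop-2026-03-25"),
    constructed_key("ssh-rsa", bits=4096, comment="bob@build-2024-01-10"),
    constructed_key("ssh-rsa", bits=1024, comment="legacy-backup"),
    'no-pty,command="/usr/local/bin/backup.sh" '
    + constructed_key("ecdsa-sha2-nistp521", comment="backup@nas"),
])

if __name__ == "__main__":
    for k in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{k.key_type:20} {k.bits:5}  {k.comment:28} {k.verdict}")
```

Point `audit()` at the contents of a real ~/.ssh/authorized_keys to list each key's type, size and verdict. The RSA size is taken from the modulus itself rather than from the comment, so a key labelled "4096" but generated smaller is still flagged; whether a server still accepts RSA SHA-1 signatures (the OpenSSH 8.8 note above) is a server-configuration question the key file alone cannot answer.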

Creating an RSA Keypair

One part of hardening sshd is enabling key-based logins. I like to include the hostname and the date of creation in the key comment.

ssh-keygen -t rsa -b 4096 -C "$USER@$HOSTNAME-$(date +'%Y-%m-%d')" -f ~/.ssh/id_rsa

You will be prompted for a passphrase. I highly encourage you to protect your key with a passphrase; we can make the key easier to use in an upcoming step.

By default the keys are written to ~/.ssh, where you will find two files: the private key, id_rsa, and the public key, id_rsa.pub.

You can now install the public key on the remote server with ssh-copy-id, or manually by adding it to the server's ~/.ssh/authorized_keys file. The ssh client will automatically use the id_rsa key if it is present; if the key needs to be unlocked, you will be prompted for the passphrase.

Recommendation

For new deployments, use Ed25519 unless you need compatibility with systems older than 2014. For maximum compatibility with legacy systems, use RSA 4096-bit keys.