SSH keys are more than just a password replacement; they’re a cryptographic handshake that lets machines talk securely without ever needing to type a password. The real magic is that you can generate different types of keys for different purposes, and understanding those differences is key to securing your digital life.
Let’s generate an ed25519 key pair first. This is generally preferred for its speed and strong security.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "your_email@example.com"
Here’s what’s happening:
-t ed25519: This specifies the type of key to create, in this case,ed25519.-f ~/.ssh/id_ed25519: This sets the filename and path for the private key. The public key will automatically be namedid_ed25519.pubin the same directory.-C "your_email@example.com": This is a comment. It’s useful for identifying the key later, especially if you have many.
You’ll be prompted for a passphrase. This adds an extra layer of security; even if someone steals your private key, they can’t use it without the passphrase. Think of it as a password for your key.
Now, let’s generate an rsa key pair. While ed25519 is newer and often faster, rsa is still widely supported and useful for older systems. We’ll make it a strong one.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "your_email@example.com"
The flags here are similar:
-t rsa: Specifies thersaalgorithm.-b 4096: Sets the key size in bits. For RSA, 4096 bits is currently considered very strong. Smaller sizes like 2048 are common but less secure.-f ~/.ssh/id_rsa: The filename for the private RSA key.id_rsa.pubwill be its public counterpart.-C "your_email@example.com": The same comment for identification.
Again, you’ll be prompted for a passphrase. It’s highly recommended to use one.
After running these commands, you’ll have two sets of files in your ~/.ssh/ directory:
id_ed25519(private) andid_ed25519.pub(public)id_rsa(private) andid_rsa.pub(public)
You’ll use the .pub files to grant access to servers, and keep the private files absolutely secret. To use a public key on a remote server, you’d typically copy its content into the ~/.ssh/authorized_keys file on that server.
The core difference between ed25519 and rsa lies in their underlying mathematical principles. ed25519 uses a curve-based cryptography (specifically, the Edwards-curve Digital Signature Algorithm) which allows for shorter keys that are computationally faster to generate and verify, while offering comparable or superior security to RSA. RSA relies on the difficulty of factoring large prime numbers. This means ed25519 keys are generally smaller, faster, and often considered more secure against future advances in computing that might weaken RSA’s underpinnings.
When you generate keys, the SSH client doesn’t automatically know which private key to use for which connection. It follows a specific order of preference: ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, and ~/.ssh/id_dsa. If you want to ensure a specific key is used, or if you have multiple keys for different services, you can explicitly tell SSH which key to use with the -i flag: ssh -i ~/.ssh/my_specific_key user@host.
The next hurdle you’ll likely face is managing multiple keys across different servers and services, which often leads to using an SSH agent to avoid repeatedly typing your passphrase.