Demystifying SSH Key Types: From RSA to Ed25519

Secure Shell (SSH) is the backbone of secure remote access—but with so many key algorithms to choose from, which one should you use? Let’s walk through the history, the trade‑offs, and the modern sweet spot for most users.

Why SSH Keys Matter Today

You’ve probably typed ssh user@server dozens of times—but do you know what’s happening under the hood? SSH key algorithms aren’t just academic: they determine how fast your connections are, how resilient they are to future attacks (think quantum!), and even whether your CI pipeline can talk to GitHub without a hitch.

In this guide you’ll learn:

• Why asymmetric crypto is critical in SSH
• The pros and cons of RSA, DSA, ECDSA, and Ed25519
• Pro tips for choosing and generating keys on Linux/macOS

SSH Asymmetric Encryption in a Nutshell

• Authentication & Key ExchangeSSH uses your public/private key pair to sign a random challenge—no shared passwords flying over the wire.
• Session EncryptionOnce you’re in, SSH negotiates a fast symmetric cipher (AES, ChaCha20) for the bulk of data.

Pro tip: Always use SSH‑2 (the only supported protocol since 1998) and disable weak ciphers in your sshd_config.

Handy OpenSSH Flags

ssh-keygen -o -a 100 -b <bits> -t <type> -C "[email protected]"

• -o : bcrypt‑protected private key format
• -a 100 : increase passphrase KDF rounds on fast machines
• -b <bits> : key size (ignored for Ed25519)
• -C "<comment>" : annotation in authorized_keys

RSA: The Classic Workhorse

Overview: “Rivest–Shamir–Adleman” relies on factoring large n = p · q. Still everywhere thanks to legacy systems.

When to use it:

• Compatibility with old devices or strict compliance regimes
• When you need a familiar backup plan

Generate a 4096‑bit key:

ssh-keygen -t rsa -b 4096 -o -a 100 -C "[email protected]"

How it works:

1. Pick two large primes p and q.
2. Compute n = p · q and phi(n) = (p - 1) · (q - 1).
3. Choose e, compute d as e · d ≡ 1 (mod phi(n)).
4. Encrypt with c = m^e mod n; decrypt with m = c^d mod n.

Security:

• Current margin: 3072 + bit keys are safe today.
• Future threat: Quantum computers could run Shor’s algorithm and break it.

DSA: The Legacy Signature

Overview: Digital Signature Algorithm (ssh-dss) is an older NIST standard locked to 1024 bits and SHA‑1—disabled by default in OpenSSH ≥ 7.0.

When to use it:

• Only if you absolutely must connect to pre‑2010 appliances

Why it’s weak:

• 1024 bits → ~80 bits security
• SHA‑1 → collision risks
• Nonce reuse → private key leaks

ECDSA: Curve‑Based Alternative

Overview: ECDSA uses NIST curves (P‑256/384/521) to offer RSA‑like security with smaller keys.

When to use it:

• FIPS‑compliant environments
• You want smaller keys and faster ops than RSA

Generate P‑256 key:

ssh-keygen -t ecdsa -b 256 -o -a 100 -C "[email protected]"

Snapshot:

• Key size: 256 bits → ~128 bits security
• Signature: ~70 – 100 bytes
• Caveat: Each signature needs a fresh random k—poor RNG = total compromise.

Ed25519: The Modern Default

Overview: Ed25519 (EdDSA on Curve25519) is fast, secure, and simple. Default in OpenSSH since v9.4.

When to use it:

• Almost always—modern servers, Git hosts, CI, hardware tokens

Generate your key:

ssh-keygen -t ed25519 -a 100 -C "[email protected]"

How it works (high‑level):

1. Derive a 256‑bit scalar from your seed (SHA-512 + clamp).
2. Sign with a deterministic nonce (no RNG headaches).
3. Verify with a single point‑mul and addition.

Security & Performance:

• ~128 bits classical security
• Constant‑time ladder → side‑channel resistance
• 32 byte keys, 64 byte signatures

TL;DR & Next Steps

• Most users: Go with Ed25519—easy, fast, and future‑proof (until quantum arrives).
• Legacy: RSA 4096 bits if you need compatibility; avoid DSA altogether.
• Compliance: ECDSA (P‑256/P‑384) in FIPS environments.

Action Item:

rm ~/.ssh/id_{rsa,ecdsa}*
ssh-keygen -t ed25519 -a 100 -C "new-key@$(hostname)"

For more detailed SSH notes, visit my GitHub.