Quick Note on SSH Key Best Practices

Hey there, this is just a little reminder for myself about generating SSH keys using ssh-keygen. If it helps you too, that’s awesome! 🛡️

Key Types and Security

  1. Ed25519 over RSA: I’ve found that Ed25519 offers a nice balance of strong security and much shorter key lengths.

    ssh-keygen -t ed25519 -a 100
  2. Fallback to RSA: On older systems, Ed25519 isn’t always supported. If needed, I use RSA with a key length of 4096 bits.

    ssh-keygen -t rsa -b 4096 -a 100

Naming Convention: Keeping Things Organized

Naming keys can get tricky, especially with multiple keys. Here’s what’s been working for me:

  • Hostname or Domain-based: e.g., laptop_example_com_ed25519
  • Purpose-based: e.g., github_ed25519
  • Role-based: e.g., admin_ed25519
  • Date of Creation: e.g., id_ed25519_2023_07
  • Mix and Match: e.g., laptop_github_admin_ed25519_2023_07

One Key Per Device

It’s a good habit to use separate SSH keys per device. Here’s why:

  • Security Isolation: If one device is compromised, only the key from that device is at risk. You won’t have to replace keys on all your devices, just the affected one.

  • Easy Revocation: If you lose a device or it gets stolen, you can easily revoke access for that specific key without disrupting your workflow on other devices.

  • Auditing and Logging: Different keys for different devices make it simpler to track activities. If there’s any unauthorized access, logs will show which device’s key was used, helping pinpoint potential security issues.

Additional Tips

  • -C Option for Comments: I find it useful to add a comment when generating the key. It serves as a little reminder of where and why I created it.

    ssh-keygen -t ed25519 -a 100 -C "guillaume@laptop.example.com 202307"
  • Keep Private Keys Safe: Remember, always keep those private keys secure. Use strong passphrases and check permissions!

Putting It All Together

When I need to generate a new key, this is the command I run:

ssh-keygen -t ed25519 -a 100 -C "guillaume@laptop.example.com 202307"

And, when prompted, I save it as:


That’s it for now. Just a note for future me. If you’re reading this, hope you found it helpful too!