Generate Secure SSH Keys

As a software developer, you’re most likely using SSH keys. Whether you’re doing system administration or pushing commits to source control like GitHub or GitLab, it’s considered best practice to do it over SSH with public key authentication instead of passwords.

And because you’ll do both in this learning path (server administration and pushing code to a source control repository), you should set up your SSH key first. If you already have an existing key, don’t skip ahead; read the next section first.

DSA and RSA 1024 Are Outdated!

Do you already have an SSH key? Alright, cool!

Time flies and SSH keys become outdated. If you generated your SSH key a long time ago, you may have a weak key and, with that, open insecure connections to remote systems. You might be lucky and the remote system refuses DSA or RSA 1024 keys, but you can’t rely on that.

Check your SSH Keys

Verify the strength of your SSH keys using the following command. It expects your SSH keys to be located in the ~/.ssh folder. You should be able to execute it on Mac and Linux without any issues. On Windows, you can use “Git Bash”, which provides the required commands.

for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

The output may look like this:

4096 SHA256:0wGMlgS9ZM/bH0A0E1VTIOqw9eFt3RF5wOxb5hCAqgQ marcus@email.com (RSA)
4096 SHA256:qkyWBs354/tMXxryQnV9V2zVC6/7q6SsZW8Ycp/W15E Marcus@MXC-NB04 (RSA)

Notice: this command only searches for SSH keys whose filename starts with id_. If your keys don’t use that prefix, adjust the command. For example, a key named github won’t be found with the command above.

Validate your output like this:

  • DSA or RSA 1024 bits: Unsafe! Definitely a red flag.
  • RSA 2048: Yellow flag, you should update your keys.
  • RSA 3072/4096: It’s fine, although Ed25519 has some benefits!
  • ECDSA: You’d better change.
  • Ed25519: Safe territory. If you’re using this, you’re good to go.

On my machine, I’ve set up multiple keys. Running the command to verify all keys results in this:

$ for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

256 SHA256:M1N2O3P4 marcuspoehls@macbook.local (ED25519)
2048 SHA256:A/bcde marcus@futurestud.io (RSA)
4096 SHA256:abcde marcuspoehls@macbook.local (RSA)

Applying the metric from above, I need to keep an eye on the RSA key with 2048 bits. In the medium term, it’s a lot safer to upgrade at least to RSA 4096 or, better, to Ed25519.

Please notice the first key with 256 bits. At first, you may wonder where to put it in the list of validation options, since there’s no 256-bit entry. Here you have to check the key type at the end of the line: ED25519. Ed25519 keys are always 256 bits, so this line maps to the last item of the list and you’re absolutely safe with this key :)
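Here is an added example, not part of the original tutorial, that automates the check from this section: a POSIX shell script that grades each line of ssh-keygen -l output by the rules in the list above, and an audit function that scans every *.pub file in ~/.ssh so keys that are not named id_* (like the github key mentioned earlier) are found as well. It assumes ssh-keygen is installed; the three sample lines at the end are the ones from the output above, with placeholder fingerprints.

```shell
#!/bin/sh
# Added example (not from the original tutorial): grade SSH keys by the
# rules of this section. grade_key() takes one line of `ssh-keygen -l`
# output; audit_ssh_dir() runs it over every *.pub file in a directory,
# so keys that are not named id_* (e.g. "github") are found as well.
# Assumes POSIX sh and an installed ssh-keygen.

# Input line format: "<bits> SHA256:<fingerprint> <comment> (<TYPE>)"
grade_key() {
    line=$1
    bits=${line%% *}          # leading number = key size in bits
    type=${line##*(}          # text after the last "("
    type=${type%)}            # drop the closing ")"
    case "$type" in
        DSA)     echo "RED: DSA is unsafe, replace this key" ;;
        ED25519) echo "GREEN: Ed25519, good to go" ;;
        ECDSA)   echo "CHANGE: ECDSA, better move to Ed25519" ;;
        RSA)
            if   [ "$bits" -lt 2048 ]; then echo "RED: RSA $bits is unsafe, replace this key"
            elif [ "$bits" -lt 3072 ]; then echo "YELLOW: RSA $bits, plan an upgrade"
            else echo "GREEN: RSA $bits is fine (Ed25519 still has benefits)"
            fi ;;
        *)       echo "UNKNOWN: $type, check manually" ;;
    esac
}

# Audit all public keys in a directory (default: ~/.ssh); prints one
# "<grade><TAB><file>" line per key.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        if info=$(ssh-keygen -l -f "$pub" 2>/dev/null); then
            printf '%s\t%s\n' "$(grade_key "$info")" "$pub"
        else
            printf 'SKIP: unreadable\t%s\n' "$pub"
        fi
    done
}

# Constructed sample input: the three lines from the output above, with
# placeholder fingerprints. To check your own keys, call: audit_ssh_dir
for sample in \
    '256 SHA256:M1N2O3P4 marcuspoehls@macbook.local (ED25519)' \
    '2048 SHA256:A/bcde marcus@futurestud.io (RSA)' \
    '4096 SHA256:abcde marcuspoehls@macbook.local (RSA)'
do
    grade_key "$sample"
done
```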

If you’re using a DSA or RSA 1024 key, consider the upgrade! The goal of this learning path is to securely self-host your Node.js applications in production. You want your application to be safe, and that starts with your own machine. The next section shows you how to generate a new and secure SSH key.

Generate Your SSH Key

During the generation of your new key pair, you’ll be asked for a passphrase. This passphrase is used to encrypt your private key. If your private key is ever lost or stolen, a strong passphrase is what protects you from others using it to impersonate you. Make sure you’re choosing a passphrase that’s not easy to brute-force.

The SSH key generator offers two options that make brute-forcing the passphrase harder: the new key format and an up-to-date key derivation function powered by bcrypt. Bcrypt is a password hashing function that incorporates a salt (a random string) to protect your actual passphrase against brute-force attacks.

$ ssh-keygen -o -a 100 -t ed25519

Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/marcuspoehls/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519.
Your public key has been saved in id_ed25519.pub.
The key fingerprint is:
SHA256:Fu7uRe5tudi0 marcus@host
The key's randomart image is:
+--[ED25519 256]--+
…
+----[SHA256]-----+

When running ssh-keygen, apply the -o option for the new RFC4716 key format with bcrypt as a modern key derivation function. The -a <num> option specifies the number of key derivation rounds; more rounds make each passphrase guess more expensive. With -t <name> you define the key type to create.

While generating your new key pair, you’re asked to provide a passphrase. That’s the first chance for your password manager to show its strength: benefit from an automatically generated passphrase that you don’t need to remember.

Your newly generated SSH key pair is located in the presented directory. In my case, it’s /Users/marcuspoehls/.ssh/id_ed25519. Existing SSH keys are next to the new one in ~/.ssh.

Great, you’ve updated or created your up-to-date SSH key pair. Now your system is prepared to securely open and use remote connections to other systems using SSH.
