Ed25519 Keys for SSH

A technical article detailing how I switched my SSH login on a remote Linux server to use Ed25519 keys.

screenshot of macOS terminal

I changed my SSH login to my remote Linux server to use Ed25519 keys. This is one of the few technical articles I wrote this year. Writing these articles helps me better understand the technologies I use.

Ed25519 is a widely used public-key signature algorithm based on elliptic curve cryptography (ECC). It was designed by Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The "ed" in its name stands for the Edwards curve, which is the elliptic curve used in the algorithm.

Ed25519 is designed to provide high security while maintaining excellent performance. It offers 128-bit security, which means it is resistant to known cryptographic attacks. The algorithm is specifically optimised for speed, making it efficient for various applications.

Ed25519 is based on the twisted Edwards curve called Curve25519, which Daniel J. Bernstein also developed. The choice of this curve offers several advantages, including resistance against certain types of side-channel attacks and efficient implementation across different platforms.

Ed25519 uses elliptic curve key pairs for signing and verification. Key generation involves selecting a random 256-bit secret scalar, which is used to compute the corresponding public key. The secret scalar should be generated using a cryptographically secure random number generator.

To create a signature using Ed25519, the signer uses their secret scalar and the message they want to sign. The algorithm applies a series of mathematical operations to produce a 64-byte signature. This signature can be verified using the corresponding public key.

Signature verification involves using the signer's public key, the received message, and the signature. The verification process applies a set of mathematical operations to confirm the authenticity and integrity of the message. If the verification is successful, the signature is valid, and the message hasn't been tampered with.

Ed25519 has gained significant adoption in various domains, including cryptography libraries, protocols, and applications. It is commonly used for secure communications, digital signatures, key exchange, and other cryptographic operations. Many popular libraries and frameworks, such as OpenSSL, libsodium, and GnuPG, support Ed25519.

Ed25519 offers advantages over older signature algorithms like RSA and DSA. It has shorter key lengths, making it more efficient in terms of computation and storage. Additionally, Ed25519 is resistant to many types of attacks, including those based on side-channel information leakage.

Ed25519 has been widely recognised as a reliable and secure signature algorithm and has found extensive use in various cryptographic applications due to its performance and security characteristics.

To generate an Ed25519 key pair on macOS for logging into my Linux server, I followed these steps:

  1. Open the Terminal application on macOS.
  2. The ssh-keygen command generates the Ed25519 key pair. In the Terminal, type the following command:ssh-keygen -t ed25519 -f linux_server_key
  3. This command generates a new Ed25519 key pair with the specified filename (linux_server_key in this example).
  4. You will be prompted to provide a passphrase for the key pair. I recommend entering a strong passphrase to protect your private key. Press Enter if you want to leave it empty (not recommended).
  5. Two files will be generated in the current directory: linux_server_key (private key) and linux_server_key.pub (public key).
  6. Copy the public key to your Linux server. I used the ssh-copy-id command to copy the public key to the server. In the Terminal, type the following command:ssh-copy-id -i linux_server_key.pub username@server_ip
  7. Replace username with your username on the Linux server and server_ip with the IP address or hostname of the Linux server. This command will copy the public key to the appropriate location on the server and enable key-based authentication.
  8. If the ssh-copy-id command is not available on your macOS, you can manually copy the contents of the linux_server_key.pub file and append it to the ~/.ssh/authorized_keys file on the Linux server.
  9. Once the public key is copied, you can use SSH to log in to the Linux server using your private key. In the Terminal, type the following command: ssh -i linux_server_key username@server_ip
  10. Replace username with your username on the Linux server and server_ip with the IP address or hostname of the Linux server. This command will use the specified private key for authentication when connecting to the server.
  11. If you set a passphrase for the private key, you will be prompted to enter it before establishing the SSH connection.

That's it! You have now generated an Ed25519 key pair on macOS and configured it to log into a Linux server using SSH.

Author:Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale.

I want to hear from you. Leave a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Feel free to comment on this story directly above, but you can also go to links/summaries posted to social media, and reply to or comment on them there.

IndieWebCamp: To respond on your own website, enter the URL of your response which should contain a link to this post's permalink URL. Your response will then appear (possibly after moderation) on this page. Want to update or remove your response? Update or delete your post and re-enter your post's URL again. (Learn More)