🚀 Depnix is currently in private beta. Request early access today!
Depnix
Mastering SSH Keys: RSA vs. ED25519 and Best Practices for Secure Access

Mastering SSH Keys: RSA vs. ED25519 and Best Practices for Secure Access

Arafat IslamArafat Islam
April 25, 2026
5 min read

Introduction

In the world of DevOps and cloud infrastructure, Secure Shell (SSH) is the umbilical cord connecting developers to their remote servers. While most of us are familiar with the basic ssh user@ip command, the underlying mechanism—the SSH key—is often misunderstood. As security standards evolve, the choice between different encryption algorithms like RSA and ED25519 becomes critical. In this guide, we will break down the differences between these algorithms, show you how to generate them, and share tips to keep your keys secure on Depnix and beyond.

What Are SSH Keys?

SSH keys are a pair of cryptographic keys used for authenticating a user to a remote server. This pair consists of a public key (which you share with the world or upload to your server) and a private key (which you keep secret on your local machine). Unlike passwords, SSH keys are virtually impossible to brute-force, providing a much higher level of security for your virtual machines.

RSA: The Industry Veteran

RSA (Rivest-Shamir-Adleman) is one of the oldest and most widely supported asymmetric encryption algorithms. For decades, it has been the default choice for SSH keys.

The Technical Details

  • Mechanism: RSA relies on the mathematical difficulty of factoring large prime numbers.
  • Key Length: To remain secure today, RSA keys must be at least 2048 bits. However, 4096 bits is the recommended standard for modern applications.
  • Compatibility: Almost every legacy system and SSH client supports RSA.

The Catch: As computing power increases, RSA keys need to become longer to stay secure. Longer keys mean slower encryption/decryption processes. Furthermore, recent versions of OpenSSH (8.8+) have begun deprecating the use of RSA with the SHA-1 hash due to known vulnerabilities, though RSA with SHA-256 remains secure.

ED25519: The Modern Standard

ED25519 is an implementation of EdDSA (Edwards-curve Digital Signature Algorithm). It is widely considered the gold standard for SSH keys in modern environments.

The Technical Details

  • Mechanism: It uses Elliptic Curve Cryptography (ECC), which provides better security with much smaller key sizes.
  • Speed and Efficiency: ED25519 is significantly faster to generate and verify than RSA. It is also designed to be resistant to side-channel attacks.
  • Key Size: An ED25519 public key is only about 68 characters long, compared to the massive blocks of text required for a 4096-bit RSA key.

The Verdict: Unless you are working with extremely old legacy systems (pre-2014), you should use ED25519 for all your SSH needs.

How to Generate SSH Keys

Generating keys is straightforward using the ssh-keygen tool available on Linux, macOS, and Windows (via PowerShell or WSL).

Generating an ED25519 Key (Recommended)

Run the following command in your terminal:

ssh-keygen -t ed25519 -C "your_email@example.com"
  • -t ed25519: Specifies the algorithm.
  • -C: Adds a comment (usually your email) to help identify the key.

Generating an RSA Key (Legacy Support)

If you must use RSA, ensure you specify a sufficient bit length:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  • -b 4096: Forces the key to be 4096 bits instead of the default 2048 or 3072.

During generation, you will be prompted to choose a file location (the default ~/.ssh/id_ed25519 is usually best) and a passphrase.

Pro-Tips for Keeping Your Keys Secure

Generating a strong key is only half the battle. You must manage them correctly to prevent unauthorized access.

1. Always Use a Passphrase

When generating a key, ssh-keygen asks for a passphrase. Do not leave this blank. A passphrase encrypts your private key on your local disk. If your laptop is stolen, the thief cannot use your SSH keys without knowing the passphrase. Use an SSH agent (ssh-add) so you only have to type the passphrase once per session.

2. Limit Key Permissions

Your SSH directory and keys must have strict permissions. If they are too open, SSH will refuse to use them.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519

3. Disable Password Authentication

Once you have verified that your SSH key works, disable password-based logins on your server. This eliminates the risk of brute-force attacks. In /etc/ssh/sshd_config, set:

PasswordAuthentication no
PubkeyAuthentication yes

4. Use a Config File

Managing multiple keys for different servers (e.g., GitHub, Depnix, and production servers) can be messy. Use the ~/.ssh/config file to map keys to hosts:

Host my-depnix-server
    HostName 1.2.3.4
    User deploy
    IdentityFile ~/.ssh/id_ed25519_depnix

Now you can simply run ssh my-depnix-server.

Conclusion

SSH keys are the foundation of secure server management. While RSA has served the industry well, ED25519 offers superior security and performance for modern workflows. By choosing the right algorithm and following security best practices like using passphrases and disabling password logins, you can ensure your infrastructure on Depnix remains a fortress.

Ready to deploy? Head over to your Depnix dashboard and add your new ED25519 key to your project today!",

sshsecuritydevopsserver administrationencryption