Which SSH key type should I use?

Ed25519 is recommended for all new SSH keys. It's faster than RSA, produces smaller keys (68 chars vs 400+), and uses a modern elliptic curve (Curve25519) with no known weaknesses. Use RSA-4096 only if you need compatibility with very old systems.

Is ECDSA safe for SSH?

ECDSA with NIST curves (P-256, P-384) is secure but has implementation risks — a biased random number during signing can leak the private key. Ed25519 avoids this by design. If your systems support Ed25519, prefer it over ECDSA.

SSH Key Types Explained: Ed25519 vs RSA vs ECDSA

Running ssh-keygen asks you to choose a key type. For most of its history, the default was RSA. In 2013 that changed with the introduction of Ed25519, a significantly better algorithm that's now available on any Linux server running OpenSSH 6.5 or newer — meaning essentially everything.

Here's what each type actually means and which one to use.

The Four SSH Key Types

OpenSSH supports four key types: RSA, DSA, ECDSA, and Ed25519.

DSA is dead. OpenSSH removed support for DSA host keys in OpenSSH 7.0 (2015). DSA is limited to 1024-bit keys and is not considered secure. Skip it entirely.

That leaves three types worth discussing.

RSA

RSA is the oldest and most widely supported algorithm. Every SSH implementation that has ever existed supports RSA. The security of RSA depends on key size:

1024-bit RSA: insecure, do not use
2048-bit RSA: minimum acceptable, but aging
4096-bit RSA: safe for long-term use, slower to generate and use

RSA key generation is slow because it requires finding large prime numbers. Generating a 4096-bit RSA key can take a few seconds even on modern hardware. Signing with RSA is also slower than elliptic curve alternatives.

Use RSA when: you need to authenticate to an old system that doesn't support Ed25519 or ECDSA — legacy routers, embedded systems, very old Unix servers.

ECDSA

ECDSA uses the same elliptic curves as EC keys in TLS and JWT: P-256, P-384, or P-521 (called nistp256, nistp384, nistp521 in OpenSSH). ECDSA keys are much smaller and faster than RSA keys at equivalent security.

The problem with ECDSA for SSH specifically is the same one that affects ECDSA everywhere: it requires a cryptographically random nonce per signature. If that nonce is predictable or reused, the private key can be recovered. In practice, a broken random number generator — for example in an embedded device with low entropy at boot — can fatally compromise ECDSA.

Sony's PlayStation 3 was broken this way. In constrained environments (IoT devices, containers, VMs immediately after provisioning), ECDSA carries more risk than Ed25519.

Use ECDSA when: you need elliptic curve performance but the target system doesn't yet support Ed25519. On modern servers, prefer Ed25519 instead.

Ed25519

Ed25519 is an Edwards-curve Digital Signature Algorithm using Curve25519, designed by Daniel J. Bernstein and introduced to OpenSSH in 2014. It's now the recommended default for new SSH keys.

Key properties:

Deterministic signatures: Ed25519 doesn't use a random nonce per signature. The nonce is derived from the private key and message using a hash function. This eliminates the class of vulnerabilities that broke ECDSA on low-entropy systems. You get the same signature every time for the same input.

Fixed key size: Ed25519 keys are always 256 bits. There's no choice to make — the security level is fixed at approximately 128 bits, which is more than sufficient.

Fast: Ed25519 is substantially faster than RSA for both key generation and signing. An Ed25519 key generates in milliseconds. RSA-4096 can take several seconds.

Small: An Ed25519 public key is 68 bytes in OpenSSH format. An RSA-4096 public key is about 715 bytes. When you're managing hundreds of authorized_keys entries, this adds up.

Widely supported: Any system running OpenSSH 6.5+ (released in 2014) supports Ed25519. This covers all major Linux distributions in active use, macOS 10.14+, and Windows 10 1809+.

Key Comparison

	Ed25519	ECDSA (P-256)	RSA-4096
Security bits	~128	~128	~140
Key generation	~1ms	~1ms	2–10s
Private key size	64 bytes	121 bytes	~3.2 KB
Public key size	32 bytes	65 bytes	~512 bytes
Deterministic	✓	✗	✓
OpenSSH support	6.5+ (2014)	5.7+ (2011)	All versions
Compatibility	Modern systems	Most systems	Universal

Compare SSH key types — size, generation speed, and compatibility

Private key size64 bytes

Public key size32 bytes

Key generation time~1ms

~128

Security bits

✓ Yes

Deterministic

✓ Yes

Recommended

✓ Best choice for all new keys — fast, small, and provably secure

OpenSSH 6.5+ (2014) — Modern systems

Which One to Use

For all new keys on modern systems: Ed25519. No debate needed. It's faster, smaller, and safer than ECDSA, and more performant than RSA at similar security levels.

ssh-keygen -t ed25519 -C "your-email@example.com"

For systems that don't support Ed25519: RSA-4096.

ssh-keygen -t rsa -b 4096 -C "your-email@example.com"

Never use DSA. Avoid RSA-2048 for new keys. RSA-2048 will be sufficient through approximately 2030 per NIST guidance, but if you're generating a new key today there's no reason not to use 4096-bit.

Passphrase Protection

Regardless of key type, protect your private key with a strong passphrase. If an attacker gets your private key file without a passphrase, they have immediate access to every server that trusts that key.

Modern SSH agents (ssh-agent, 1Password SSH agent, macOS Keychain) cache the decrypted key in memory after you enter the passphrase once per session, so the passphrase doesn't slow down your daily workflow.

The authorized_keys File

When you deploy a public key to a server, it gets appended to ~/.ssh/authorized_keys. The format is:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... comment

An Ed25519 public key here is about 80 characters. An RSA-4096 public key is about 720 characters. When a server has many authorized keys, this matters for readability and parsing time (though the performance difference is negligible in practice).

Rotating Old Keys

If you have existing RSA-2048 or ECDSA keys in production, there's no urgency to rotate them — they're not broken. But the next time you're setting up a new server or client, switch to Ed25519. Keep a migration list of systems where you replace old keys over time.

For automation and CI/CD pipelines specifically, Ed25519's deterministic signatures and small key size make it particularly well-suited: keys are faster to generate in ephemeral environments, and there's no entropy risk on freshly-created VMs.

Using SSH Keys Programmatically

If you're building deployment automation, CI/CD pipelines, or server management tools, you'll often need to generate SSH keys or connect via SSH from code — not just the command line. The libraries below handle Ed25519 key generation and authenticated SSH sessions across all major languages.

import { Client } from "ssh2";           // npm install ssh2
import { generateKeyPairSync } from "crypto";

// Generate an Ed25519 key pair
const { privateKey, publicKey } = generateKeyPairSync("ed25519", {
privateKeyEncoding: { type: "pkcs8", format: "pem" },
publicKeyEncoding:  { type: "spki",  format: "pem" },
});

console.log(privateKey); // -----BEGIN PRIVATE KEY-----  ...
console.log(publicKey);  // -----BEGIN PUBLIC KEY-----   ...

// Connect to a remote server using the private key
const conn = new Client();
conn
.on("ready", () => {
  console.log("SSH session established");
  conn.exec("uptime", (err, stream) => {
    stream.on("data", (data) => console.log(data.toString()));
    stream.on("close", () => conn.end());
  });
})
.connect({
  host:       "your-server.example.com",
  port:       22,
  username:   "deploy",
  privateKey: privateKey,
});

Generate Ed25519 and RSA SSH key pairs in your browser with the SSH Key Generator — no OpenSSH installation required.