5
What are the recommended arguments to ssh-keygen for generating a secure ssh keypair these days? The default appears to be 2048 bit RSA, good enough?
I'm using OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012.
2
The default 2048 bit RSA is considered safe until 2030. If that is good enough for you, you can generate your keys with the following command:
ssh-keygen -f $HOME/.ssh/rsa_key_file_2048
If you require a key that is safe beyond 2030 a longer key is recommended (3072 bit should suffice). You can define the key size with the -b argument:
ssh-keygen -t rsa -b 3072 -f $HOME/.ssh/rsa_key_file_3072
The result of the commands is two files: the private key as defined by the -f argument, and the public key with the extension .pub.
1 Does anyone have a citation for "considered safe until 2030"? – outofculture – 2016-01-29T21:05:04.383
@outofculture - The statement is no longer true. A 2048-bit key itself is no longer considered completely safe; while it would take considerable resources, the industry is moving to larger keys. – Ramhound – 2016-01-29T21:27:52.130
Could you provide a source? – ofaurax – 2016-11-08T15:25:36.357
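A check that goes with the -b discussion above, as an added example that is not part of the original answers: it reads the modulus size out of `ssh-rsa` public key lines (the value `ssh-keygen -l -f` reports) and flags keys below a chosen minimum. The 3072-bit threshold, the function names and the sample lines are assumptions; the sample keys are constructed and not usable.

```python
import base64
import struct

MIN_RSA_BITS = 3072  # assumed policy; the answer above suggests 3072 beyond 2030

def _field(blob, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length")
    end = off + 4 + struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_bits(line):
    """Modulus size in bits of an 'ssh-rsa <base64> [comment]' public key line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _exponent, off = _field(blob, off)
    modulus, _ = _field(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def audit(lines, min_bits=MIN_RSA_BITS):
    """Return (comment, bits, meets_policy) per ssh-rsa line; other lines are skipped."""
    report = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == "ssh-rsa":
            bits = rsa_bits(line)
            comment = parts[2].strip() if len(parts) > 2 else ""
            report.append((comment, bits, bits >= min_bits))
    return report

def constructed_line(bits, comment):
    """Build a well-formed line around a made-up modulus (sample data, not a usable key)."""
    def mpint(v):  # length-prefixed big-endian integer; leading 0x00 keeps it positive
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = [constructed_line(2048, "old@laptop"), constructed_line(3072, "new@laptop")]

if __name__ == "__main__":
    for comment, bits, ok in audit(SAMPLE):
        print(f"{bits:5d} {'ok' if ok else 'below policy'} {comment}")
```

Lines that begin with authorized_keys options or with another key type are skipped rather than parsed.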
0
Here is a simple one,
ssh-keygen -t rsa -b 4096 -C youremail@domain.com
-t is the cryptographic algorithm
-b is the byte size of key (I won't recommend using 2048)
-C is the comment. Please read the portion below to understand the significance of the comment.
ssh-keygen will by default write keys in an OpenSSH-specific format. This format is preferred as it offers better protection for keys at rest as well as allowing storage of key comments within the private key file itself. The key comment may be useful to help identify the key. The comment is initialized to “user@host” when the key is created, but can be changed using the -c option.
This topic has been covered on Security StackExchange: https://security.stackexchange.com/questions/23383/ssh-key-type-rsa-dsa-ecdsa-are-there-easy-answers-for-which-to-choose-when
– ofaurax – 2016-11-08T15:27:34.923