Generate an Ed25519 SSH key on Linux

Better than old RSA keys for new Linux servers and Git access.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Protect private keys with a passphrase and filesystem permissions (chmod 600). Never copy private keys to servers — only the public key belongs in authorized_keys.

What you will achieve

Create a modern Ed25519 SSH key pair on Linux, install the public key on a remote server, and verify key-based login — the default recommendation over legacy 2048-bit RSA for new deployments.

1) Generate Ed25519 key

ssh-keygen -t ed25519 -C "admin@workstation" -f ~/.ssh/id_ed25519

Enter a strong passphrase when prompted; pressing Enter on an empty prompt leaves the private key unencrypted. Ed25519 keys are short, fast, and resistant to common attacks. Add -a 100 to raise the KDF rounds, if your OpenSSH version supports it, for extra passphrase protection.

2) Start ssh-agent and add key

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

On desktop Ubuntu, GNOME Keyring often handles this automatically after login.

3) Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server.example.com

Manual alternative if ssh-copy-id is unavailable:

cat ~/.ssh/id_ed25519.pub | ssh user@server.example.com \
  'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

4) Test login

ssh -i ~/.ssh/id_ed25519 user@server.example.com

Configure ~/.ssh/config for convenience:

Host myserver
    HostName server.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

5) Server-side permissions matter

On the server, home must not be group-writable; .ssh must be 700 and authorized_keys 600. sshd rejects keys when permissions are loose.

# On server:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
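
An added example, not part of the original guide: a POSIX shell function that checks the three conditions above for one account and prints the chmod that fixes each failure. The function names mode_of, writable_by_others and audit_ssh_perms are made up for this example, and it assumes GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example: audit the step 5 permissions for one account.
# Source this file on the server, then run: audit_ssh_perms "$HOME"
# Assumes GNU stat (stat -c), the default on Linux.

# mode_of PATH: print the octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# writable_by_others MODE: succeed if the group or other write bit is set
writable_by_others() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# audit_ssh_perms [HOME_DIR]: return 0 if all checks pass, 1 otherwise
audit_ssh_perms() {
    home=${1:-$HOME}
    rc=0

    # Home directory: any mode is fine as long as group/other cannot write.
    if writable_by_others "$(mode_of "$home")"; then
        echo "FAIL $home is group/other-writable: chmod go-w $home"
        rc=1
    fi

    # .ssh must be 700 and authorized_keys must be 600.
    for spec in "700:$home/.ssh" "600:$home/.ssh/authorized_keys"; do
        want=${spec%%:*}
        path=${spec#*:}
        if [ ! -e "$path" ]; then
            echo "FAIL $path is missing"
            rc=1
        elif [ "$(mode_of "$path")" != "$want" ]; then
            echo "FAIL $path is $(mode_of "$path"), expected $want: chmod $want $path"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK $home"
    return "$rc"
}
```

A non-zero return means at least one path would cause sshd to ignore authorized_keys for that account.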

6) Ed25519 vs RSA today

OpenSSH 8.2+ supports Ed25519 everywhere that matters. Use RSA 4096 only when connecting to ancient appliances that reject Ed25519. GitHub, GitLab, and modern Linux distros accept Ed25519.

7) Rotate compromised keys

Generate a new key pair, deploy the new public key to all servers, verify login, then remove the old public key from authorized_keys on each host. Never reuse a private key you suspect was exposed — rotation beats forensic regret.

Prerequisites

OpenSSH client and server packages installed. For Git hosting, add the public key in the web UI under SSH keys — same id_ed25519.pub content as on servers.

Verify

ssh-keygen -lf ~/.ssh/id_ed25519.pub
ssh -v myserver true 2>&1 | grep -E "Offering public key|Authenticated to"

Fingerprint should match what you added to the server. Verbose output should show publickey authentication succeeding.
