Generate SSH keys

tested on OpenBSD 6.3 and macOS 10.13

Generate a strong passphrase to protect your private key. For example, with diceware.

Run ssh-keygen(1) to create a SSH key pair and enter that passphrase:

$ ssh-keygen -t ed25519 -a 100
Enter file in which to save the key
(/home/username/.ssh/id_ed25519):
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_ed25519.
Your public key has been saved in ~/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx comment
The key's randomart image is:
+--[ED25519 256]--+
|       .o=@*=    |
|        oX = .=  |
|        * o +    |
|       = o =     |
|        S o +    |
|       * + o     |
|      = X.o.=    |
|       O =+o     |
|      . E++++    |
+----[SHA256]-----+
$

Option -t ed25519 specifies the type of the key.
Option -a 100 specifies the number of key derivation function rounds used (higher the number—better protection against brute-force cracking).

RSA fallback

If Ed25519 isn’t yet supported by your operating systems, use long RSA keys as a fallback.

$ ssh-keygen -t rsa -b 4096 -o -a 100
Enter file in which to save the key
(/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_rsa.
Your public key has been saved in ~/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx comment
The key's randomart image is:
+---[RSA 2048]----+
|  .ooo ...ooo    |
|  ..o.+  .o+  E  |
|.o.o.o = . o     |
|.Boo= + +        |
|+ Bo . =S        |
| o . ...+. o     |
|    . o  ++      |
|     o o .o      |
|      + ..*      |
+----[SHA256]-----+
$

Option -o enables the new OpenSSH format to increase resistance to brute-force cracking.

Do not share private keys

Don’t copy or share your private key. Generate a new key pair for every user and every device. Use the same key pair for multiple destinations.

Use SSH configuration

Add all your frequently used hosts to ~/.ssh/config, like this:

Host remote_host
  User username_on_remote_host
  Hostname www.example.com
  IdentityFile /home/username/.ssh/id_ed25519

After adding this to your SSH configuration you can run:

# ssh www

instead of:

$ ssh -i ~/.ssh/id_ed25519 username_on_remote_host@www.example.com