Secure and private online communication mainly relies on effective and fast data encryption and decryption. There are two general types of encryption in use: symmetric and asymmetric. In symmetric encryption, both sides share the same key; in asymmetric encryption, different keys are used for encrypting and for decrypting data, and each party holds its own key pair. One of the most well-known online protocols using asymmetric encryption is SSL, used by the remote shell service SSH (Secure Shell). In this article, I will show you how you can generate your own SSH keys locally, and explain how they work.
What is Asymmetric Encryption
Asymmetric encryption has become a fundamental technology in securing internet communications, including protocols like HTTPS, SSH, and SSL/TLS. It uses a pair of mathematically related keys (public and private). The public key encrypts data, and only the corresponding private key can decrypt it. Conversely, the private key can create a digital signature that can be verified by anyone with the public key, ensuring the integrity and origin of the message.
Asymmetric encryption was conceptualized by Whitfield Diffie and Martin Hellman in 1976 (Diffie-Hellman key exchange). RSA, one of the first public-key algorithms, was introduced by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. Over time, more efficient algorithms like ECC (Elliptic Curve Cryptography) were developed, providing the same level of security with smaller key sizes.
Public Keys vs. Private Keys
The figure above shows the interaction between the data to transmit and the different keys owned by the sender and receiver. Public keys are what their name suggests: public. For many services, key servers exist that publish the public keys belonging to, for example, email addresses. OpenPGP maintains such servers, providing public keys for recipients you want to send encrypted emails to.
Private keys, on the other hand, should be treated with the utmost care. They are used for signing messages, which attests that the data was verified or sent by the key owner. They are also used for decrypting data that was encrypted with the public key from the same pair. Many private key formats allow you to set a passphrase, a password that adds an extra layer of protection to the key. So even if a malicious actor gets access to your key files, they cannot use them without the passphrase.
Cryptographically, public keys are usually derived from private keys. That means the private key is the first element created in a pair; then, through irreversible mathematical transformations, the public key is derived from it. This, by the way, is the same mechanism that Bitcoin and other cryptocurrencies use for key generation.
Understanding the Key Algorithms
Understanding the algorithms used for key generation and derivation is essential to generating good keys. Keys are deemed “good” when they are cryptographically strong. In some cases, this also means they should be short without compromising security. The list below shows three major key algorithms available for SSH key generation.
RSA (Rivest–Shamir–Adleman)
RSA is a widely used public-key encryption algorithm that relies on the computational difficulty of factoring large integers.
Recommended key size: 2048 or 4096 bits.
ECDSA (Elliptic Curve Digital Signature Algorithm)
ECDSA uses the mathematics of elliptic curves to provide security equivalent to RSA but with shorter key lengths. It is faster and requires less computational power, which makes it suitable for mobile devices.
Common sizes: 256, 384, or 521 bits.
Ed25519
Ed25519 is a specific instance of the Edwards-curve Digital Signature Algorithm (EdDSA). It offers high security with high performance and smaller key sizes (256 bits).
Highly recommended for new applications.
Generating Your Keys
Generating your own SSH keys locally is relatively simple. Assuming you have the ssh-keygen command available on your system (which should be the case on most Linux and macOS devices), it is a one-line command.
Creating SSH Keys on Linux
On Linux, run the command below. Replace your_email@example.com with your email address, or anything else. The “-C” argument stands for “comment” and helps you distinguish different keys; you can also leave it empty.
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
The generated key files are by default located in ~/.ssh and are called id_rsa and id_rsa.pub. These names may vary if you chose non-default settings during key generation. After you have successfully created your keys, you may want to add them to the ssh-agent environment so you don’t have to type the passphrase every time you use them (if you set one):
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
Congratulations, you have now generated your own SSH keys locally on Linux.
Creating SSH Keys on macOS
The process on macOS is very similar to Linux. The key generation itself uses the exact same command with the same arguments:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
For the ssh-agent environment, you need to provide an extra “-K” argument. Apart from that, everything works just as above.
eval "$(ssh-agent -s)"
ssh-add -K ~/.ssh/id_rsa
Your keys on macOS behave the same way as on Linux. You are now fully equipped for secure SSH connections to SSH servers.
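The id_rsa.pub files produced above (and the lines in a server's authorized_keys) use the same OpenSSH public-key format: a key type, a base64 blob of length-prefixed fields, and the optional comment set with -C. The following added Python example, not from the original article, parses that format, computes the SHA256 fingerprint in the form ssh-keygen -l prints, and flags keys that fall below the recommendations from the key algorithm section (RSA under 2048 bits, unknown or legacy types). The sample lines at the bottom are constructed from synthetic key material, not real keys.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': add a leading 0x00 when the top bit is set so it stays positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def _read_fields(blob: bytes) -> list:
    fields, off = [], 0          # walk the length-prefixed fields of the blob
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return fields

def parse_pubkey_line(line: str) -> dict:
    """Parse 'type base64 [comment]' as written to id_*.pub or authorized_keys."""
    parts = line.split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    fields = _read_fields(blob)
    if fields[0].decode() != key_type:
        raise ValueError("type prefix does not match the encoded blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": key_type, "comment": parts[2] if len(parts) > 2 else "",
            "fingerprint": "SHA256:" + digest}     # same form as ssh-keygen -l
    if key_type == "ssh-rsa":                       # fields: type, e, n
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
        info["ok"] = info["bits"] >= 2048           # page recommends 2048 or 4096
    elif key_type.startswith("ecdsa-sha2-nistp"):   # fields: type, curve, point
        info["bits"] = int(fields[1].decode()[5:])
        info["ok"] = info["bits"] in (256, 384, 521)
    elif key_type == "ssh-ed25519":                 # fields: type, 32-byte key
        info["bits"], info["ok"] = len(fields[1]) * 8, len(fields[1]) == 32
    else:                                           # unknown or legacy type
        info["bits"], info["ok"] = None, False
    return info

def make_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble a public-key line from encoded fields (constructed samples below use synthetic material)."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()

SAMPLE_RSA_4096 = make_line("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 4095) | 1), comment="laptop")
SAMPLE_RSA_1024 = make_line("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1))
SAMPLE_ED25519 = make_line("ssh-ed25519", _ssh_string(bytes(range(32))), comment="your_email@example.com")
```

Running parse_pubkey_line over each line of ~/.ssh/*.pub or an authorized_keys file gives a quick inventory of key types and sizes to compare against the recommendations above.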
Conclusion
In this article, you learned how to generate your own SSH keys locally. You dived into the technical background and are now better equipped to manage your own online security and privacy! Always use encrypted connections when transmitting sensitive information. If you want to further secure the connection to your remote servers, build your own private VPN or use an existing free service! If you want to safely store and back up your new SSH keys, try a password manager like 1Password that also stores files for you.
If you liked this article or want to share your own experiences, comment below to get the conversation started!