Migrate a VPS from RSA to ed25519 keys
When it comes to SSH keys, there are several different types you can use, including RSA and ed25519. While RSA keys have been the standard for many years, ed25519 keys are now considered the recommended key type for several reasons.
One major advantage of ed25519 keys is that they are generally shorter in length than RSA keys while still offering the same level of security, if not greater.
Because of that, I've decided to switch from RSA keys to ed25519 ones on all my virtual private servers.
In this guide, we will go through the creation of an ed25519 key and see how to deploy it alongside the existing RSA key, so that SSH access works with both of them during the migration.
Back up the authorized_keys file
Before we start, connect to your VPS and make a copy of your old authorized_keys file:
cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys_back
This will allow us to quickly restore the previous configuration if something goes wrong.
Create an ed25519 key
Next, on your desktop create a new ed25519 key. This can be done by following these steps:
Create a directory for the new key:
mkdir ~/.ssh/mynewkey/
Make the directory accessible to you only:
chmod 700 ~/.ssh/mynewkey/
Generate the ed25519 key and set a passphrase. We recommend using a different passphrase for each key to make it easier to recognize which key you're using:
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/mynewkey/id_ed25519 -C "user@mail.com"
Restrict the key files to read-only for your user, with no access for anyone else:
chmod 400 ~/.ssh/mynewkey/*
Copy the key to the target host
Before copying the key, check your ~/.ssh/config file and make sure it already contains an entry for your server, like the following:
Host myvps
Hostname 123.123.123.123
Port 22
User user
IdentityFile ~/.ssh/oldkey/id_rsa
The ed25519 key you have just generated has to be copied to the target server; we will use the ssh-copy-id command:
ssh-copy-id -f -i ~/.ssh/mynewkey/id_ed25519.pub myvps
ssh-copy-id will connect to the server using the RSA key and append the new ed25519 public key to the authorized_keys file.
Connect with the ed25519 key
To use the new key, update ~/.ssh/config and specify the new IdentityFile:
Host myvps
Hostname 123.123.123.123
Port 22
User user
# IdentityFile ~/.ssh/oldkey/id_rsa
IdentityFile ~/.ssh/mynewkey/id_ed25519
Now, you can connect to your VPS using your new key and passphrase:
ssh myvps
Finally, to secure your authorized_keys file, set read-only permission on it on the target host:
chmod 400 ~/.ssh/authorized_keys
Conclusions
You have learned how to create an ed25519 key and deploy it alongside an existing RSA key. Being able to connect to a server with two different keys allows you to gradually adopt the new key over the old one.
Finally, to complete the migration, delete the old RSA key manually on the remote server:
SSH to your server.
Edit ~/.ssh/authorized_keys.
Remove the line containing the RSA key.
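As an added example that is not part of the original post, here is a small POSIX shell script for this last step with a safety check: it refuses to remove the RSA key unless the ed25519 key is already present in authorized_keys, backs the file up first, and matches the key by its type and base64 blob so a different comment on the server does not prevent a match. The key strings and the demo() helper are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: finish the migration by removing
# the old RSA public key from authorized_keys, refusing to touch the file unless
# the new ed25519 key is already installed, so you cannot lock yourself out.
# All key strings and paths in demo() are constructed placeholders, not real keys.

# Print "type base64blob" of a .pub file, dropping the comment so a differing
# comment on the server side does not prevent a match.
pub_blob() { awk '{ print $1 " " $2 }' "$1"; }

# remove_old_key AUTHORIZED_KEYS NEW_PUB OLD_PUB
# Status: 0 = old key removed (backup written), 1 = refused (new key missing
# or identical to old key), 2 = old key not present, nothing to do.
remove_old_key() {
    ak=$1
    newblob=$(pub_blob "$2")
    oldblob=$(pub_blob "$3")
    [ "$newblob" != "$oldblob" ] || { echo "refusing: same key given twice" >&2; return 1; }
    if ! grep -qF -- "$newblob" "$ak"; then
        echo "refusing: new ed25519 key not found in $ak" >&2
        return 1
    fi
    grep -qF -- "$oldblob" "$ak" || return 2
    cp -p "$ak" "$ak.bak"                        # same safety net as the guide's backup step
    grep -vF -- "$oldblob" "$ak" > "$ak.tmp"     # -F: the blob is a fixed string, not a regex
    mv "$ak.tmp" "$ak"
    chmod 400 "$ak"                              # matches the guide's final permission
    return 0
}

# Number of key lines left in an authorized_keys file.
key_count() { grep -c '' "$1"; }

# Stand-alone demonstration on constructed data; prints the remaining line count (1).
demo() {
    dir=$(mktemp -d)
    echo 'ssh-rsa AAAACONSTRUCTED_OLD_RSA_BLOB user@mail.com'         > "$dir/id_rsa.pub"
    echo 'ssh-ed25519 AAAACONSTRUCTED_NEW_ED25519_BLOB user@mail.com' > "$dir/id_ed25519.pub"
    cat "$dir/id_rsa.pub" "$dir/id_ed25519.pub" > "$dir/authorized_keys"
    remove_old_key "$dir/authorized_keys" "$dir/id_ed25519.pub" "$dir/id_rsa.pub"
    key_count "$dir/authorized_keys"
    rm -rf "$dir"
}

demo
```

On a real server you would run remove_old_key against ~/.ssh/authorized_keys with your two .pub files, and keep the .bak copy until a fresh login with the ed25519 key has succeeded.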