Migrate a VPS from RSA to ed25519 keys

When it comes to SSH keys, there are several different types you can use, including RSA and ed25519. While RSA keys have been the standard for many years, ed25519 keys are now considered the recommended key type for several reasons.

One major advantage of ed25519 keys is that they are generally shorter in length than RSA keys while still offering the same level of security, if not greater.

Because of that, I've decided to switch RSA keys to ed25519 ones on all my virtual private servers.

In this guide, we will go through the creation of an ed25519 key and see how to deploy it alongside the existing RSA key, so that SSH access works with both of them during the transition.

Back up the authorized_keys file

Before we start, connect to your VPS and make a copy of your old authorized_keys file:

cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys_back

This will allow us to quickly restore the previous configuration if something goes wrong.

Create an ed25519 key

Next, on your desktop create a new ed25519 key. This can be done by following these steps:

mkdir ~/.ssh/mynewkey/

Set the directory visible to you only:

chmod 700 ~/.ssh/mynewkey/

Generate the ed25519 key and set a passphrase. We recommend using a different passphrase for each key to make it easier to recognize which key you're using:

ssh-keygen -a 100 -t ed25519 -f ~/.ssh/mynewkey/id_ed25519 -C "user@mail.com"

Make the private key read-only for you and inaccessible to everyone else:

chmod 400 ~/.ssh/mynewkey/*

Copy the key to the target host

Before copying the key, check your ~/.ssh/config file and make sure it already contains an entry for your server, like the following:

Host myvps
   Hostname 123.123.123.123
   Port 22
   User user
   IdentityFile ~/.ssh/oldkey/id_rsa

The ed25519 key you have just generated has to be copied to the target server; we will use the ssh-copy-id command:

ssh-copy-id -f -i ~/.ssh/mynewkey/id_ed25519.pub myvps

ssh-copy-id will connect to the server using the existing RSA key and append the new ed25519 public key to the authorized_keys file (the -f flag skips the check for whether the key is already installed on the remote side).

Connect with the ed25519 key

To use the new key you need to update the ~/.ssh/config and specify the new Identity file:

Host myvps
   Hostname 123.123.123.123
   Port 22
   User user
#  IdentityFile ~/.ssh/oldkey/id_rsa
   IdentityFile ~/.ssh/mynewkey/id_ed25519

Now, you can connect to your VPS using your new key and passphrase:

ssh myvps

Finally, to secure your authorized_keys file, set the read-only permission on the target host:

chmod 400 ~/.ssh/authorized_keys

Conclusions

You have learned how to create an ed25519 key and deploy it alongside an existing RSA key. Being able to connect to a server with two different keys lets you gradually adopt the new key in place of the old one.

Finally, to complete the migration, delete the old RSA key manually on the remote server:

  1. SSH to your server.

  2. Edit ~/.ssh/authorized_keys.

  3. Remove the line containing the RSA key.
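As an added example, not part of the original article, the following POSIX shell script performs that last step with a safety check: it counts the key types in an authorized_keys file, refuses to touch it unless an ssh-ed25519 entry is present, keeps a backup, and only then strips the ssh-rsa lines. It runs offline against a constructed sample file with placeholder key material.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an authorized_keys
# file and retire the old ssh-rsa entries only once an ssh-ed25519 key is
# confirmed present, so the final step of the migration cannot lock you out.

# Print how many keys of a given type ($1, e.g. ssh-rsa) are in file $2.
# Lines may carry options before the type ("from=... ssh-rsa AAAA...").
count_keys() {
    n=$(grep -c "$1 " "$2" 2>/dev/null || true)
    echo "${n:-0}"
}

# Remove every ssh-rsa line from $1, keeping a backup next to it.
# Refuses (returns 1) when no ssh-ed25519 key is present in the file.
retire_rsa_keys() {
    file="$1"
    if [ "$(count_keys ssh-ed25519 "$file")" -eq 0 ]; then
        echo "refusing: no ed25519 key found in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    grep -v "ssh-rsa " "$file.bak" > "$file"
    chmod 400 "$file"   # same final permission the article applies
}

# Constructed sample file with placeholder (not real) key material.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDEROLDKEY user@mail.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERNEWKEY user@mail.com
EOF

retire_rsa_keys "$SAMPLE" && echo "rsa keys retired; backup at $SAMPLE.bak"
```

To use it on a real server, point retire_rsa_keys at ~/.ssh/authorized_keys after confirming with ssh myvps that the ed25519 login already works.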


Support Marco Boretto by becoming a sponsor. Any amount is appreciated!