Options I Use with ssh-keygen When Creating SSH Public and Private Keys

Tadashi Shigeoka ·  Thu, February 9, 2017

I’ll introduce the options I use with the ssh-keygen command when creating SSH public and private keys.

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/example.com -C [email protected]
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/yourname/.ssh/example.com.
Your public key has been saved in /Users/yourname/.ssh/example.com.pub.
The key fingerprint is:
SHA256:bDiAA/Rpt24cM3nlrCJBrWwsYQvass4z623oDowPIMA [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|o.               |
|....o            |
|oEo=.o   .       |
|=.B.o.oo+        |
|=o.* *o.So       |
|=oo + =o.        |
|=... = .         |
|+*..o .          |
|+B*.             |
+----[SHA256]-----+

-t  Specify key type (rsa/dsa)
-b  Specify key length
-f  Specify output file
-C  Add a new comment

$ ssh-keygen -l -f ~/.ssh/example.com
4096 SHA256:bDiAA/Rpt24cM3nlrCJBrWwsYQvass4z623oDowPIMA [email protected] (RSA)

-l Check public key information (type, fingerprint, comment, etc.)

In my personal judgment, 2048-bit RSA keys should be able to fight until 2030, so I think that's fine for the time being.

Since there’s this opinion, I’m satisfied with this approach.
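
The line printed by ssh-keygen -l can also be checked against a key-length policy. The script below is an added example, not part of the original post; the function names and the MIN_RSA_BITS threshold (default 2048) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply a key-strength policy to lines printed by
# `ssh-keygen -l -f <file>`, which have the form
#   <bits> <fingerprint> <comment ...> (<TYPE>)
# MIN_RSA_BITS is an assumed policy value, not an ssh-keygen setting.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# Print a verdict for one line; return 0 = ok, 1 = weak, 2 = not recognised.
classify_key_line() {
    line=$1
    bits=${line%% *}        # first field: key length in bits
    type=${line##*\(}       # text after the last "(" ...
    type=${type%\)}         # ... minus the closing ")"
    case $bits in
        ''|*[!0-9]*) echo "UNPARSED"; return 2 ;;
    esac
    case $type in
        RSA)
            if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
                echo "WEAK RSA $bits"; return 1
            fi
            echo "OK RSA $bits" ;;
        DSA)
            # OpenSSH DSA keys are 1024-bit and disabled by default since 7.0.
            echo "WEAK DSA $bits"; return 1 ;;
        ECDSA|ED25519)
            echo "OK $type $bits" ;;
        *)
            echo "UNKNOWN $type"; return 2 ;;
    esac
}

# Run the check over every public key in a directory (e.g. ~/.ssh).
audit_keys() {
    dir=$1; rc=0
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue
        if line=$(ssh-keygen -l -f "$f" 2>/dev/null); then
            verdict=$(classify_key_line "$line") || rc=1
        else
            verdict="UNPARSED"; rc=1
        fi
        echo "$f: $verdict"
    done
    return "$rc"
}

# Usage: sh audit.sh ~/.ssh   (exits non-zero if any key fails the policy)
if [ -n "${1:-}" ]; then audit_keys "$1"; fi
```

The type is taken from the last pair of parentheses because the comment field may itself contain spaces or parentheses.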


That’s all from the Gemba.