Why should I use the options, -t rsa
, -b 4096
, and -C "[email protected]"
when creating an SSH key, as instructed by github? If I create an SSH key without these options, is it less secure? If so, why?
What frustrates me about these options is that they're hard to remember (is it 4096 or 4095? Which flag went with the number and which went with the "rsa" value? Which flag went in front of my email? Wasn't it an uppercase letter?), and creating new keys can be a frequent activity, for example, if trying out bitbucket and gitlab, and different cloud hosting providers.
[update]
The man page states, "The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2 connections."
Why then does the github page specify -t rsa
?
-t
and -b
are the parameters that go with the ssh-keygen utility.
-t (type)
Specifies the algorithm to be used for generating the keys.
Algorithms available are -
rsa
, dsa
, ecdsa
-b (bits)
Specifies the no. of bits for the key size.
These were 1024
, 2048
earlier.
2048 * 2 = 4096
is considered strong. Hence the recommended key size.
2048
bits is considered to be sufficient for RSA keys. This is the default key size if you don't mention the -b
flag.
rsa
- Rivest–Shamir–Adleman
dsa
- Digital Signature Algorithm. A key size of 1024 would normally be used with it.
ecdsa
- Elliptic Curve Digital Signature Algorithm - three key sizes are supported: 256, 384, and 521 bits.
As of for the different numbers in different public-key cryptographic algorithms, you will have to explore the information security/encryption/symmetric algorithms domain.
For 2021 and beyond:
RSA is now starting to be phased out in favour of Ed25519. The original question is based off of old information. Github and most people recommend now using Ed25519 if at all possible.
ssh-keygen -t ed25519 -C "[email protected]"
The default number of rounds for this is 16. You can increase the number of rounds with the -a
parameter. However, keep in mind that the more rounds the slower verification will become so logins would be a bit slower. The default 16 might be less than 1 second to login, whereas a value of 150 or more might add a few seconds or more of delay:
ssh-keygen -t ed25519 -a 100 -C "[email protected]"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With