SSH keys use strong encryption

Check your SSH key strength

Check the algorithm and key size of your existing keys:

ssh-keygen -l -f ~/.ssh/id_rsa
ssh-keygen -l -f ~/.ssh/id_ed25519
ssh-keygen -l -f ~/.ssh/id_ecdsa

The output shows the key size in bits (the first number) and the algorithm type (in parentheses at the end of the line).

Recommended key standards

Use these minimum key sizes and algorithms:

✅ Recommended (Strong)

  • Ed25519: 256 bits (modern, fast, secure)
  • RSA: 4096 bits minimum
  • ECDSA: 521 bits (P-521 curve)

⚠️ Acceptable (Minimum)

  • RSA: 2048 bits (legacy systems only)
  • ECDSA: 384 bits (P-384 curve)

❌ Weak (Replace immediately)

  • RSA: Less than 2048 bits
  • DSA: Any size (deprecated algorithm)
  • ECDSA: 256 bits or smaller
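
To apply the tiers above to the ssh-keygen -l output described earlier, here is an added example (not part of the original page) that parses each output line and labels the key strong, acceptable, or weak. The function names and the sample lines are assumptions made for illustration; the fingerprints are placeholders.

```shell
#!/bin/sh
# classify_key BITS TYPE -> strong | acceptable | weak | unknown
# Thresholds follow this page's Recommended / Acceptable / Weak lists.
classify_key() {
    bits=$1 type=$2
    case "$bits" in ''|*[!0-9]*) echo unknown; return ;; esac
    case "$type" in
        ED25519) echo strong ;;
        RSA)
            if [ "$bits" -ge 4096 ]; then echo strong
            elif [ "$bits" -ge 2048 ]; then echo acceptable
            else echo weak; fi ;;
        ECDSA)
            if [ "$bits" -ge 521 ]; then echo strong
            elif [ "$bits" -ge 384 ]; then echo acceptable
            else echo weak; fi ;;
        DSA) echo weak ;;
        *) echo unknown ;;   # any type the page's lists do not cover
    esac
}

# classify_line LINE, where LINE is "<bits> <fingerprint> <comment...> (<TYPE>)".
# Comments may contain spaces or parentheses, so use the first field and the
# last parenthesised token instead of splitting on whitespace.
classify_line() {
    line=$1
    bits=${line%% *}
    type=${line##*\(}
    type=${type%\)}
    classify_key "$bits" "$type"
}

# audit_keys [DIR]: classify every public key file in DIR (default ~/.ssh).
audit_keys() {
    dir=${1:-$HOME/.ssh}
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        out=$(ssh-keygen -l -f "$pub" 2>/dev/null) || out="0 - unreadable (UNKNOWN)"
        printf '%-10s %s  %s\n' "$(classify_line "$out")" "$pub" "$out"
    done
}

# Constructed sample lines (fingerprints are placeholders), classified on run.
while IFS= read -r sample; do
    printf '%-10s %s\n' "$(classify_line "$sample")" "$sample"
done <<'EOF'
256 SHA256:PLACEHOLDER alice@example.com (ED25519)
2048 SHA256:PLACEHOLDER deploy key (build) (RSA)
1024 SHA256:PLACEHOLDER old@example.com (DSA)
EOF
```

To scan real keys, call audit_keys (optionally with a directory) after the function definitions; it needs ssh-keygen on the PATH.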

Generate new strong SSH keys

Create new keys with strong encryption:

Ed25519 (Recommended)

ssh-keygen -t ed25519 -C "your_email@example.com"

Modern, fast, and cryptographically secure.

RSA 4096-bit

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Use when Ed25519 is not supported by target systems.

ECDSA P-521

ssh-keygen -t ecdsa -b 521 -C "your_email@example.com"

Alternative to RSA for older systems that don't support Ed25519.

Verify your keys online

Check the strength of keys you use on public services:

  • Visit aremykeyssafe.com
  • Enter your username from GitHub, GitLab, or other services
  • Review the security report for your public keys

Replace weak keys

If you have weak keys, generate new ones and update all systems:

  1. Generate a new strong key using the commands above
  2. Add the new public key to all servers and services
  3. Test SSH access with the new key
  4. Remove the old weak key from servers
  5. Delete the old weak key files from your system

Migration Strategy

When replacing weak keys, gradually migrate rather than doing everything at once. Start with the most critical systems and work your way down to ensure you don't lock yourself out.

Future-Proofing

Choose Ed25519 for new keys whenever possible. It's the most modern algorithm with excellent security properties and performance characteristics.

Key Management

Keep track of where each key is used and regularly audit your SSH keys. Remove unused keys and rotate them periodically as part of good security hygiene.
