I wrote a script on this but of course I forgot how it all works. The brief summary is that there is a new encryption scheme that is supposed to be better than RSA called elliptical encryption using a curve handily named ED25519. It needs at least OpenSSL 5.7 or 6.5. The other great thing about it is that it switches to using bcrypt for on disk encryption which is much better than MD5 that is used by default. You can figure out your version with:
Using is it a little tricky because the tools don’t work super well, but ssh.com explains at a high level, but the one liner to generate an ED25519 file is to use -t to specify the new ed25519 type, then -f to say where the file goes. I like to have a different private key for each server I logon to so that I can invalidate it. The -a says how many rounds of bcrypt to use the default is 16, so 256 will take several seconds on even a fast machine making brute forcing hard and finally the -C is the comment line that goes into the file, so as a sample. I like to use a particular form for this so I can remember what the encryption is basically the email-server and then the id_ed25519 which tells you what the encryption is, so this one liner would generate something that connects to a server called test.com
ssh-keygen -t ed25519 -f “.email@example.com_ed25519” -a 256 -C firstname.lastname@example.org
Once you get this encryption you should have these files, but the question is where to put them long term. Here I use 1Password to store them in a secure note, so I put in the private key, the .pub (which is the public version), the fingerprint as well. This makes it very handy to move around and it is doubly secured on disk. I also put in the password for the key itself in the 1Password.
The last step is to connect your invocation of ssh to these keys. You need to edit on your client machine the file ~/.ssh/config and add a line that looks like this so that when you get to test.com, you give it the right key. This is way more than normal. Most folks have just a single id_rsa that they use for everything, but this is more secure.
Then on the server side, you need to add it to create the user and then add the .pub file to the authorized key list. On ubuntu this works like this to add a new user with prompts and then add that user to the sudo list and then get rid of the actual login password so you can only get in with ssh keys (be careful about this one!)
useradd rich -d /home/rich -m
adduser rich sudo
Finally to that user, you need to add into
~rich/.ssh/authorized_keys the line which is the .pub file
Then put a passwordless sudo in by adding a file to /etc/sudoers.d with the line
rich ALL=(ALL:ALL) NOPASSWD:ALL
The last step is not having to remember the password each time. There is a nice utility called ssh-add which does this so that it remembers your password each time. If you want to be super convenient, then you can use ssh-agent which you use when at each login by putting a .bashrc file entry like: