
How to make your yubikey use modern ed25519 ssh keys

If you are using OpenSSH 9.x or above and have a YubiKey with firmware > 5.3, then you can use ed25519 keys. Without writing a Michener novel, ed25519 seems to be the algorithm of choice (in 2023, as of this writing) rather than the more complex ECDSA curves proposed by NIST. Honestly, though, we have a crypto monoculture (everyone seems to quote DJB these days), so IF there is ever a problem with it: sadness. Anyways, here's the command to use it:

# Note this is for fish-shell syntax: (hostname) is fish command substitution. We don't use BASH here! (In bash it would be $(hostname).)
ssh-keygen -t ed25519-sk -C (hostname)

Then simply cat your id_ed25519_sk.pub key and append it to the authorized_keys file on your various hosts. One note: if you are REALLY paranoid, put a passphrase on the key and enable the FIDO PIN requirement. I just leave it without a passphrase, since hopefully my desktop won't get stolen by thieves. Convenience vs. security: do the math.
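Appending keys to authorized_keys is also the point where you can check, server-side, which keys are really hardware-backed. The Python script below is an added example, not part of this post: it decodes authorized_keys entries in OpenSSH's wire format, reports whether each is an sk-ssh-ed25519@openssh.com key, which FIDO application string it carries, and whether the verify-required option (sshd's authorized_keys way of enforcing the FIDO PIN) is set. The sample key lines are constructed inside the script with fake key material.

```python
import base64
import struct
SK_ED25519 = "sk-ssh-ed25519@openssh.com"  # FIDO-backed type written by ssh-keygen -t ed25519-sk
PLAIN_ED25519 = "ssh-ed25519"               # ordinary software key

def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def build_pubkey_line(key_type, pubkey, application=None, options=None, comment=""):
    # Lay out the public blob as ssh-keygen does: type, key bytes, and for
    # sk- keys the FIDO application string (normally "ssh:").
    blob = _ssh_string(key_type.encode()) + _ssh_string(pubkey)
    if application is not None:
        blob += _ssh_string(application.encode())
    return " ".join(f for f in (options, key_type, base64.b64encode(blob).decode(), comment) if f)

def audit_authorized_keys(text: str):
    # One finding per key line: hardware-backed?, FIDO application, and whether
    # the verify-required option (PIN/user verification on every use) is set.
    # Quoted options containing spaces (e.g. command="...") are not handled.
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        has_options = not tokens[0].startswith(("ssh-", "sk-", "ecdsa-"))
        options, key_type, b64 = (tokens[0], tokens[1], tokens[2]) if has_options else (None, tokens[0], tokens[1])
        blob = base64.b64decode(b64)
        blob_type, off = _read_string(blob, 0)
        if blob_type.decode() != key_type:
            raise ValueError(f"key type mismatch in line starting {line[:24]!r}")
        _pubkey, off = _read_string(blob, off)
        application = _read_string(blob, off)[0].decode() if key_type.startswith("sk-") else None
        opts = set(options.split(",")) if options else set()
        findings.append({"type": key_type, "hardware_backed": key_type.startswith("sk-"),
                         "application": application, "verify_required": "verify-required" in opts})
    return findings

# Constructed sample authorized_keys: fake 32-byte key material, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    build_pubkey_line(SK_ED25519, bytes(range(32)), "ssh:", "verify-required", "desktop-yubikey"),
    build_pubkey_line(SK_ED25519, bytes(32), "ssh:", None, "laptop-yubikey"),
    build_pubkey_line(PLAIN_ED25519, bytes([7] * 32), None, None, "old-software-key"),
])
```

Run it against a real authorized_keys file by passing the file's contents to audit_authorized_keys; any finding with hardware_backed False is a key the YubiKey never touches.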