What are the recommended arguments for ssh-keygen?

What are the recommended arguments to ssh-keygen for generating a secure SSH key pair these days? The default appears to be 2048-bit RSA; is that good enough?

I'm using OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012.


The default 2048-bit RSA is considered safe until 2030. If that is good enough for you, you can generate your keys with the following command:

ssh-keygen -f $HOME/.ssh/rsa_key_file_2048

If you require a key that is safe beyond 2030, a longer key is recommended (3072 bits should suffice). You can define the key size with the -b argument:

ssh-keygen -t rsa -b 3072 -f $HOME/.ssh/rsa_key_file_3072

The result of each command is two files: the private key as defined by the -f argument, and the public key with the extension .pub.


Here is a simple one:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

-t is the cryptographic algorithm

-b is the byte size of the key (I won't recommend using 2048)

-C is the comment. Please read the portion below to understand the significance of the comment.

ssh-keygen will by default write keys in an OpenSSH-specific format. This format is preferred as it offers better protection for keys at rest as well as allowing storage of key comments within the private key file itself. The key comment may be useful to help identify the key. The comment is initialized to “user@host” when the key is created, but can be changed using the -c option.
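
An added example, not part of either answer above: a Python check that reads one line of a .pub file and reports the key type, the RSA modulus size and the comment, so keys that are already deployed can be compared against the sizes discussed here. The function names, the 3072-bit default threshold and the sample lines are assumptions; the sample keys are constructed and not usable.

```python
import base64

MIN_RSA_BITS = 3072  # assumption: the size the first answer gives for use beyond 2030

def ssh_fields(blob):
    """Split an SSH wire-format blob into its uint32-length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or end > len(blob):
            raise ValueError("truncated field in key blob")
        out.append(blob[pos + 4:end])
        pos = end
    return out

def inspect_pubkey(line):
    """Return (key_type, rsa_bits_or_None, comment) for one .pub line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64, comment = (parts + [""])[:3]
    fields = ssh_fields(base64.b64decode(b64, validate=True))
    if not fields or fields[0].decode("ascii", "replace") != key_type:
        raise ValueError("type inside the blob does not match the line")
    bits = None
    if key_type == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must hold type, e and n")
        bits = int.from_bytes(fields[2], "big").bit_length()  # n is the last field
    return key_type, bits, comment

def too_short(line, minimum=MIN_RSA_BITS):
    """True when the line holds an RSA key shorter than `minimum` bits."""
    bits = inspect_pubkey(line)[1]
    return bits is not None and bits < minimum

def constructed_rsa_line(bits, comment):
    """Build a .pub-shaped line around a made-up modulus (constructed, not a usable key)."""
    def field(raw):
        return len(raw).to_bytes(4, "big") + raw
    def mpint(v):  # one spare byte keeps the top bit clear, as mpint requires
        return field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

if __name__ == "__main__":
    for size in (2048, 3072, 4096):
        line = constructed_rsa_line(size, "user@host")
        print(inspect_pubkey(line), "too short" if too_short(line) else "ok")
```

To check a real key, pass the single line from the .pub file written next to the private key to inspect_pubkey.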