For a long time, I wanted to switch all my SSH keys from rsa to ed25519.

A lot of online tutorials default to rsa cipher, which generates long and potentially less secure keys. I was once a victim of such crap. Fortunately, there is an alternative: ed25519.

ed25519 generates much shorter public keys, and the encryption speed is apparently faster than rsa. Why do those tutorials keep recommending rsa anyway?

However, I had to keep using my old SSH keys, since some of my old servers still use the old key. This is easy to solve in Linux: Just use the old and new keys in parallel.

Unortunately I also have a MacBook. Since macOS is a Unix system, the procedures for generating and using multiple keys should be common.

So I tried to use the standard procedures from Linux.

Generating SSH keys

ed25519 is definitely worth it.

ssh-keygen -t ed25519 -f ~/.ssh/new_key

In Linux, the new key should work automatically. I assumed that macOS’s SSH would also work that way. So I was perplexed when my servers did not recognize the new keys.

After searching for a few days, I found out the issue: macOS’s SSH uses keyrings. You need to manually add generated SSH keys to the keyring.

Add new key to macOS keychain

Note that some macOS system might have a different version of ssh-add. It is required to use the version bundled with macOS. Thus the /usr/bin/ssh-add.

/usr/bin/ssh-add -K ~/.ssh/new_key

Now you have your new ed25519 SSH keys. In my experience, this results in faster initial connection latency. And shorter pubkey is just better.