DO Ideas 2

Support ed25519 SSH keys

ed25519 keys are short, standard, and secure. The response in https://digitalocean.uservoice.com/forums/136585-digitalocean/suggestions/5915081-support-ed25519-ssh-keys is incorrect, as pointed out in its comments; ed25519 support is built into OpenSSH 6.5 and later.

  • Sep 11 2018
  • Shipped

    Admin Response

    Hi! I'm glad to say that support for ed25519 SSH keys has been rolled out to our control panel. While you can now store ed25519 public keys and add them to Droplets on create, using ed25519 keys is still dependent on distributions including OpenSSH version 6.5 or greater. While support is present in our default Ubuntu 14.04 image, some older distributions (e.g. CentOS 6 and Ubuntu 12.04) do not ship with support for ed25519. Thanks! - Andrew Starr-Bochicchio Community Manager
  • Knotsies commented
    September 11, 2018 17:19

    Please add support for this. It's embarrassing that the only ECC you support is NSA developed.

  • Vartan Simonian commented
    September 11, 2018 17:19

    I just bumped into this. Please add support for ED25519! It's a real bummer managing the keys manually.

  • Painted Fox commented
    September 11, 2018 17:19

    Please add support for this.

  • Anonymous User commented
    September 11, 2018 17:19

    Agreed. I've migrated fully to ed25519 and it's frustrating that I now have to create a special keypair just for spinning up new droplets.

  • Kevin Gallagher commented
    September 11, 2018 17:19

    Just do it already!

  • Julien Roger commented
    September 11, 2018 17:19

    I echo the comments here and also support including ed25519 key support. Not only is it a standard but it is likely the best standard currently available. It should at least be supported for instances which currently ship with OpenSSH 6.5 and above.

  • Kristian Hermansen commented
    September 11, 2018 17:19

    I agree with Kyle. It's probably a 1-line code change that any intern could do in about 15 minutes from testing to full deployment. It seems the portal merely performs a regex check and doesn't know about the ed25519 type...

  • Kyle Manna commented
    September 11, 2018 17:19

    As a follow-up, it's probably laughably simple to update the code to validate the ed25519 public keys. We're not asking for much here.

  • Kyle Manna commented
    September 11, 2018 17:19

    I'm with @md_5 here. Ed25519 is highly regarded by the crypto community as faster than RSA and more secure than ECDSA. It's a standard and is in OpenSSH 6.5 and greater.

    To say it's not a standard is embarrassingly false.

    References:
    http://www.openssh.com/txt/release-6.5
    http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf
    http://ed25519.cr.yp.to/

  • md_5 commented
    September 11, 2018 17:19

    @moisey
    ed25519 *is* an industry standard. As of OpenSSH 6.5 (which is included by default on Ubuntu 14.04 and no doubt some of your other images), the recommended key types for SSH protocol 2 are RSA, ECDSA and ED25519. ED25519 has some really neat properties, in particular a really short public key (32 bits) whilst maintaining the security of ECDSA (it's essentially just EdDSA based on a specific curve).

    It's not going to get more adoption unless companies such as yourselves support it.
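
Several comments in this thread suggest that the control panel's key check did not recognize the `ssh-ed25519` type. The following is an added example, not DigitalOcean's code or part of the original thread: a structural validator for an OpenSSH `ssh-ed25519` public key line that decodes the base64 blob and checks the embedded type string and key length instead of pattern-matching the text. The function names and the sample key bytes are constructed for illustration, and the check does not verify that the bytes decode to a valid curve point.

```python
import base64
import struct

KEY_TYPE = b"ssh-ed25519"
KEY_LEN = 32  # an Ed25519 public key is 32 bytes on the wire


def _read_string(blob, offset):
    """Read one SSH wire string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def validate_ed25519_line(line):
    """Return the raw key bytes from '<type> <base64> [comment]' or raise ValueError."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] != KEY_TYPE.decode():
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    inner_type, offset = _read_string(blob, 0)
    if inner_type != KEY_TYPE:
        raise ValueError("type inside the blob does not match the prefix")
    key, offset = _read_string(blob, offset)
    if len(key) != KEY_LEN or offset != len(blob):
        raise ValueError("wrong key length or trailing bytes")
    return key


def is_valid(line):
    """Boolean wrapper for use in an intake form or API handler."""
    try:
        validate_ed25519_line(line)
        return True
    except ValueError:
        return False


def make_line(inner_type, key, comment="constructed@example"):
    """Build a sample line for the checks below (constructed input, not a real key)."""
    blob = struct.pack(">I", len(inner_type)) + inner_type + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(is_valid(make_line(KEY_TYPE, bytes(range(32)))))
```

Because the blob repeats the key type and carries an explicit length, a check like this rejects a line whose prefix says `ssh-ed25519` but whose payload is another key type or a truncated key.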