I'm currently working on a Debian 13 system and troubleshooting an SSH login issue. I noticed a message saying "RSA key is not allowed" while checking the SSH logs at DEBUG3 level. Although the issue turned out to be related to incorrect permissions on the key path, I came across some info suggesting that RSA keys might be considered outdated due to security concerns, and that ED25519 keys are faster and more secure. I have some servers still using RSA keys (4096 bit) on Debian 11. Given the potential benefits of switching to ED25519, should I update all my SSH keys? Or is my existing RSA setup sufficient?
2 Answers
If your RSA key is 4096 bits, there's honestly not much reason to switch. It’s pretty secure for most applications, and moving to ED25519 might just add unnecessary work for you unless you're managing a new server setup. If you had an old 1024-bit key, then I'd say definitely switch, but with 4096, you're in a good spot.
I think it's the year 2025 now, so defaulting to ED25519 where possible makes sense. RSA is starting to feel more like a legacy option. It's still functional, but if you're setting up new servers or planning for the future, ED25519 is a safer bet.

Thank you for your answer. I appreciate your insights!
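Both answers above treat the RSA-to-Ed25519 switch as a new-server default rather than an emergency, and the question itself shows that the actual login failure was a permissions problem. The script below is an added example, not code posted by anyone in this thread: it audits an SSH directory for the permission mistakes that make sshd ignore authorized_keys (StrictModes is on by default) and that make the ssh client refuse a private key, counts the key types still listed in authorized_keys so the remaining RSA entries are visible, and wraps the ssh-keygen call for generating the replacement Ed25519 key. Function names are mine; it assumes GNU stat (coreutils, as on Debian) and a POSIX shell. The demo directory and its two key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an SSH directory for the
# permission mistakes that make sshd (StrictModes yes, Debian's default)
# ignore authorized_keys and that make the ssh client refuse a private key,
# and counts the key types in authorized_keys so the RSA entries that still
# need rotating are visible. Function names are mine; assumes GNU `stat`
# (coreutils, as on Debian) and a POSIX shell.

# mode_clean PATH MASK
# Return 0 if PATH exists and none of the octal permission bits in MASK are
# set on it; otherwise print the finding and return 1.
mode_clean() {
    path=$1 mask=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    mode=$(stat -c %a "$path")
    # The leading 0 makes the shell parse both values as octal.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "BAD      $path is mode $mode (must not have any of $mask)"
        return 1
    fi
    echo "OK       $path is mode $mode"
}

# audit_ssh_dir DIR
# DIR is a user's ~/.ssh (or a copy of it). Return 0 if clean, 1 otherwise.
audit_ssh_dir() {
    dir=$1 findings=0
    # sshd ignores authorized_keys entirely if the file or the directory is
    # group- or world-writable ("bad ownership or modes" in the sshd log).
    mode_clean "$dir" 022 || findings=$((findings + 1))
    mode_clean "$dir/authorized_keys" 022 || findings=$((findings + 1))
    # The client side refuses a private key readable by group or others.
    for key in "$dir"/id_rsa "$dir"/id_ed25519 "$dir"/id_ecdsa; do
        [ -e "$key" ] || continue
        mode_clean "$key" 077 || findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# key_types FILE
# Print "type count" lines for an authorized_keys file, sorted by type.
# A leading options field such as from="10.0.0.0/8" is skipped; options
# containing spaces (command="ls -l") are not handled by this simple split.
key_types() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            t = $1
            if (t !~ /^(ssh-|ecdsa-|sk-)/) t = $2
            count[t]++
        }
        END { for (t in count) print t, count[t] }
    ' "$1" | sort
}

# new_ed25519_key DIR COMMENT
# The actual switch the answers recommend: generate an Ed25519 key pair;
# -a 64 raises the KDF rounds protecting the passphrase. Append the printed
# .pub line to authorized_keys on each server before removing the RSA entry.
new_ed25519_key() {
    ssh-keygen -t ed25519 -a 64 -f "$1/id_ed25519" -C "$2"
}

# demo: build a scratch directory with a group-writable .ssh (a constructed
# example of the mistake) and show the audit catching it.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 770 "$tmp/.ssh"
    printf 'ssh-rsa AAAAB3_fake_rsa_blob laptop\nssh-ed25519 AAAAC3_fake_ed_blob yubikey\n' \
        > "$tmp/.ssh/authorized_keys"
    chmod 600 "$tmp/.ssh/authorized_keys"
    audit_ssh_dir "$tmp/.ssh" || echo "fix with: chmod 700 $tmp/.ssh"
    key_types "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
    key_types "$1/authorized_keys"
else
    demo
fi
```

Run it with no arguments to see the demo, or with `~/.ssh` as the argument to audit a real account. The masks mirror what OpenSSH actually checks: sshd only cares that nothing in the path is group- or world-writable (022), while the client insists that a private key is unreadable by anyone else (077), so a 644 private key and a 770 directory are the two findings you will see most often.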