The SSH KeyGen Security Option You Probably Aren't Using

Everyone knows how to generate a new SSH key:

ssh-keygen -t ed25519

(you really should be using ed25519 if your environment supports it).

What most people don't realize is that a single additional option makes a passphrase-protected private key far more robust against brute forcing should an unauthorized party get hold of the key file.

That option is the -a <NUMBER> option. It tells ssh-keygen how many key derivation function (KDF) rounds to use when encrypting the private key under its passphrase. E.g.:

ssh-keygen -a 100 -t ed25519

Loosely, think of this as the number of times the passphrase is run through the key derivation function before the result is used to encrypt the private key.

The same number of rounds has to be performed to decrypt the private key every time you use it. This increases the CPU work needed per decryption, and since every guessed passphrase must pay that same cost, it radically slows down brute-forcing attempts.
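As an added example (not code from the original post), the following Python script reads the cipher, KDF name and round count straight out of an OpenSSH-format private key file, which is the quickest way to confirm what -a value a key was actually written with. The file layout (the openssh-key-v1 magic, then cipher name, KDF name and KDF options, where the bcrypt options are a salt followed by a uint32 round count) is the real OpenSSH format; build_sample_key is only there to construct a dummy blob so the example runs offline, its key material is placeholder bytes and not a usable key, and the 100-round threshold in assess mirrors the -a 100 example above and is an assumption about what you consider acceptable. A key whose KDF is "none" is unencrypted, so no round count protects it; when you omit -a, ssh-keygen's default is 16 rounds.

```python
import base64
import struct

# Constructed sample values for the dummy key blob below (not from any real key).
SAMPLE_SALT = bytes(range(16))
SAMPLE_ROUNDS = 100

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, pos):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def parse_openssh_kdf(pem_text):
    """Return (cipher, kdf, rounds) from an OpenSSH-format private key.

    Header layout: magic, string cipher, string kdfname, string kdfoptions.
    For kdf "bcrypt" the options are: string salt, uint32 rounds.
    Unencrypted keys carry cipher "none", kdf "none" and empty options.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("bad magic")
    pos = len(AUTH_MAGIC)
    cipher, pos = _read_string(blob, pos)
    kdf, pos = _read_string(blob, pos)
    kdfopts, pos = _read_string(blob, pos)
    rounds = 0
    if kdf == b"bcrypt":
        _salt, opos = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[opos:opos + 4])
    return cipher.decode(), kdf.decode(), rounds


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_key(rounds, encrypted=True):
    """Construct a minimal openssh-key-v1 blob with the given KDF rounds.

    Only the header fields matter for the check; the public and private
    sections are zero-filled placeholders, NOT a usable key.
    """
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _ssh_string(SAMPLE_SALT) + struct.pack(">I", rounds)
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    blob = (AUTH_MAGIC
            + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1)           # number of keys
            + _ssh_string(b"\x00" * 51)      # placeholder public key
            + _ssh_string(b"\x00" * 160))    # placeholder private section
    body = base64.b64encode(blob).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"


def assess(pem_text, minimum_rounds=100):
    """Classify a key as 'unencrypted', 'weak-kdf' (below minimum) or 'ok'."""
    _cipher, kdf, rounds = parse_openssh_kdf(pem_text)
    if kdf == "none":
        return "unencrypted"
    if rounds < minimum_rounds:
        return "weak-kdf"
    return "ok"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = build_sample_key(SAMPLE_ROUNDS)
    print(parse_openssh_kdf(text), assess(text))
```

Run it with a path to inspect a real key (python3 kdf_rounds.py ~/.ssh/id_ed25519); with no argument it inspects the constructed sample. Older PEM-format keys (BEGIN RSA PRIVATE KEY and friends) are rejected because they use a different format with no configurable KDF rounds, which is itself worth knowing about a key you still rely on.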

It also slows down using the key.

How much it slows things down is a function of the number of rounds you specify: the higher the number, the slower it is.

You should experiment on your local system to find a number that is comfortable for you. On my local system 200 rounds takes around 2 seconds to add the key to my SSH agent.

As I usually only do this once per day, when I add my private key to my ssh-agent, it is not onerous at all.