SSH-keygen vs OpenSSL
Posted on August 17, 2025 by Bernie Pruss
SSH Key Generation: ssh-keygen vs OpenSSL
When it comes to generating SSH keys, developers and system administrators have multiple tools at their disposal. The two most common approaches are using ssh-keygen (the standard SSH utility) and openssl (the Swiss Army knife of cryptography). While both can generate keys suitable for SSH authentication, they have distinct characteristics, use cases, and security implications.
This guide will help you understand when to use each tool and how to generate secure SSH keys with both approaches.
Overview: ssh-keygen vs OpenSSL
ssh-keygen: The Specialist
- Purpose-built for SSH key generation
- Opinionated defaults optimized for SSH use cases
- Native SSH format support (OpenSSH format)
- Integrated workflow with SSH ecosystem
OpenSSL: The Generalist
- Multi-purpose cryptographic toolkit
- Fine-grained control over key parameters
- Multiple output formats (PEM, DER, PKCS#8, etc.)
- Broader cryptographic capabilities
Key Generation Methods
Using ssh-keygen
The standard approach for SSH key generation:
# Generate RSA key (traditional, widely compatible)
ssh-keygen -t rsa -b 4096 -C "user@example.com"
# Generate Ed25519 key (modern, recommended)
ssh-keygen -t ed25519 -C "user@example.com"
# Generate ECDSA key (alternative modern option)
ssh-keygen -t ecdsa -b 521 -C "user@example.com"
# Specific filename and empty passphrase (-N ""): the private key is stored unencrypted,
# so reserve this form for automation and restrict the key on the server side
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_github -N "" -C "github-deploy-key"
Using OpenSSL
With OpenSSL the process takes two steps: openssl produces the private key (genpkey writes PKCS#8 PEM by default, so no extra flag is needed for that), and ssh-keygen -y is still required to derive the public key, because OpenSSL cannot emit the one-line format that OpenSSH and authorized_keys expect:
# Step 1: Generate private key (-aes-256-cbc encrypts the PKCS#8 file and prompts for a passphrase)
openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pkeyopt rsa_keygen_bits:4096
# Step 2: Extract public key in SSH format (ssh-keygen reads the PEM and asks for its passphrase)
ssh-keygen -y -f private_key.pem > public_key.pub
# Alternative: Generate Ed25519 key. Reading Ed25519 keys in PKCS#8 form needs a
# reasonably recent OpenSSH; if ssh-keygen -y rejects the file, generate the key with ssh-keygen instead
openssl genpkey -algorithm Ed25519 -out ed25519_key.pem
ssh-keygen -y -f ed25519_key.pem > ed25519_key.pub
# Generate ECDSA key
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out ecdsa_key.pem
ssh-keygen -y -f ecdsa_key.pem > ecdsa_key.pub
Security Considerations
Algorithm Strength Comparison
| Algorithm | Key Size | Security Level | Performance | Compatibility |
|---|---|---|---|---|
| Ed25519 | 256-bit | Excellent | Excellent | Modern systems (OpenSSH 6.5 and later) |
| ECDSA P-521 | 521-bit | Excellent | Very Good | Most systems |
| RSA | 4096-bit | Very Good | Good | Universal |
| ECDSA P-256 | 256-bit | Good | Very Good | Most systems |
Key size is not comparable across families: Ed25519 and ECDSA P-256 both give roughly 128 bits of classical security, P-521 roughly 256, and RSA-4096 somewhat above 128. Ed25519 ranks above P-256 in the table not because of a larger margin but because its signatures use deterministic nonces, so a weak random number generator at signing time cannot leak the private key the way it can with ECDSA, and because constant-time implementations are simpler to get right.
Recommended Security Practices
For Maximum Security (Ed25519)
# ssh-keygen approach (recommended). -a 100 sets the KDF rounds that protect the
# passphrase on disk, so it only helps if you actually set a passphrase
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519_secure -C "secure-key-$(date +%Y%m%d)"
# OpenSSL approach: encrypt the PKCS#8 file as well, otherwise the key sits on disk in the clear.
# openssl creates the file with your umask (typically 0644), so the chmod is not optional
openssl genpkey -algorithm Ed25519 -out ~/.ssh/id_ed25519_openssl.pem -aes-256-cbc
chmod 600 ~/.ssh/id_ed25519_openssl.pem
ssh-keygen -y -f ~/.ssh/id_ed25519_openssl.pem > ~/.ssh/id_ed25519_openssl.pub
For Maximum Compatibility (RSA)
# ssh-keygen approach
ssh-keygen -t rsa -b 4096 -a 100 -f ~/.ssh/id_rsa_compat -C "compat-key-$(date +%Y%m%d)"
# OpenSSL approach (genpkey writes PKCS#8 by default; -aes-256-cbc encrypts it)
openssl genpkey -algorithm RSA -out ~/.ssh/id_rsa_openssl.pem \
-aes-256-cbc -pkeyopt rsa_keygen_bits:4096
chmod 600 ~/.ssh/id_rsa_openssl.pem
ssh-keygen -y -f ~/.ssh/id_rsa_openssl.pem > ~/.ssh/id_rsa_openssl.pub
Format Differences and Compatibility
ssh-keygen Output Formats
# Private key (OpenSSH format)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn
...
-----END OPENSSH PRIVATE KEY-----
# Public key (SSH format)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user@example.com
OpenSSL Output Formats
# Private key (PKCS#8 format; an unencrypted key uses BEGIN PRIVATE KEY instead)
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI...
-----END ENCRYPTED PRIVATE KEY-----
# Public key (after ssh-keygen conversion). Note that openssl pkey -pubout emits a
# BEGIN PUBLIC KEY (SubjectPublicKeyInfo) PEM instead, which sshd and authorized_keys do not accept
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
Converting Between Formats
# Convert an OpenSSL (PKCS#8 PEM) private key to OpenSSH's native format.
# -p rewrites the file in place (back it up first), prompts for the old passphrase
# and a new one, and since OpenSSH 7.8 writes the OpenSSH format by default.
# ssh-keygen -m only accepts RFC4716, PKCS8 and PEM, so there is no "-m OpenSSH"
ssh-keygen -p -f openssl_key.pem
# Convert an OpenSSH private key to PKCS#8 (also in place). This applies to RSA and
# ECDSA keys; ssh-keygen always stores Ed25519 private keys in its own format
ssh-keygen -p -m PKCS8 -f openssh_key
# Extract the public key from any private key format ssh-keygen can read
ssh-keygen -y -f private_key > public_key.pub
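The OpenSSH public-key line is nothing more than base64 over the RFC 4251 wire encoding (a length-prefixed type string followed by the key material), which is why ssh-keygen -y is the tool that produces it and why the SubjectPublicKeyInfo PEM from openssl pkey -pubout is not interchangeable with it. The Python below is an added illustration, not code from the original post or from OpenSSH or OpenSSL: it parses that line, computes the SHA256 fingerprint that ssh-keygen -l prints, and converts an Ed25519 public key between the OpenSSH line and the SPKI PEM using only the standard library. The 32-byte key value and the comment are constructed placeholders, not a real key.

```python
"""Inspect and convert OpenSSH public keys with the Python standard library only."""
import base64
import hashlib
import struct

# RFC 8410 SubjectPublicKeyInfo prefix for Ed25519: SEQUENCE { AlgorithmIdentifier
# { OID 1.3.101.112 }, BIT STRING (0 unused bits + 32-byte key) }. This is what
# `openssl pkey -pubout` wraps around the raw key.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def _read_string(buf: bytes, pos: int):
    """Read one RFC 4251 'string' (uint32 length + bytes) from buf at pos."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def _write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def parse_openssh_public_line(line: str):
    """Split '<type> <base64> [comment]' and check the type inside the blob matches."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_string(blob, 0)
    if embedded_type != key_type.encode():
        raise ValueError(f"type prefix {key_type!r} does not match blob {embedded_type!r}")
    return key_type, blob, comment


def sha256_fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -l -E sha256` prints: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def openssh_to_spki_pem(line: str) -> str:
    """Turn an 'ssh-ed25519 ...' line into the BEGIN PUBLIC KEY PEM OpenSSL uses."""
    key_type, blob, _ = parse_openssh_public_line(line)
    if key_type != "ssh-ed25519":
        raise ValueError("only Ed25519 is handled here")
    _, pos = _read_string(blob, 0)
    raw, pos = _read_string(blob, pos)
    if len(raw) != 32 or pos != len(blob):
        raise ValueError("malformed ssh-ed25519 blob")
    b64 = base64.b64encode(ED25519_SPKI_PREFIX + raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def spki_pem_to_openssh(pem: str, comment: str = "") -> str:
    """Inverse direction: Ed25519 SubjectPublicKeyInfo PEM -> OpenSSH public key line."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    der = base64.b64decode("".join(body), validate=True)
    if not der.startswith(ED25519_SPKI_PREFIX) or len(der) != len(ED25519_SPKI_PREFIX) + 32:
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    raw = der[len(ED25519_SPKI_PREFIX):]
    blob = _write_string(b"ssh-ed25519") + _write_string(raw)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed sample: 32 arbitrary bytes standing in for a real Ed25519 public key.
SAMPLE_RAW = bytes(range(32))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(ED25519_SPKI_PREFIX + SAMPLE_RAW).decode()
              + "\n-----END PUBLIC KEY-----\n")
SAMPLE_LINE = spki_pem_to_openssh(SAMPLE_PEM, "user@example.com")

if __name__ == "__main__":
    key_type, blob, comment = parse_openssh_public_line(SAMPLE_LINE)
    print(SAMPLE_LINE)
    print(key_type, sha256_fingerprint(blob), comment)
    print(openssh_to_spki_pem(SAMPLE_LINE), end="")
```

Every ssh-ed25519 line starts with the same `AAAAC3NzaC1lZDI1NTE5AAAAI` because that is the base64 of the fixed type string and the 32-byte length prefix; the key material only begins after it. The type check in parse_openssh_public_line is worth keeping in any tooling that accepts keys from users, since the prefix word and the encoded type can be edited independently.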
Use Case Scenarios
When to Use ssh-keygen
Recommended for:
- Standard SSH authentication setup
- Git repository access (GitHub, GitLab, etc.)
- Server-to-server authentication
- Developer workstation setup
- Automated deployment scripts
Example: GitHub SSH key setup
# Generate key specifically for GitHub
ssh-keygen -t ed25519 -f ~/.ssh/github_key -C "github-access-$(whoami)"
# Add to SSH config
cat >> ~/.ssh/config << EOF
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_key
IdentitiesOnly yes
EOF
# Add public key to GitHub (copy output to GitHub settings)
cat ~/.ssh/github_key.pub
When to Use OpenSSL
Recommended for:
- Integration with PKI infrastructure
- Certificate-based authentication systems
- Custom cryptographic applications
- Cross-platform compatibility requirements
- When you need specific key formats (PKCS#8, PKCS#12)
Example: Enterprise PKI integration
# Generate key compatible with enterprise PKI (genpkey emits PKCS#8; -aes-256-cbc encrypts it)
openssl genpkey -algorithm RSA -out employee_key.pem \
-aes-256-cbc -pkeyopt rsa_keygen_bits:4096
# Generate an X.509 certificate signing request for the PKI CA
openssl req -new -key employee_key.pem -out employee_csr.pem \
-subj "/C=US/ST=State/L=City/O=Company/CN=employee.company.com"
# Convert for SSH use. The same key pair serves both worlds, but OpenSSH does not
# consume X.509 certificates: an SSH certificate is a separate object that an SSH CA
# issues with ssh-keygen -s
ssh-keygen -y -f employee_key.pem > employee_key.pub
Performance Comparison
Key Generation Speed
# Benchmark key generation (run multiple times)
time ssh-keygen -t ed25519 -f /tmp/test_ed25519 -N ""
time openssl genpkey -algorithm Ed25519 -out /tmp/test_openssl_ed25519.pem
# Clean up
rm /tmp/test_*
Typical Results:
- Ed25519: ssh-keygen (~0.1s), OpenSSL (~0.1s)
- RSA 4096: ssh-keygen (~2s), OpenSSL (~3s)
- ECDSA P-521: ssh-keygen (~0.2s), OpenSSL (~0.3s)
Best Practices Summary
For Most Users (Recommended)
# Modern, secure, fast
ssh-keygen -t ed25519 -a 100 -C "$(whoami)@$(hostname)-$(date +%Y%m%d)"
For Enterprise Environments
# RSA for compatibility, strong encryption
ssh-keygen -t rsa -b 4096 -a 100 -C "enterprise-key-$(date +%Y%m%d)"
For Automated Systems
# No passphrase, specific filename. The private key is unencrypted on disk, so keep the
# file readable only by the service account and restrict what the key may do on the
# server side (from= and command= options in authorized_keys)
ssh-keygen -t ed25519 -f /opt/app/.ssh/deploy_key -N "" -C "deploy-$(hostname)"
Security Checklist
- ✅ Use Ed25519 for new keys (or RSA 4096+ for compatibility); retire ssh-dss and RSA keys under 2048 bits
- ✅ Always use strong passphrases for interactive keys
- ✅ Use unique keys for different services/purposes
- ✅ Restrict passphrase-less automation keys in authorized_keys (from=, command=, no-port-forwarding)
- ✅ Regularly rotate keys (annually for high-security environments), and remove the old public key from every authorized_keys file when you do
- ✅ Store private keys with appropriate permissions (600, inside a 700 ~/.ssh directory)
- ✅ Use SSH agent for passphrase management
- ✅ Monitor key usage and disable unused keys
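Several checklist items (strong algorithms, unique keys, restricting or disabling over-privileged keys) can be checked mechanically on the server side by reading authorized_keys, where every accepted key is listed in the same one-line format ssh-keygen -y produces. The Python below is an added example, not code from the original post or from OpenSSH: it parses each entry, including quoted command="..." options that contain spaces, reads the key type and the RSA modulus size out of the key blob, and flags deprecated or undersized keys, duplicate entries, and keys that look like automation keys but carry no from=/command= restriction. The sample file, the 3072-bit RSA threshold, and the convention that automation keys carry "deploy" or "ci-" in their comment are assumptions made for the example.

```python
"""Audit authorized_keys entries against the checklist above (stdlib only)."""
import base64
import struct
from collections import Counter

MIN_RSA_BITS = 3072                    # assumption: flag anything weaker than this
DEPRECATED_TYPES = {"ssh-dss"}
RESTRICTIONS = ("command=", "from=")
AUTOMATION_HINTS = ("deploy", "ci-")   # assumed comment convention for automation keys


def _read_string(buf: bytes, pos: int):
    """RFC 4251 string: uint32 length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _split_outside_quotes(line: str):
    """Whitespace split that keeps command="... with spaces" as a single token."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        quoted ^= (ch == '"')
        if ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens + (["".join(cur)] if cur else [])


def _is_key_type(tok: str) -> bool:
    return tok.startswith(("ssh-", "ecdsa-sha2-", "sk-"))


def parse_authorized_keys_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_outside_quotes(line)
    options = ""
    if not _is_key_type(tokens[0]):            # leading token is the options field
        options, tokens = tokens[0], tokens[1:]
    if len(tokens) < 2 or not _is_key_type(tokens[0]):
        raise ValueError(f"no key type found in: {line[:40]!r}")
    blob = base64.b64decode(tokens[1], validate=True)
    return options, tokens[0], blob, " ".join(tokens[2:])


def rsa_modulus_bits(blob: bytes) -> int:
    """ssh-rsa blob layout: string 'ssh-rsa', mpint e, mpint n."""
    _, pos = _read_string(blob, 0)
    _, pos = _read_string(blob, pos)
    n, _ = _read_string(blob, pos)
    return int.from_bytes(n, "big").bit_length()


def audit_authorized_keys(text: str):
    """One finding dict per key entry; 'issues' is empty when the entry looks fine."""
    findings, seen = [], Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(raw)
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        issues = []
        if _read_string(blob, 0)[0] != key_type.encode():
            issues.append("type prefix does not match key blob")
        if key_type in DEPRECATED_TYPES:
            issues.append("deprecated algorithm")
        if key_type == "ssh-rsa" and rsa_modulus_bits(blob) < MIN_RSA_BITS:
            issues.append(f"RSA modulus only {rsa_modulus_bits(blob)} bits")
        restricted = any(r in options for r in RESTRICTIONS)
        if not restricted and any(h in comment.lower() for h in AUTOMATION_HINTS):
            issues.append("automation key without from=/command= restriction")
        seen[blob] += 1
        if seen[blob] > 1:
            issues.append("duplicate of an earlier entry")
        findings.append({"line": lineno, "type": key_type, "comment": comment,
                         "restricted": restricted, "issues": issues})
    return findings


# Constructed sample file: the blobs below are synthetic, not real key material.
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(v: int) -> bytes:               # extra leading byte keeps the sign bit clear
    return _s(v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

_ED = _s(b"ssh-ed25519") + _s(bytes(range(32)))
_RSA2048 = _s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 0x10001)
_RSA4096 = _s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 4095) | 0x10001)
_DSS = _s(b"ssh-dss") + _mpint(12345)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_b64(_ED)} alice@laptop",
    f"ssh-rsa {_b64(_RSA2048)} bob@old-workstation",
    f'command="/usr/local/bin/deploy.sh web",from="10.0.0.0/8" ssh-rsa {_b64(_RSA4096)} deploy-web01',
    f"ssh-ed25519 {_b64(_ED)} deploy-web02",    # unrestricted automation key, duplicate blob
    f"ssh-dss {_b64(_DSS)} legacy@appliance",
])
```

Run it as `python3 audit.py` after adding a loop that prints audit_authorized_keys(open("/home/app/.ssh/authorized_keys").read()); on the constructed sample it reports the 2048-bit RSA key, the unrestricted duplicate deploy key, and the ssh-dss entry, and passes the restricted 4096-bit deploy key. The size check reads the modulus from the blob rather than trusting the comment, since comments are free text and frequently wrong.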
Conclusion
Both ssh-keygen and OpenSSL are capable tools for SSH key generation, but they serve different purposes:
- Choose ssh-keygen for straightforward SSH authentication needs. It’s optimized for SSH use cases, has sensible defaults, and integrates seamlessly with the SSH ecosystem.
- Choose OpenSSL when you need fine-grained control over key parameters, specific output formats, or integration with broader PKI infrastructure.
For most developers and system administrators, ssh-keygen with Ed25519 keys provides the best balance of security, performance, and compatibility. Reserve OpenSSL for specialized use cases where its additional flexibility is required.
The most important factor isn’t which tool you choose, but that you follow security best practices: use strong algorithms, protect private keys with appropriate permissions and passphrases, and maintain good key hygiene through regular rotation and monitoring.