
Ed25519 vs RSA: which SSH key should you use? (2026)

Ed25519 vs RSA SSH keys compared: Ed25519 is the modern default — fast and secure at a small size; use RSA 4096 only for legacy systems. How to generate the right key, including from a phone.

Chen Chen · Founder · June 11, 2026 · 5 min read

Ed25519 vs RSA: the short answer

Use Ed25519 for your SSH keys. It's modern, fast, and secure at a tiny size, and it's the recommended default on every current system. Reach for RSA (at 3072 or 4096 bits) only when you have to talk to an old server or device that doesn't support Ed25519 yet. Both are secure when used correctly; Ed25519 is simply the better default in 2026.

Side by side

| | Ed25519 | RSA |
|---|---|---|
| Type | Elliptic curve (EdDSA) | Integer factorization |
| Recommended size | Fixed (256-bit curve) | 3072 or 4096 bits |
| Key size on disk | Tiny (~68-char public key) | Large |
| Speed | Very fast | Slower, especially at 4096 |
| Compatibility | All modern systems | Universal, incl. very old |
| Recommendation | ✅ Default choice | Fallback for legacy |

Why Ed25519 is the default

  • Strong at a small size. A 256-bit Ed25519 key gives security comparable to a 3072-bit RSA key, with a fraction of the size.
  • Fast. Signing and verifying are quick, which is noticeable on lower-powered devices.
  • Hard to misconfigure. There's effectively one right way to make one. RSA has a size choice (and a 1024-bit RSA key is now too weak), which is one more way to get it wrong.
  • Modern default. OpenSSH and every current OS support and recommend it.

When to still use RSA

RSA's one advantage is universal compatibility. If you manage an old appliance, a legacy network device, or a server stuck on an ancient OpenSSH, it may not accept Ed25519 — and then RSA is the answer. If you do use RSA, use 4096 bits (or at least 3072); never generate a 1024-bit RSA key today. ECDSA is a third option, but most people pick Ed25519 over it for SSH.
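An added example, not from the original article: a Python check that reads OpenSSH public-key lines (the `.pub` format `type base64 comment`), pulls the RSA modulus size out of the key blob, and grades each key against the sizes recommended above. The verdict labels, the treatment of anything below 2048 bits as weak, and the sample lines are assumptions constructed for illustration.

```python
import base64
import struct

def _read_field(buf, off):
    """Read one length-prefixed field (uint32 length, then the bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify(line):
    """Return (key_type, bits, verdict) for one 'type base64 [comment]' line."""
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_field(blob, 0)
    if ktype.decode("ascii", "replace") != label:
        raise ValueError("type label does not match key blob")
    if label == "ssh-ed25519":
        key, _ = _read_field(blob, off)
        if len(key) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        return label, 256, "ok"
    if label == "ssh-rsa":
        _, off = _read_field(blob, off)          # public exponent e
        n, _ = _read_field(blob, off)            # modulus n
        bits = int.from_bytes(n, "big").bit_length()
        if bits >= 3072:
            return label, bits, "ok-legacy"      # page: 3072 or 4096 for legacy
        if bits >= 2048:
            return label, bits, "borderline"     # page: RSA 2048 is borderline
        return label, bits, "weak"               # assumption: below 2048 = weak
    return label, None, "review"                 # e.g. ECDSA: not graded here

# --- constructed sample lines: correct structure, not usable keys ---
def _sample(ktype, *parts):
    fields = (ktype.encode(),) + parts
    blob = b"".join(struct.pack(">I", len(p)) + p for p in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed-sample"

def _modulus(bits):
    # Top bit set, with the leading zero byte the encoding adds for that case.
    return ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")

E = (65537).to_bytes(3, "big")
SAMPLES = [_sample("ssh-ed25519", bytes(32))] + [
    _sample("ssh-rsa", E, _modulus(b)) for b in (4096, 2048, 1024)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
```

Lines that carry an options field before the key type (as `authorized_keys` entries can) are outside what this sketch parses.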

Generating the right key

On a desktop, Ed25519 is one command:

ssh-keygen -t ed25519 -C "your label"

# only if a server can't do Ed25519:
ssh-keygen -t rsa -b 4096 -C "your label"

On a phone you don't need the command at all — a good client generates the key for you. TermAI creates an Ed25519 key by default, stores the private half in the device keychain, and can deploy the public key to a server in one tap. See how to create SSH keys on iPhone.

Figure: A connection in TermAI using key authentication. TermAI generates an Ed25519 key by default and keeps the private key on the device — the modern, recommended choice with nothing to configure.

FAQ

Is Ed25519 more secure than RSA?
At recommended sizes both are secure. Ed25519 gives strong security at a much smaller size and is the modern default; RSA needs 3072–4096 bits to match it.

Should I use Ed25519 or RSA 4096?
Ed25519, unless a specific old server can't accept it — then RSA 4096.

Is RSA 2048 still safe?
It's borderline; prefer 3072 or 4096 for new RSA keys. Better yet, use Ed25519. Never use 1024-bit RSA.

What key does TermAI create?
Ed25519 by default, stored on the device, with one-tap deploy of the public key to your server.

Quick Facts

  • Default: Ed25519 — modern, fast, secure at a small size
  • Fallback: RSA 4096 (or 3072) for legacy systems only; never 1024-bit
  • Command: ssh-keygen -t ed25519
  • On a phone: clients like TermAI generate Ed25519 for you, keys stay on-device