Tutorials
Better SSH keys for gitlab and other git repositories
RSA still works, but there are safer and more modern options you should consider for SSH keys, especially for GitLab.
Recommended (Best Practice Today)
Ed25519 (most secure & efficient)
This is the preferred option unless you must support very old systems.
ssh-keygen -t ed25519 -f ~/.ssh/second-account -C "user-2@example.com"
Why Ed25519?
- Strong modern cryptography
- Much smaller keys
- Faster authentication
- Resistant to many implementation pitfalls
- Fully supported by GitLab, OpenSSH, and modern OSes
This should be your default choice in 2025.
If Ed25519 Is Not Available
RSA with a stronger key
If you must use RSA (e.g. legacy systems, older hardware security modules):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/second-account -C "user-2@example.com"
Notes:
- 4096 bits is the current safe minimum
- Slower and larger than Ed25519
- Avoid RSA keys smaller than 3072 bits
Advanced / High-Security Options
FIDO2 / Hardware-backed keys (best for security-conscious users)
If you have a YubiKey or similar device:
ssh-keygen -t ed25519-sk -f ~/.ssh/second-account -C "user-2@example.com"
or
ssh-keygen -t ecdsa-sk -f ~/.ssh/second-account -C "user-2@example.com"
Benefits:
- Private key never leaves hardware
- Phishing-resistant
- Strong protection against key theft
Requires:
- FIDO2-compatible hardware
- OpenSSH ≥ 8.2
- GitLab supports this ✔
What to Avoid
| Algorithm | Why |
|---|---|
dsa |
Broken / deprecated |
ecdsa |
OK but trickier and less robust than Ed25519 |
rsa -b 2048 |
Increasingly discouraged |
Recommended Setup for Multiple GitLab Accounts
Since you’re a DevOps engineer and already managing multiple accounts, pair this with an SSH config:
Host gitlab-second
HostName gitlab.com
User git
IdentityFile ~/.ssh/second-account
IdentitiesOnly yes
Then use:
git clone git@gitlab-second:group/repo.git
TL;DR (What should you use?)
- Best:
ed25519 - Best + hardware:
ed25519-sk - Fallback:
rsa -b 4096