Creating FIDO2 SSH Keys

Secure your SSH keys with a FIDO2 security key

Featured image for Creating FIDO2 SSH Keys

If you're on macOS, you'll first need to upgrade OpenSSH, which I've detailed in a separate article.

Plug in your security key, then generate a ed25519-sk or ecdsa-sk public key. The -sk stands for "security key". If your YubiKey is running firmware version 5.2.3 or newer, use the ed25519-sk key type. Otherwise, use the ecdsa-sk key type.

Additionally, choose whether you want to use the security key as a resident key, or a non-resident key. A resident key stores the private key on the security key, which may not be supported by all security keys and may also be limited in capacity (the YubiKey 5 series is limited to 25 resident keys — source). A resident key can also reduce the security of your SSH key if the security key is stolen. Ensure you have a good PIN set. A non-resident key requires you to send the key to the hosts you would like to authenticate to.

To generate a non-resident key, use one of the following:

ssh-keygen -t ed25519-sk -f ~/.ssh/ed25519_sk
ssh-keygen -t ecdsa-sk -f ~/.ssh/ecdsa_sk

To generate a resident key, use one of the following:

ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/ed25519_sk
ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/ecdsa_sk

The -f parameter tells ssh-keygen to store the key in a specific place.

If you generated a non-resident key, use ssh-copy-id to transfer the key to the host you would like to access:

ssh-copy-id -i ~/.ssh/key-name user@host


To connect to one of your hosts after sending your SSH key over, use ssh with the -i option.

ssh -i ~/.ssh/key-name user@host

You should see a message like the following:


Click the button on your security key. Then, you should see "User presence confirmed", at which point you should be logged in.


If you have any questions or need any help, feel free to contact me on Twitter or Mastodon.

If you have any improvements to any of my articles or notes, please submit a pull request.

Thank you for reading!