These seem to be the current best options, thoughts?
ssh-keygen -t ed25519 -o -a 100 # Higher security
ssh-keygen -t rsa -b 4096 -o -a 100 # Higher compatibility
Current ssh-keygen defaults for -t, -b, -a: -t rsa -b 3072 -a 100
-o isn’t in the man page; it ensures the private key is using the new OpenSSH format, though that’s probably for older versions of ssh-keygen, likewise with -a 100.
-a (better description): The number of KDF (Key Derivation Function) rounds. Higher numbers result in slower passphrase verification, increasing the resistance to brute-force password cracking should the private key be stolen.
Resources:
encryption - What are ssh-keygen best practices? - Information Security Stack Exchange
encryption - What's the difference between id_rsa.pub and id_dsa.pub? - Stack Overflow
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Upgrade Your SSH Key to Ed25519. If you’re a DevOps engineer or a web… | by Risan Bagja | Code | Medium