dropbearkey
Create Dropbear SSH private keys
TLDR
Generate an SSH key of [t]ype ed25519 and write it to key [f]ile
Generate an SSH key of [t]ype ecdsa and write it to key [f]ile
Generate an SSH key of [t]ype RSA with 4096-bit key [s]ize and write it to key [f]ile
Print the fingerprint and public key of an existing key [f]ile (no key is generated)
SYNOPSIS
dropbearkey -t <type> -f <filename> [-s <bits>] [-C <comment>]
dropbearkey -y -f <filename>
PARAMETERS
-t <type>
Specifies the type of key to generate: rsa, ecdsa or ed25519 (dss, i.e. DSA, is accepted only by older releases; recent Dropbear versions have removed it). Ed25519 is recommended for new keys: it is fast, its keys are small, and its signatures are deterministic, so it does not depend on a fresh random nonce for every signature the way DSA and ECDSA do.
-f <filename>
Path of the private key file to write. The dropbear server's default host key paths are /etc/dropbear/dropbear_rsa_host_key, /etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key; for a client key, ~/.ssh/id_dropbear is the file dbclient looks for by default.
-s <bits>
Key size in bits. RSA accepts any multiple of 8 from 1024 upward; 2048 or 4096 are the practical choices, and dropbearkey -h shows the default for your build. ECDSA accepts exactly 256, 384 or 521, which selects the NIST curve. DSS keys are fixed at 1024 bits and Ed25519 keys at 256 bits, so -s does not apply to either; pass no size for them.
-y
Generates nothing: reads the existing private key named by -f and prints its public key (one line in the format used by authorized_keys files) and its fingerprint to standard output. Without -y, dropbearkey prints the same two items right after writing a newly generated key, so the public key never needs to be recovered separately unless the original output was lost.
-C <comment>
Sets the comment (typically user@host) stored with the public key, as ssh-keygen -C does. Present in recent Dropbear releases; older builds print the key without a comment.
Note that dropbearkey has no -F or other force/confirm flag. Do not rely on it to refuse to write to an existing file at the -f path: check for an existing key yourself before running it. (The dropbear server's own -R option is the mode that creates a host key only when one is missing.)
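The size rules and the missing overwrite guard above are easy to get wrong from a provisioning script, so here is an added wrapper (example code, not part of Dropbear) that validates -t/-s before calling dropbearkey and refuses to clobber a key that already exists. The size rules it encodes and the DRY_RUN switch are assumptions of this example; dropbearkey itself is only executed when DRY_RUN is unset.

```shell
#!/bin/sh
# Added example, not part of Dropbear: validate type/size and refuse to
# overwrite before handing off to dropbearkey.

# valid_key_size TYPE [BITS]: 0 if the combination is acceptable, 1 otherwise.
# Assumed rules: RSA needs a multiple of 8, at least 1024; ECDSA one of
# 256/384/521; DSS is fixed at 1024 (and gone from recent releases);
# ed25519 takes no -s, so a size is rejected here instead of passed through.
valid_key_size() {
    ktype=$1; bits=$2
    if [ -n "$bits" ]; then
        case "$bits" in *[!0-9]*) return 1 ;; esac     # digits only
    fi
    case "$ktype" in
        rsa)     [ -z "$bits" ] || { [ "$bits" -ge 1024 ] && [ $((bits % 8)) -eq 0 ]; } ;;
        ecdsa)   [ -z "$bits" ] || { case "$bits" in 256|384|521) true ;; *) false ;; esac; } ;;
        dss)     [ -z "$bits" ] || [ "$bits" = 1024 ] ;;
        ed25519) [ -z "$bits" ] ;;
        *)       return 1 ;;
    esac
}

# safe_dropbearkey TYPE PATH [BITS]: generate PATH with mode 0600 unless it
# already exists. Returns 2 on a bad size, 3 if PATH exists. With DRY_RUN=1
# (an assumption of this example) it prints the command instead of running it.
safe_dropbearkey() {
    ktype=$1; path=$2; bits=$3
    valid_key_size "$ktype" "$bits" || { echo "bad -s '$bits' for $ktype" >&2; return 2; }
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key $path" >&2
        return 3
    fi
    set -- dropbearkey -t "$ktype" -f "$path"
    if [ -n "$bits" ]; then set -- "$@" -s "$bits"; fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi
    # umask 077 so the private key is never group/world readable, even briefly
    (umask 077 && exec "$@")
}

# Typical host-key provisioning call; with DRY_RUN=1 this only prints the command.
safe_dropbearkey ed25519 /etc/dropbear/dropbear_ed25519_host_key || true
```

Run it as root on the target device; a second run returns 3 and leaves the existing host key (and therefore the identity clients have already pinned) untouched.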
DESCRIPTION
dropbearkey is a utility bundled with the Dropbear SSH server and client suite, designed for generating cryptographic key pairs. These key pairs consist of a private key and a public key, which are fundamental for secure communication in SSH. The primary purpose of dropbearkey is to create host keys for the Dropbear SSH server (dropbear) to identify itself to clients, and user keys for clients (dbclient) to authenticate themselves to servers.
It supports RSA, ECDSA and Ed25519 (and DSS, i.e. DSA, on older releases). Private keys are written in Dropbear's own compact format rather than OpenSSH's; the dropbearconvert tool shipped with Dropbear converts between the two (dropbearconvert openssh dropbear <in> <out>, and the reverse). Public keys are printed in the OpenSSH one-line format, so they drop straight into ~/.ssh/authorized_keys or a known_hosts entry.
dropbearkey is particularly valuable in embedded systems, routers, and low-resource environments where the full OpenSSH suite might be too large or resource-intensive. It provides the essential key management capabilities needed for Dropbear to function securely.
CAVEATS
Private keys generated by dropbearkey are in Dropbear's own format and cannot be read by OpenSSH directly; use dropbearconvert (shipped with Dropbear) if a key must move between the two implementations, and remember that the public key is already printed in OpenSSH format. As with any private key, the file must be protected with restrictive permissions: 0600 for user keys, and 0600 owned by root for host keys, since the dropbear server runs as root and nothing else needs to read them. Note also that dropbearkey prints the fingerprint alongside the public key; record it at generation time so clients have something to compare against on first connection.
KEY TYPES AND RECOMMENDATIONS
When generating keys, selecting the appropriate type matters. DSS (DSA) is limited to 1024-bit keys, is widely disabled on the client side, and has been dropped from recent Dropbear releases; do not generate new DSS keys. RSA remains widely supported but needs large keys (4096 bits is the common choice today) and correspondingly slow signing on small CPUs. ECDSA gives comparable security with much smaller keys and faster operations, but, like DSA, its signatures require a fresh, unpredictable nonce for every signature, and a repeated or biased nonce leaks the private key. Ed25519 keeps the small-key, fast-signing advantages and uses deterministic signatures, removing that nonce failure mode entirely, which is why it is the preferred choice for new keys where the peers support it.
USING THE PUBLIC KEY
After generating a private key (e.g. ~/.ssh/id_dropbear), dropbearkey -y -f <private_key_file> prints the matching public key to stdout as a single authorized_keys-style line, followed by a Fingerprint: line. No .pub file is written automatically, so redirect the output if you want one on disk. The public key line is used in two places:
- For host keys: clients record it in ~/.ssh/known_hosts as "<hostname> <key type> <base64 key>" (dbclient and ssh both read that file) and compare the fingerprint shown on first connection against the one dropbearkey printed.
- For user keys: the line goes into ~/.ssh/authorized_keys on the server so the holder of the private key can authenticate without a password; options such as no-pty or command="..." can be prefixed to the line to restrict what the key may do.
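The two uses above are both just reformattings of what dropbearkey -y prints, which is easy to script. Here is an added example (not part of Dropbear) that turns that output into a known_hosts entry, an optionally restricted authorized_keys entry, and the fingerprint to compare on first connection. The sample output it works on is constructed for the example, with made-up key material and fingerprint, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of Dropbear: turn `dropbearkey -y` output into the
# one-line formats that dropbear/sshd (authorized_keys) and dbclient/ssh
# (known_hosts) consume.

# Constructed sample of what `dropbearkey -y -f /etc/dropbear/dropbear_ed25519_host_key`
# prints; the key material and fingerprint below are made up for this example.
SAMPLE_Y_OUTPUT='Public key portion is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000000 root@router
Fingerprint: SHA256:ExampleFingerprintNotRealxxxxxxxxxxxxxxxxxxxxxxxx'

# Print "<type> <base64>" (comment dropped) from -y output read on stdin.
# The key is the first line after the "Public key portion is:" banner.
pubkey_line() {
    awk '
        /^Public key portion is:/ { grab = 1; next }
        grab { print $1, $2; exit }
    '
}

# authorized_keys_entry Y_OUTPUT [OPTIONS]: authorized_keys line, with an
# optional restriction prefix such as no-pty,no-port-forwarding or command="...".
authorized_keys_entry() {
    key=$(printf '%s\n' "$1" | pubkey_line)
    [ -n "$key" ] || return 1
    if [ -n "$2" ]; then
        printf '%s %s\n' "$2" "$key"
    else
        printf '%s\n' "$key"
    fi
}

# known_hosts_entry HOST Y_OUTPUT: "<host> <type> <base64>".
# Use "[host]:port" as HOST for a server on a non-standard port.
known_hosts_entry() {
    key=$(printf '%s\n' "$2" | pubkey_line)
    [ -n "$key" ] || return 1
    printf '%s %s\n' "$1" "$key"
}

# fingerprint Y_OUTPUT: the fingerprint as dropbearkey printed it, for comparing
# against what dbclient/ssh shows when the host is first contacted.
fingerprint() {
    printf '%s\n' "$1" | awk '/^Fingerprint:/ { sub(/^Fingerprint: */, ""); print; exit }'
}

# Usage on real output would be:  out=$(dropbearkey -y -f ~/.ssh/id_dropbear)
known_hosts_entry router.lan "$SAMPLE_Y_OUTPUT"
authorized_keys_entry "$SAMPLE_Y_OUTPUT" 'no-pty,no-port-forwarding'
fingerprint "$SAMPLE_Y_OUTPUT"
```

Pin a host by appending the known_hosts_entry line to ~/.ssh/known_hosts on the client before the first connection, so the client never has to accept an unverified key interactively.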
HISTORY
Dropbear was created by Matt Johnston in 2003 as a lightweight SSH server and client, specifically targeting embedded systems and environments with limited resources. dropbearkey has been an integral part of the Dropbear suite from its early development, providing the necessary functionality to generate host and user keys. Over time, it has evolved to support newer, more secure cryptographic algorithms like ECDSA and Ed25519, aligning with advancements in cryptography and security best practices while maintaining its minimal footprint.
SEE ALSO
dropbear(8), dbclient(1), ssh-keygen(1), ssh(1)