Merge pull request #277064 from vamckMS/linux-ed25519-update-vakavuru

Jill Grant · web-flow · commit 7294ca0b8599 · 2024-06-05T12:30:57.000-06:00
update-linux-docs-ed25519
diff --git a/articles/virtual-machines/linux-vm-connect.md b/articles/virtual-machines/linux-vm-connect.md
@@ -16,6 +16,9 @@ When hosting a Linux virtual machine on Azure, the most common method for access
 
 This document describes how to connect, via SSH, to a VM that has a public IP. If you need to connect to a VM without a public IP, see [Azure Bastion Service](../bastion/bastion-overview.md).
 
+> [!Note]
+> ED25519 SSH key support for Linux VMs is now in preview in all regions including sovereign clouds. However, Azure portal support for ED25519 is limited to Azure public cloud regions only.
+
 ## Prerequisites
 
 - You need an SSH key pair. If you don't already have one, Azure creates a key pair during the deployment process. If you need help with creating one manually, see [Create and use an SSH public-private key pair for Linux VMs in Azure](./linux/mac-create-ssh-keys.md).
@@ -61,7 +64,7 @@ If you're having trouble connecting, you can also use portal:
 Once the above prerequisites are met, you're ready to connect to your VM. Open your SSH client of choice. The SSH client command is typically included in Linux, macOS, and Windows. If you're using Windows 7 or older, where Win32 OpenSSH isn't included by default, consider installing [WSL](/windows/wsl/about) or using [Azure Cloud Shell](../cloud-shell/overview.md) from the browser.
 
 > [!NOTE]
-> The following examples assume the SSH key is in the key.pem format. If you used CLI or Azure PowerShell to download your keys, they may be in the id_rsa format.
+> The following examples assume the SSH key is in the key.pem format. If you used CLI or Azure PowerShell to download your keys, they may be in the id_rsa or ED25519 format.
 
 ## [WSL, macOS, or native Linux client](#tab/Linux)
 
diff --git a/articles/virtual-machines/linux/create-ssh-keys-detailed.md b/articles/virtual-machines/linux/create-ssh-keys-detailed.md
@@ -17,10 +17,13 @@ ms.custom: GGAL-freshness822, linux-related-content
 
 With a secure shell (SSH) key pair, you can create a Linux virtual machine that uses SSH keys for authentication. This article shows you how to create and use an SSH RSA public-private key file pair for SSH client connections.
 
-If you want quick commands rather than a more in-depth explaination of SSH keys, see [How to create an SSH public-private key pair for Linux VMs in Azure](mac-create-ssh-keys.md).
+If you want quick commands rather than a more in-depth explanation of SSH keys, see [How to create an SSH public-private key pair for Linux VMs in Azure](mac-create-ssh-keys.md).
 
 To create SSH keys and use them to connect to a Linux VM from a **Windows** computer, see [How to use SSH keys with Windows on Azure](ssh-from-windows.md). You can also use the [Azure portal](../ssh-keys-portal.md) to create and manage SSH keys for creating VMs in the portal.
 
+> [!Note]
+> ED25519 SSH key support for Linux VMs is now in preview in all regions including sovereign clouds. However, Azure portal support for ED25519 is limited to Azure public cloud regions only.
+
 [!INCLUDE [virtual-machines-common-ssh-overview](../../../includes/virtual-machines-common-ssh-overview.md)]
 
 [!INCLUDE [virtual-machines-common-ssh-support](../../../includes/virtual-machines-common-ssh-support.md)]
@@ -48,6 +51,12 @@ The following `ssh-keygen` command generates 4096-bit SSH RSA public and private
 ssh-keygen -m PEM -t rsa -b 4096
 ```
 
+The following `ssh-keygen` command generates 256-bit ED25519 public and private key files by default in the `~/.ssh` directory. If an existing SSH key pair is found in the current location, those files are overwritten.
+
+```bash
+ssh-keygen -m PEM -t ed25519
+```
+
 ### Detailed example
 The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten. 
 
@@ -57,10 +66,19 @@ ssh-keygen \
     -t rsa \
     -b 4096 \
     -C "azureuser@myserver" \
-    -f ~/.ssh/mykeys/myprivatekey \
+    -f ~/.ssh/mykeys/myrsaprivatekey \
     -N mypassphrase
 ```
+The following example shows additional command options to create an SSH ED25519 key pair. If an SSH key pair exists in the current location, those files are overwritten. 
 
+```bash
+ssh-keygen \
+    -m PEM \
+    -t ed25519 \
+    -C "azureuser@myserver" \
+    -f ~/.ssh/mykeys/myedprivatekey \
+    -N mypassphrase
+```
 **Command explained**
 
 `ssh-keygen` = the program used to create the keys
@@ -77,7 +95,7 @@ ssh-keygen \
 
 `-N mypassphrase` = an additional passphrase used to access the private key file. 
 
-### Example of ssh-keygen
+### Example of ssh-keygen (RSA)
 
 ```bash
 ssh-keygen -t rsa -m PEM -b 4096 -C "azureuser@myserver"
@@ -102,23 +120,61 @@ The key's randomart image is:
 |           ..    |
 +----[SHA256]-----+
 ```
+### Example of ssh-keygen (ED25519)
+
+```bash
+ssh-keygen -t ed25519 -m PEM -C "azureuser@myserver"
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/azureuser/.ssh/id_rsa):
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/azureuser/.ssh/id_ed25519.
+Your public key has been saved in /home/azureuser/.ssh/id_ed25519.pub.
+The key fingerprint is:
+SHA256:vFfHHrpSGQBd/oNdvNiX0sG9Vh+wROlZBktNZw9AUjA azureuser@myserver
+The key's randomart image is:
++---[ED25519 256]----+
+|                 |
+|..  .            |
+|o+.o       .     |
+|*=o o   o + +    |
+|*+o+   oSB + o   |
+|**++o.+oo = .    |
+|=+*..*.o E       |
+|..  o o..        |
+|     .o.         |
++----[SHA256]-----+
+```
 
 #### Saved key files
 
 `Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa`
 
-The key pair name for this article. Having a key pair named `id_rsa` is the default; some tools might expect the `id_rsa` private key file name, so having one is a good idea. The directory `~/.ssh/` is the default location for SSH key pairs and the SSH config file. If not specified with a full path, `ssh-keygen` creates the keys in the current working directory, not the default `~/.ssh`.
+or 
+
+`Enter file in which to save the key (/home/azureuser/.ssh/id_ed25519): ~/.ssh/id_ed25519`
+
+
+The default key pair names for RSA and ED25519 are `id_rsa` and `id_ed25519` respectively; some tools might expect the `id_rsa` or `id_ed25519` private key file name, so having one is a good idea. The directory `~/.ssh/` is the default location for SSH key pairs and the SSH config file. If not specified with a full path, `ssh-keygen` creates the keys in the current working directory, not the default `~/.ssh`.
 
 #### List of the `~/.ssh` directory
 
 To view existing files in the `~/.ssh` directory, run the following command. If no files are found in the directory or the directory itself is missing, make sure that all previous commands were successfully run. You may require root access to modify files in this directory on certain Linux distributions.
 
+RSA Key pair:
 ```bash
 ls -al ~/.ssh
 -rw------- 1 azureuser staff  1675 Aug 25 18:04 id_rsa
 -rw-r--r-- 1 azureuser staff   410 Aug 25 18:04 id_rsa.pub
 ```
 
+ED25519 Key pair:
+```bash
+ls -al ~/.ssh
+-rw------- 1 azureuser staff  1675 Aug 25 18:04 id_ed25519
+-rw-r--r-- 1 azureuser staff   410 Aug 25 18:04 id_ed25519.pub
+```
+
 #### Key passphrase
 
 `Enter passphrase (empty for no passphrase):`
@@ -129,12 +185,16 @@ It is *strongly* recommended to add a passphrase to your private key. Without a
 
 If you use the [Azure CLI](/cli/azure) to create your VM, you can optionally generate both public and private SSH key files by running the [az vm create](/cli/azure/vm) command with the `--generate-ssh-keys` option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location, such as with some pre-configured Compute Gallery images.
 
+> [!NOTE]
+> [az sshkey create](/cli/azure/sshkey#az-sshkey-create) command deafults to RSA encryption and cannot be use to generate ED25519 key pairs, however you can create a ED25519 key pair using ssh-keygen as described above and then use that public key to create a VM.
+
 ## Provide SSH public key when deploying a VM
 
 To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the [Azure CLI](/cli/azure) to create your VM with an existing public key, specify the value or location of this public key by running the [az vm create](/cli/azure/vm) command with the `--ssh-key-value` option. 
 
 If you're not familiar with the format of an SSH public key, you can see your public key by running `cat` as follows, replacing `~/.ssh/id_rsa.pub` with your own public key file location:
 
+### RSA key pair
 ```bash
 cat ~/.ssh/id_rsa.pub
 ```
@@ -149,7 +209,7 @@ If you copy and paste the contents of the public key file into the Azure portal
 
 If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a 'pem' container from the public key you previously created.
 
-To create a RFC4716 formatted key from an existing SSH public key:
+To create an RFC4716 formatted key from an existing SSH public key:
 
 ```bash
 ssh-keygen \
@@ -158,6 +218,30 @@ ssh-keygen \
 -m RFC4716 > ~/.ssh/id_ssh2.pem
 ```
 
+### ED25519 key pair
+```bash
+cat ~/.ssh/id_ed25519.pub
+```
+
+Output is similar to the following (redacted example below):
+
+```
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6I5JuhGq3RidMNpxrplIQwEfc4Rh7UyV8JYYH2U2xA azureuser@myserver
+```
+
+If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, `~/.ssh/id_ed25519.pub`) to **pbcopy** to copy the contents (there are other Linux programs that do the same thing, such as `xclip`).
+
+If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a 'pem' container from the public key you previously created.
+
+To create a PEM formatted key from an existing SSH public key:
+
+```bash
+ssh-keygen \
+-f ~/.ssh/id_ed25519.pub \
+-e \
+-m RFC4716 > ~/.ssh/id_edssh.pem
+```
+
 ## SSH to your VM with an SSH client
 With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace *azureuser* and *myvm.westus.cloudapp.azure.com* in the following command with the administrator user name and the fully qualified domain name (or IP address):
 
@@ -184,6 +268,11 @@ Now add the private key to `ssh-agent` using the command `ssh-add`.
 ```bash
 ssh-add ~/.ssh/id_rsa
 ```
+or
+
+```bash
+ssh-add ~/.ssh/id_ed25519
+```
 
 The private key passphrase is now stored in `ssh-agent`.
 
diff --git a/articles/virtual-machines/linux/mac-create-ssh-keys.md b/articles/virtual-machines/linux/mac-create-ssh-keys.md
@@ -28,14 +28,23 @@ For additional ways to generate and use SSH keys on a Windows computer, see [How
 
 [!INCLUDE [virtual-machines-common-ssh-support](../../../includes/virtual-machines-common-ssh-support.md)]
 
+> [!Note]
+> ED25519 SSH key support for Linux VMs is now in preview in all regions including sovereign clouds. However, Azure portal support for ED25519 is limited to Azure public cloud regions only.
+
 ## Create an SSH key pair
 
 Use the `ssh-keygen` command to generate SSH public and private key files. By default, these files are created in the ~/.ssh directory. You can specify a different location, and an optional password (*passphrase*) to access the private key file. If an SSH key pair with the same name exists in the given location, those files are overwritten.
 
 The following command creates an SSH key pair using RSA encryption and a bit length of 4096:
 
 ```bash
-ssh-keygen -m PEM -t rsa -b 4096
+ssh-keygen -m PEM -t rsa -b 4096 -f ~/.ssh/id_rsa.pem
+```
+
+The following command creates an SSH key pair using ED25519 encryption with a fixed length of 256 bits:
+
+```bash
+ssh-keygen -m PEM -t ed25519 -f ~/.ssh/id_ed25519.pem
 ```
 
 > [!NOTE]
@@ -47,6 +56,9 @@ If you use the [Azure CLI](/cli/azure) to create your VM with the [az vm create]
 az vm create --name VMname --resource-group RGname --image Ubuntu2204 --generate-ssh-keys
 ```
 
+> [!NOTE]
+> [az sshkey create](/cli/azure/sshkey#az-sshkey-create) command deafults to RSA encryption and cannot be use to generate ED25519 key pairs, however you can create a ED25519 key pair using ssh-keygen as described above and then use that public key to create a VM.
+
 ## Provide an SSH public key when deploying a VM
 
 To create a Linux VM that uses SSH keys for authentication, specify your SSH public key when creating the VM using the Azure portal, Azure CLI, Azure Resource Manager templates, or other methods:
@@ -57,19 +69,28 @@ To create a Linux VM that uses SSH keys for authentication, specify your SSH pub
 
 If you're not familiar with the format of an SSH public key, you can display your public key with the following `cat` command, replacing `~/.ssh/id_rsa.pub` with the path and filename of your own public key file if needed:
 
+### RSA key pair
 ```bash
 cat ~/.ssh/id_rsa.pub
 ```
-
-A typical public key value looks like this example:
+A typical RSA public key value looks like this example:
 
 ```output
 ssh-rsa AAAAB3NzaC1yc2EAABADAQABAAACAQC1/KanayNr+Q7ogR5mKnGpKWRBQU7F3Jjhn7utdf7Z2iUFykaYx+MInSnT3XdnBRS8KhC0IP8ptbngIaNOWd6zM8hB6UrcRTlTpwk/SuGMw1Vb40xlEFphBkVEUgBolOoANIEXriAMvlDMZsgvnMFiQ12tD/u14cxy1WNEMAftey/vX3Fgp2vEq4zHXEliY/sFZLJUJzcRUI0MOfHXAuCjg/qyqqbIuTDFyfg8k0JTtyGFEMQhbXKcuP2yGx1uw0ice62LRzr8w0mszftXyMik1PnshRXbmE2xgINYg5xo/ra3mq2imwtOKJpfdtFoMiKhJmSNHBSkK7vFTeYgg0v2cQ2+vL38lcIFX4Oh+QCzvNF/AXoDVlQtVtSqfQxRVG79Zqio5p12gHFktlfV7reCBvVIhyxc2LlYUkrq4DHzkxNY5c9OGSHXSle9YsO3F1J5ip18f6gPq4xFmo6dVoJodZm9N0YMKCkZ4k1qJDESsJBk2ujDPmQQeMjJX3FnDXYYB182ZCGQzXfzlPDC29cWVgDZEXNHuYrOLmJTmYtLZ4WkdUhLLlt5XsdoKWqlWpbegyYtGZgeZNRtOOdN6ybOPJqmYFd2qRtb4sYPniGJDOGhx4VodXAjT09omhQJpE6wlZbRWDvKC55R2d/CSPHJscEiuudb+1SG2uA/oik/WQ== username@domainname
 ```
+### ED25519 key pair
+```bash
+cat ~/.ssh/id_ed25519.pub
+```
+A typical ED25519 public key value looks like this example:
+
+```output
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRjWGWLeiUQ3U9fNnCsNpXIyACpD/Jbm09OZGsz3DIM username@domainname
+```
 
 If you copy and paste the contents of the public key file to use in the Azure portal or a Resource Manager template, make sure you don't copy any trailing whitespace. To copy a public key in macOS, you can pipe the public key file to `pbcopy`. Similarly in Linux, you can pipe the public key file to programs such as `xclip`.
 
-The public key that you place on your Linux VM in Azure is by default stored in ~/.ssh/id_rsa.pub, unless you specified a different location when you created the key pair. To use the [Azure CLI 2.0](/cli/azure) to create your VM with an existing public key, specify the value and optionally the location of this public key using the [az vm create](/cli/azure/vm#az-vm-create) command with the `--ssh-key-values` option. In the following command, replace *myVM*, *myResourceGroup*, *UbuntuLTS*, *azureuser*, and *mysshkey.pub* with your own values:
+The public key that you place on your Linux VM in Azure is by default stored under ``~/.ssh/`` directory, unless you specified a different location when you created the key pair. To use the [Azure CLI 2.0](/cli/azure) to create your VM with an existing public key, specify the value and optionally the location of this public key using the [az vm create](/cli/azure/vm#az-vm-create) command with the `--ssh-key-values` option. In the following command, replace *myVM*, *myResourceGroup*, *UbuntuLTS*, *azureuser*, and *mysshkey.pub* with your own values:
 
 ```azurecli-interactive
 az vm create \
diff --git a/articles/virtual-machines/linux/ssh-from-windows.md b/articles/virtual-machines/linux/ssh-from-windows.md
@@ -20,6 +20,9 @@ This article is for Windows users who want to [create](#create-an-ssh-key-pair)
 
 To use SSH keys from a Linux or macOS client, see the [quick steps](mac-create-ssh-keys.md). For a more detailed overview of SSH, see [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](create-ssh-keys-detailed.md).
 
+> [!Note]
+> ED25519 SSH key support for Linux VMs is now in preview in all regions including sovereign clouds. However, Azure portal support for ED25519 is limited to Azure public cloud regions only.
+
 ## Overview of SSH and keys
 
 [SSH](https://www.ssh.com/ssh/) is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as *SSH keys*.
@@ -38,6 +41,9 @@ Your public key can be shared with anyone, but only you (or your local security
 
 [!INCLUDE [virtual-machines-common-ssh-support](../../../includes/virtual-machines-common-ssh-support.md)]
 
+> [!NOTE]
+> During preview, ED25519 keys can only be used with Linux VMs.
+
 ## SSH clients
 
 Recent versions of Windows 10 include [OpenSSH client commands](https://blogs.msdn.microsoft.com/commandline/2018/03/07/windows10v1803/) to create and use SSH keys and make SSH connections from PowerShell or a command prompt.
@@ -52,7 +58,7 @@ The easiest way to create and manage your SSH keys is to [use the portal to crea
 
 You can also create key pairs with the [Azure CLI](/cli/azure) with the [az sshkey create](/cli/azure/sshkey#az-sshkey-create) command, as described in [Generate and store SSH keys](../ssh-keys-azure-cli.md).
 
-To create an SSH key pair on your local computer using the `ssh-keygen` command from PowerShell or a command prompt, type the following command:
+To create an SSH key pair on your local computer using the `ssh-keygen` command from PowerShell or a command prompt, use the following command:
 
 ```powershell
 ssh-keygen -m PEM -t rsa -b 2048
diff --git a/articles/virtual-machines/media/ssh-keys/portal-ed25519-key.png b/articles/virtual-machines/media/ssh-keys/portal-ed25519-key.png
diff --git a/articles/virtual-machines/ssh-keys-azure-cli.md b/articles/virtual-machines/ssh-keys-azure-cli.md
@@ -22,6 +22,9 @@ For more information, see [Detailed steps: Create and manage SSH keys for authen
 
 For more information on how to create and use SSH keys with Linux VMs, see [Use SSH keys to connect to Linux VMs](./linux/ssh-from-windows.md).
 
+> [!Note]
+> ED25519 SSH key support for Linux VMs is now in preview in all regions including sovereign clouds. However, Azure portal support for ED25519 is limited to Azure public cloud regions only.
+
 ## Generate new keys
 
 1. After you sign in, use the [az sshkey create](/cli/azure/sshkey#az-sshkey-create) command to create the new SSH key:
diff --git a/articles/virtual-machines/ssh-keys-portal.md b/articles/virtual-machines/ssh-keys-portal.md
@@ -25,6 +25,9 @@ You can reuse your stored keys in various of applications to fit your organizati
 
 For more detailed information about creating and using SSH keys with Linux VMs, see [Use SSH keys to connect to Linux VMs](./linux/ssh-from-windows.md).
 
+> [!Note]
+> ED25519 SSH key support for Linux VMs is now in preview in all regions including sovereign clouds. However, Azure portal support for ED25519 is limited to Azure public cloud regions only.
+
 ## Generate new keys
 
 1. Open the [Azure portal](https://portal.azure.com).
@@ -33,7 +36,7 @@ For more detailed information about creating and using SSH keys with Linux VMs,
 
 1. On the **SSH Key** page, select **Create**.
 
-   :::image type="content" source="./media/ssh-keys/portal-sshkey.png" alt-text="Create a new resource group and generate an SSH key pair":::
+   :::image type="content" source="./media/ssh-keys/portal-ed25519-key.png" alt-text="Create a new resource group and generate an SSH key pair":::
 
 1. In **Resource group** select **Create new** to create a new resource group to store your keys. Type a name for your resource group and select **OK**.
 
@@ -43,6 +46,8 @@ For more detailed information about creating and using SSH keys with Linux VMs,
 
 1. In **SSH public key source**, select **Generate public key source**. 
 
+1. In **SSH Key Type**, select either **RSA SSH Format** or **Ed25519 SSH Format** [Preview]
+
 1. When you're done, select **Review + create**.
 
 1. After it passes validation, select **Create**.
diff --git a/includes/virtual-machines-common-ssh-support.md b/includes/virtual-machines-common-ssh-support.md
