Support for FIDO2 SSH Keys
Launchpad now supports the FIDO2 hardware-backed SSH key types ed25519-sk and ecdsa-sk. These keys use a hardware device, such as a YubiKey or Nitrokey, to perform cryptographic operations and keep your private keys safely off your computer. They can be used anywhere Launchpad accepts SSH authentication, including git+ssh and SFTP PPA uploads.
To generate a new key, run:
ssh-keygen -t ed25519-sk -C "your@email.com"
or use ecdsa-sk for backwards compatibility. You will be asked to touch your security key during key creation, and OpenSSH will store the resulting files in ~/.ssh/. If you want to make your key resident, meaning it can be stored on the hardware device and later retrieved even if the original files are lost, use the -O resident option:
ssh-keygen -t ed25519-sk -O resident -C "your@email.com"
Resident keys are useful if you use multiple machines or if you want a portable login method tied directly to your hardware key. To register a new key on your Launchpad account, visit https://launchpad.net/~username/+editsshkeys.
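Before registering a key, you can confirm that the .pub file OpenSSH wrote really is one of the hardware-backed types and check its application string. The following is an added example, not Launchpad's or OpenSSH's own code: it parses a public key line using the layout described in OpenSSH's PROTOCOL.u2f document. The helper names are illustrative and the sample key it builds is constructed placeholder data.

```python
import base64
import struct

# Added example (helper names are illustrative). Layout per OpenSSH PROTOCOL.u2f.
SK_TYPES = {
    "sk-ssh-ed25519@openssh.com": "ed25519-sk",
    "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk",
}

def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def inspect_pubkey(line):
    """Return (short_type, application) for an sk key line, or None otherwise."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in SK_TYPES:
        return None  # e.g. ssh-ed25519 or ssh-rsa: not a security-key type
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, pos = read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != fields[0]:
        raise ValueError("type label does not match key blob")
    # ecdsa-sk carries a curve name and an EC point; ed25519-sk one public key.
    skip = 2 if fields[0].startswith("sk-ecdsa") else 1
    for _ in range(skip):
        _, pos = read_string(blob, pos)
    application, pos = read_string(blob, pos)  # "ssh:" unless overridden
    if pos != len(blob):
        raise ValueError("trailing data in key blob")
    return SK_TYPES[fields[0]], application.decode("utf-8")

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def make_sample_line():
    """Constructed sample: placeholder key bytes, not a real authenticator key."""
    blob = (ssh_string(b"sk-ssh-ed25519@openssh.com")
            + ssh_string(bytes(range(32)))
            + ssh_string(b"ssh:"))
    return "sk-ssh-ed25519@openssh.com %s your@email.com" % base64.b64encode(blob).decode()

if __name__ == "__main__":
    print(inspect_pubkey(make_sample_line()))
```

A result of None means the line is an ordinary software key, and a ValueError means the base64 blob does not match the type label in front of it.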
These new key types offer strong protection against key theft and phishing, but require a physical device each time you connect. It is recommended you keep a separate backup key if you use them regularly.
The introduction of security-key-backed SSH key types is the next step in making Launchpad even more secure. Let us know if you have any feedback!


