Ed25519 Key Generator & Signer

Generate Ed25519 keys and sign messages locally.

Runs in your browser

Understanding Ed25519

A signature scheme small enough to fit, fast enough to default.

Why Ed25519 replaced RSA for SSH and Git, what makes its 32-byte keys safe at ~128-bit security, and where it still doesn't fit.

An EdDSA over Curve25519.

Ed25519 is the Edwards-curve Digital Signature Algorithm applied to Daniel Bernstein's Curve25519. The curve was published in 2005, the signature scheme in 2011, and the combined Ed25519 became the default modern signature scheme in OpenSSH (2014), libsodium, WireGuard, Tor, signal-protocol, and most cryptocurrency wallets that aren't using secp256k1 for historical reasons.

32 bytes, 128-bit security.

Public key: 32 bytes. Private key: 32 bytes of seed (the actual scalar and prefix are derived). Signature: 64 bytes. Security level: ~128 bits, equivalent to a 3072-bit RSA key. The size compression is the headline story — an Ed25519 SSH public key fits on one terminal line, whereas an RSA-3072 key wraps several times. Wire formats that have to carry signatures (JWTs, certificates, blockchain transactions) save real bandwidth.

Deterministic signatures.

Unlike ECDSA, which requires a fresh random nonce per signature (a famous source of private-key leaks when implementations got it wrong — the PlayStation 3 hack), Ed25519 derives the nonce deterministically from a hash of the message and the private key. Same message, same key, always the same signature. No RNG dependency at sign time. That single property eliminates a whole category of implementation bugs.

A worked keygen.

Generate a 32-byte random seed; hash it with SHA-512 to derive the 32-byte scalar (with three bit-clamps for safety) and the 32-byte prefix. Compute the public key as scalar × G, where G is the curve base point. The 32 random bytes are all that need persisting; the rest is reproducible. OpenSSH stores keys in its own base64-encoded format: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...`, ~70 characters total.

Generate Ed25519 keypair: 32 random bytes → keypair.
Seed → SHA-512 → scalar × G.
32-byte private + 32-byte public; 64-byte signature.
Result: smallest mainstream signature scheme.
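The keygen steps above and the deterministic nonce from the previous section, written out as an added Python example (not this tool's code, which relies on the browser's `crypto.subtle`). It follows RFC 8032 using plain affine arithmetic, is not constant-time, and every function name in it is chosen here for illustration.

```python
import hashlib

# edwards25519 parameters from RFC 8032. Teaching code only: not constant-time.
P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
inv = lambda x: pow(x, P - 2, P)                     # modular inverse (Fermat)
D = -121665 * inv(121666) % P                        # curve constant d

def even_x(y):                                       # even root of the curve equation
    xx = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P          # fix up with sqrt(-1)
    return P - x if x & 1 else x

G = (even_x(4 * inv(5) % P), 4 * inv(5) % P)         # base point, y = 4/5

def add(a, b):                                       # complete Edwards addition law
    t = D * a[0] * b[0] * a[1] * b[1]
    return ((a[0] * b[1] + b[0] * a[1]) * inv(1 + t) % P,
            (a[1] * b[1] + a[0] * b[0]) * inv(1 - t) % P)

def mul(k, pt):                                      # double-and-add
    acc = (0, 1)                                     # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encode(pt):                                      # y, with the low bit of x in bit 255
    return (pt[1] | (pt[0] & 1) << 255).to_bytes(32, "little")

def h_int(*parts):                                   # SHA-512 as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def expand(seed):
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ~7 & ~(1 << 255)) | (1 << 254)  # 3 clamps
    return a, h[32:], encode(mul(a, G))              # scalar, prefix, public key

def sign(seed, msg):
    a, prefix, pub = expand(seed)
    r = h_int(prefix, msg) % L                       # nonce from prefix + message, no RNG
    R = encode(mul(r, G))
    return R + ((r + h_int(R, pub, msg) * a) % L).to_bytes(32, "little")

if __name__ == "__main__":
    seed, msg = bytes(range(32)), b"constructed sample message"  # constructed inputs
    print(expand(seed)[2].hex(), sign(seed, msg) == sign(seed, msg))
```

Only `seed` has to be stored: the scalar, the prefix, the public key and every nonce are recomputed from it.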

Where Ed25519 doesn't fit.

TLS certificates only got Ed25519 support in 2018 (OpenSSL 1.1.1, RFC 8410), and adoption is still patchy in CA-issued certificates. Smart cards and HSMs were ECDSA-only for years. Older FIPS 140-2 configurations forbid it. Some Active Directory and Windows infrastructure doesn't recognise Ed25519 SSH keys. For anything customer-facing, check the receiving end's support before defaulting.

X25519 is the sibling.

Ed25519 signs; X25519 does Diffie-Hellman key agreement. Same curve, different algorithm. WireGuard uses X25519 for its handshake, Signal uses it in its X3DH protocol, and in TLS 1.3 it is the most common key-exchange curve. The convergence on Curve25519 across signing and DH means a single primitive supports most of modern public-key crypto. When in doubt, the answer is "use the 25519 family".

Frequently asked questions

Quick answers.

Is it safe to generate keys in a browser?

Yes, this tool uses the `crypto.subtle` implementation provided by your browser to ensure cryptographically secure random number generation. The keys are processed entirely on your machine and are never sent to our servers.

What is the difference between the seed and the private key?

A seed is a 32-byte value used to derive the key pair, while the private key is the expanded 64-byte format used for signing. Both must be kept secret to maintain the security of your identity.

Can I use these keys for SSH or Git?

Yes, Ed25519 is widely supported by OpenSSH and Git providers like GitHub or GitLab. You may need to format the output into a specific `id_ed25519` file structure or use a conversion utility for compatibility.

How do I verify a signature?

To verify a signature, you need the original message, the signature hex string, and the sender's public key. If the signature matches these components, it proves the message was not altered and was signed by that specific key holder.
