SSH Keys
Echo supports SSH key authentication as an alternative to passwords. This is the recommended way to connect to your servers — it's both more secure and more convenient.
Supported key types
Echo supports the following key algorithms:
- Ed25519 — recommended, modern and fast
- ECDSA (P-256)
- RSA — works but has known compatibility issues (see below)
-----BEGIN OPENSSH PRIVATE KEY----- you're good to go. If your key is in a different PEM format, Echo will detect this when you paste it and show an error with a link to this page.
Importing a key
- Open Settings and go to Security then SSH Keys
- Tap Import Key
- Give your key a name (e.g. "MacBook" or "Work Server")
- Paste your private key text
- Optionally enable Require Face ID to protect this key with biometric authentication
- Tap Import
Once imported, the key will be available when adding or editing a server. Choose SSH Key as the authentication method and select your key.
When you paste a key, Echo automatically detects the key type. If the key is in an unsupported PEM format, you'll see an inline error and a dialog with a link to help you convert it.
Converting PEM keys to OpenSSH format
Echo only supports keys in OpenSSH format (starting with -----BEGIN OPENSSH PRIVATE KEY-----). Keys in older PEM formats are detected but cannot be imported directly. Echo recognises the following unsupported PEM formats:
- PKCS#1 RSA — -----BEGIN RSA PRIVATE KEY-----
- SEC1 EC — -----BEGIN EC PRIVATE KEY-----
- PKCS#8 — -----BEGIN PRIVATE KEY----- (RSA, ECDSA, or Ed25519 — Echo inspects the key data to determine the algorithm)
To convert any of these to OpenSSH format, run the following on your Mac or Linux machine:
ssh-keygen -p -N "" -f ~/.ssh/your_key
This modifies the key file in-place. Make a backup first if you want to keep the original.
After converting, the key file will start with -----BEGIN OPENSSH PRIVATE KEY----- and can be imported into Echo.
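As an added illustration (not Echo's own code), the Python sketch below classifies pasted key text by the PEM headers listed above and, for PKCS#8, reads the AlgorithmIdentifier OID to name the algorithm. The function names and the sample key, built from a dummy seed, are assumptions made for this example.

```python
import base64

# Added example, not Echo's implementation. PEM header -> format name.
HEADERS = {
    "-----BEGIN OPENSSH PRIVATE KEY-----": "openssh",
    "-----BEGIN RSA PRIVATE KEY-----": "pkcs1-rsa",
    "-----BEGIN EC PRIVATE KEY-----": "sec1-ec",
    "-----BEGIN PRIVATE KEY-----": "pkcs8",
}
# DER-encoded OID contents found in a PKCS#8 AlgorithmIdentifier.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",    # 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce3d0201"): "ECDSA",      # 1.2.840.10045.2.1
    bytes.fromhex("2b6570"): "Ed25519",            # 1.3.101.112
}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pkcs8_algorithm(der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, key }."""
    _, body, _ = read_tlv(der, 0)        # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)        # version INTEGER
    _, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)    # its first element is the OID
    return OIDS.get(oid, "unknown") if tag == 0x06 else "unknown"

def classify(pem_text):
    """Return (format, algorithm or None) for pasted private key text."""
    lines = [l.strip() for l in pem_text.strip().splitlines() if l.strip()]
    fmt = HEADERS.get(lines[0], "unknown") if lines else "unknown"
    if fmt != "pkcs8":
        return fmt, None
    try:
        return fmt, pkcs8_algorithm(base64.b64decode("".join(lines[1:-1])))
    except (ValueError, IndexError):     # bad base64 or truncated DER
        return fmt, "unknown"

def make_pkcs8(der):
    """Wrap DER bytes in a PKCS#8 PEM envelope (for constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"

# Constructed sample: fixed Ed25519 PKCS#8 prefix plus a dummy 32-byte seed.
SAMPLE_ED25519 = make_pkcs8(
    bytes.fromhex("302e020100300506032b657004220420") + bytes(range(32)))
```

Only a result of ("openssh", None) corresponds to text Echo can import directly; every other recognised format needs the ssh-keygen conversion first.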
RSA compatibility
While Echo supports RSA keys, they have known compatibility issues with some servers. If you experience connection failures when using an RSA key, Echo will show a warning recommending you switch to a different key type.
We recommend using Ed25519 keys instead. They are more widely compatible, faster, and more secure. To generate a new Ed25519 key:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
Then import the new key into Echo and update your server to use it. Don't forget to add the new public key to your server's ~/.ssh/authorized_keys file.
Passphrases
Echo currently supports importing unencrypted SSH keys. If your key has a passphrase, you'll need to remove it before importing:
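ssh-keygen -p -N "" -f ~/.ssh/your_key
This removes passphrase protection from the key file. Because the command rewrites the file in-place, run it on a copy if you want the original on your computer to keep its passphrase. Once imported, the key will instead be protected by the iOS Keychain and optionally Face ID.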
Biometric protection
When importing a key, you can enable Require Face ID (or Touch ID, depending on your device). This means every time Echo needs to use the key to connect, you'll need to authenticate with your face or fingerprint.
This is separate from the app-level biometric lock in Settings. You can use both together for extra security, or use either one independently.
Adding your key to a server
For SSH key authentication to work, the server needs to know about your key. Copy the public key and add it to the ~/.ssh/authorized_keys file on your server:
echo "your-public-key" >> ~/.ssh/authorized_keys
If authentication fails, Echo will show a dialog with a link to this page. Make sure the permissions are correct — ~/.ssh should be 700 and authorized_keys should be 600.
Connecting via Tailscale
If you're connecting to a server over Tailscale with a passwordless setup, Echo may still prompt you to enter a password. Leave the password field empty and tap Connect.
You may then be prompted to complete a second-step authorisation with Tailscale via a push notification. Complete the authorisation on your device, then try connecting again.
Managing keys
You can view and delete your imported keys from Settings → Security → SSH Keys. Deleting a key removes it from the Keychain. Any servers using that key will need to be updated with a different authentication method.