SSH Keys

Echo supports SSH key authentication as an alternative to passwords. This is the recommended way to connect to your servers — it's both more secure and more convenient.


Supported key types

Echo supports the following key algorithms:

  • Ed25519 — recommended, modern and fast
  • ECDSA (P-256, P-384, P-521)
  • RSA — works but has known compatibility issues (see below)

Supported key formats

Echo can import keys in the following formats:

  • OpenSSH -----BEGIN OPENSSH PRIVATE KEY-----
  • PKCS#8 -----BEGIN PRIVATE KEY----- (RSA, ECDSA, or Ed25519 — Echo inspects the key data to determine the algorithm)
  • PKCS#8 encrypted -----BEGIN ENCRYPTED PRIVATE KEY-----
  • SEC1 EC -----BEGIN EC PRIVATE KEY-----

The only PEM format that is not supported is PKCS#1 RSA (-----BEGIN RSA PRIVATE KEY-----). If you have a key in this format, you'll need to convert it:

Convert a PKCS#1 RSA key to OpenSSH format:
cp ~/.ssh/your_key ~/.ssh/your_key.bak
ssh-keygen -p -N "" -f ~/.ssh/your_key
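The first command backs up your original key. The second rewrites the key in place in OpenSSH format; -N "" sets an empty passphrase, so the converted file is stored unencrypted on disk.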

Importing a key

  1. Open Settings and go to Security then SSH Keys
  2. Tap Import Key
  3. Give your key a name (e.g. "MacBook" or "Work Server")
  4. Paste your private key text
  5. If the key is encrypted, Echo will detect this and show a passphrase field — enter your passphrase to decrypt the key
  6. Optionally enable Require Face ID to protect this key with biometric authentication
  7. Tap Import

Once imported, the key will be available when adding or editing a server. Choose SSH Key as the authentication method and select your key.

When you paste a key, Echo automatically detects the key type and format. If the key is in PKCS#1 RSA format, you'll see an inline error with instructions to convert it.


Passphrases

Echo supports importing encrypted SSH keys. When you paste an encrypted key, Echo detects the encryption and shows a passphrase field. Enter your passphrase to decrypt the key during import.

The following encrypted key formats are supported:

  • OpenSSH encrypted — keys encrypted with ssh-keygen (bcrypt KDF + AES-CTR/CBC)
  • PKCS#8 encrypted — keys starting with -----BEGIN ENCRYPTED PRIVATE KEY----- (PBKDF2 + AES-CBC)

If you enter the wrong passphrase, Echo will show an error message. Once successfully decrypted and imported, the key is stored securely in the iOS Keychain — you won't need to enter the passphrase again.

You can still optionally protect access to the key with Face ID or Touch ID for an extra layer of security on-device.
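
You can check the format and encryption state of a key yourself before pasting it. The sketch below is an added example, not Echo's own code: it reads only the cleartext PEM label and, for OpenSSH keys, the unencrypted container header, so it never needs the passphrase. The function names, the returned fields and the sample builder are assumptions of this example.

```python
import base64
# PEM label -> (format name as listed above, whether it can be imported as-is)
PEM_LABELS = {
    "OPENSSH PRIVATE KEY": ("OpenSSH", True),
    "PRIVATE KEY": ("PKCS#8", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 encrypted", True),
    "EC PRIVATE KEY": ("SEC1 EC", True),
    "RSA PRIVATE KEY": ("PKCS#1 RSA", False),  # convert with ssh-keygen first
}
MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:end], end

def classify_private_key(pem_text):
    """Report format, importability and encryption state without decrypting anything."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        raise ValueError("not a PEM private key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != f"-----END {label}-----" or label not in PEM_LABELS:
        raise ValueError("unknown or mismatched PEM label")
    fmt, supported = PEM_LABELS[label]
    info = {"format": fmt, "supported": supported, "encrypted": label == "ENCRYPTED PRIVATE KEY"}
    if label == "OPENSSH PRIVATE KEY":
        # The container header is cleartext even when the private part is encrypted.
        blob = base64.b64decode("".join(lines[1:-1]), validate=True)
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        _kdf_options, off = _read_string(blob, off)
        pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
        key_type, _ = _read_string(pub, 0)
        info.update(encrypted=cipher != b"none", cipher=cipher.decode(),
                    kdf=kdf.decode(), key_type=key_type.decode())
    return info

def constructed_openssh_key(cipher, kdf, key_type):
    """CONSTRUCTED sample: a well-formed container around dummy bytes, not a usable key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    blob = (MAGIC + s(cipher) + s(kdf) + s(b"") + (1).to_bytes(4, "big")
            + s(s(key_type) + s(bytes(32))) + s(bytes(64)))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run it on a machine you trust, against the key file itself; a result with supported set to False means the key is PKCS#1 RSA and has to be converted first.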

RSA compatibility

While Echo supports RSA keys, they have known compatibility issues with some servers. Modern OpenSSH servers (version 8.8 and later) disable SHA-1 RSA signatures by default, and Echo currently signs with ssh-rsa (SHA-1). This means connections may fail unless the server has been configured to re-enable SHA-1 RSA.

If you experience connection failures when using an RSA key, Echo will show a warning recommending you switch to a different key type.

We recommend using Ed25519 keys instead. They are more widely compatible, faster, and more secure. To generate a new Ed25519 key:

Generate a new Ed25519 key:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

Then import the new key into Echo and edit the server in Echo to use it. Don't forget to add the new public key to the ~/.ssh/authorized_keys file on the server itself.


Biometric protection

When importing a key, you can enable Require Face ID (or Touch ID, depending on your device). This means every time Echo needs to use the key to connect, you'll need to authenticate with your face or fingerprint.

This is separate from the app-level biometric lock in Settings. You can use both together for extra security, or use either one independently.


Adding your key to a server

For SSH key authentication to work, the server needs to know about your key. Copy the public key and add it to the ~/.ssh/authorized_keys file on your server:

Append your public key to the server:
echo "your-public-key" >> ~/.ssh/authorized_keys

If authentication fails, Echo will show a dialog with a link to this page. Make sure the permissions are correct — ~/.ssh should be 700 and authorized_keys should be 600.


Connecting via Tailscale

If you're connecting to a server over Tailscale with a passwordless setup, Echo may still prompt you to enter a password. Leave the password field empty and tap Connect.

You may then be prompted to complete a second-step authorisation with Tailscale via a push notification. Complete the authorisation on your device, then try connecting again.


Managing keys

You can view and delete your imported keys from Settings → Security → SSH Keys. Deleting a key removes it from the Keychain. Any servers using that key will need to be updated with a different authentication method.