vanity-keygen

Finds a vanity SSH ed25519 keypair. If you want your public key to contain something like pCaRR1er, run with:

$ go install github.com/pcarrier/[email protected]
$ ~/go/bin/vanity-keygen '[pP][cC][aA][rR][rR][iI1][eE][rR]'

and wait for the program to terminate, depending on your luck after tens of billions (1e10) of generations in this instance, fewer than a hundred millions (<1e8) for [Pp]ierre, and fewer than a million (<1e6) for love.

Use -threads N if you don’t want to saturate all cores.

On servers, tmux is your friend. C-b z to zoom for easy copy-paste.

Assuming you saved the private key in vanity, remember to set a passphrase with:

$ ssh-keygen -p -f vanity

Alternatively, use the comment (third) field in your .pub and authorized_keys. But where’s the fun in that?

Security

This is reminiscent of bitcoin mining. Finding a SHA-256 hash with a lot of zeroes through trial and error doesn’t make it any more prone to collisions. We are similarly using brute force to find a public key of a particular shape, which shouldn’t make the private key any more discoverable nor its security any weaker.

Do worry about a potential capture of the program’s output, and cleartext storage of the private key.

As such, don’t run this on a multi-user system for a personal keypair.

At the risk of repeating myself, do not use persistent storage that’s not encrypted or physically secured throughout its lifetime to buffer the program’s output or store the plaintext private key (however temporarily).

Of course, don’t blindly trust random strangers on the Internet. My chunk of the code, main.go, is tiny and should make for a quick read; go mod verify to ascertain vendor/ isn’t compromised, go mod graph to explore what’s there.

Not much else for me to say about your Go standard library, runtime, toolchain, OS, and hardware. Open is better. Security is hard.

Performance

According to perf top -g and Instruments.app, we’re spending the majority of the time in ed25519 arithmetic, so nothing else (use of system entropy, string manipulations, allocations, etc.) seems worth any effort.

GitHub

View Github