Introduction
The world of cryptography is on the verge of a seismic shift. With the rapid advancement of quantum computing, traditional cryptographic algorithms that secure our digital communications—like RSA, ECDSA, and Ed25519—face an existential threat. In July 2026, GitHub took a major step forward by announcing support for post-quantum security for SSH access. This move ensures that developers can protect their SSH keys and connections against future quantum attacks. In this expert article, we'll explore what post-quantum security means for SSH, how GitHub implements it, and how you can start using it today.
Why Post-Quantum Security Matters for SSH
SSH (Secure Shell) is the backbone of secure remote access to servers, repositories, and cloud infrastructure. It relies on public-key cryptography to authenticate users and establish encrypted tunnels. The most common SSH key types—RSA, ECDSA, and Ed25519—are vulnerable to attacks using Shor's algorithm, which can efficiently factor large integers and compute discrete logarithms on a sufficiently powerful quantum computer. While such a machine doesn't exist yet, the threat is real and approaching. GitHub's announcement addresses this by introducing support for the FIPS 205 standard, specifically the SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), which is resistant to quantum attacks.
GitHub's Post-Quantum SSH Implementation
According to the official announcement on the GitHub Engineering Blog Source, GitHub now supports the ssh-slh-dsa-sha2-256 algorithm for SSH authentication. This is based on the SLH-DSA scheme, which uses hash-based cryptography—a family of algorithms believed to be secure against quantum adversaries. The implementation is backward-compatible: existing RSA or Ed25519 keys continue to work, but you can now generate and use a post-quantum key for enhanced security.
Key Details from the Announcement
- Algorithm:
ssh-slh-dsa-sha2-256(based on SLH-DSA / FIPS 205) - Key type: Stateless hash-based signature (no need to track state between signatures)
- Availability: Available for SSH access to GitHub repositories as of July 2026
- Compatibility: Requires OpenSSH 9.9 or later (released in 2025) to generate and use these keys
How to Generate and Use a Post-Quantum SSH Key for GitHub
To take advantage of this new feature, you need to update your SSH client and generate a new key pair. Here's a step-by-step guide.
Step 1: Update OpenSSH
Ensure you have OpenSSH 9.9 or later installed. On most modern Linux distributions (like Ubuntu 24.04 LTS or Fedora 40), this is available. On macOS, you may need to install via Homebrew:
brew install openssh
On Windows, use the built-in OpenSSH client in Windows 11 (version 24H2 or later) or install via the optional features.
Check your version:
ssh -V
# Should output something like: OpenSSH_9.9p1, OpenSSL 3.2.0
Step 2: Generate a Post-Quantum SSH Key
Use the ssh-keygen command with the -t option set to slh-dsa-sha2-256:
ssh-keygen -t slh-dsa-sha2-256 -C "your_email@example.com"
You'll be prompted to choose a file path and passphrase. The generated key will be larger than traditional keys—approximately 1 KB for the public key and 4 KB for the private key (compared to ~400 bytes for Ed25519).
Step 3: Add the Public Key to GitHub
- Log in to your GitHub account.
- Go to Settings > SSH and GPG keys.
- Click New SSH key.
- Paste the contents of your public key file (e.g.,
~/.ssh/id_slh-dsa-sha2-256.pub). - Save the key.
Step 4: Configure SSH to Use the New Key
Edit your ~/.ssh/config file to specify the key for GitHub:
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/id_slh-dsa-sha2-256
Step 5: Test the Connection
ssh -T git@github.com
# Should output: Hi username! You've successfully authenticated, but GitHub does not provide shell access.
If you see the welcome message, you're now using a post-quantum SSH key.
Practical Considerations
Key Size and Performance
Post-quantum keys are significantly larger than traditional ones. For example:
| Key Type | Public Key Size | Private Key Size | Signature Size |
|---|---|---|---|
| RSA-4096 | ~500 B | ~3.2 KB | ~500 B |
| Ed25519 | 32 B | 64 B | 64 B |
| SLH-DSA (FIPS 205) | 32 B | 64 B | 8 KB |
While the public key is small, signatures are large (8 KB). This may impact bandwidth and latency during authentication, but for most use cases, the difference is negligible.
Backward Compatibility
GitHub's implementation is forward-thinking: you can keep your existing keys for compatibility with older servers or tools that don't support SLH-DSA. However, for new projects or security-critical workflows, switching to a post-quantum key is a proactive measure.
Hybrid Approach
Some organizations may prefer a hybrid setup, using both a traditional key and a post-quantum key. You can configure multiple IdentityFile lines in your SSH config, but be aware that OpenSSH will try keys in order until one succeeds. To enforce post-quantum only, specify only the SLH-DSA key.
Real-World Use Cases
Example 1: Securing CI/CD Pipelines
Imagine you run a continuous integration pipeline that pushes code to GitHub repositories using SSH deploy keys. By generating a post-quantum key for your CI system, you ensure that even if quantum computers become viable in the next decade, your automated deployments remain secure. Update your CI configuration (e.g., GitHub Actions secrets, Jenkins credentials) with the new private key.
Example 2: Protecting High-Value Repositories
For repositories containing sensitive intellectual property, compliance requirements, or cryptographic secrets, using post-quantum SSH keys adds an extra layer of defense. It also demonstrates due diligence to auditors and stakeholders.
Example 3: Future-Proofing Personal Workflows
As an individual developer, you can regenerate your SSH keys today. The process is straightforward, and once set up, you don't need to think about it again. It's a small investment for long-term security.
Limitations and Caveats
- Library Support: Not all SSH libraries (e.g., in Python's
paramikoor Golang'scrypto/ssh) support SLH-DSA yet. Check your tooling before switching entirely. - Server Support: While GitHub supports it, other servers (e.g., self-hosted GitLab, corporate firewalls) may not. Verify compatibility with your infrastructure.
- Key Rotation: If you lose your private key, you cannot recover it—just like with any SSH key. Back it up securely.
The Future of Post-Quantum Cryptography in DevOps
GitHub's move is part of a broader industry trend. NIST standardized FIPS 205 (SLH-DSA) and FIPS 206 (ML-KEM) in 2024, and major tech companies are integrating post-quantum algorithms into their products. For example, Cloudflare and Google have experimented with post-quantum TLS. SSH is now catching up, and GitHub's implementation sets a precedent for other platforms.
As quantum computing advances, we can expect more services to adopt hybrid or fully post-quantum cryptographic schemes. Developers should start familiarizing themselves with these algorithms now, even if they don't deploy them immediately.
Conclusion
Post-quantum security for SSH access on GitHub is no longer a theoretical concept—it's a practical feature you can use today. By generating a SLH-DSA key and configuring your SSH client, you protect your connections against future quantum threats. While traditional keys remain safe for now, proactive adoption of post-quantum cryptography demonstrates a commitment to security best practices.
Start by updating your OpenSSH client, generate a new key, and add it to your GitHub account. The process takes less than ten minutes but provides peace of mind for years to come. As the cryptographic landscape evolves, staying ahead of the curve is the best defense.
For more insights on securing your development workflow, explore ASI Biont's resources on modern security practices.
Comments