diff --git a/go.mod b/go.mod
index 5c54a2d..d7f0dc8 100644
--- a/go.mod
+++ b/go.mod
@@ -7,3 +7,5 @@ require (
 	github.com/gopasspw/gopass v1.9.1
 	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
 )
+
+replace github.com/go-piv/piv-go => github.com/go-piv/piv-go v1.5.1-0.20200518213843-e6548dd11f02
diff --git a/go.sum b/go.sum
index b2eb04e..06d24fa 100644
--- a/go.sum
+++ b/go.sum
@@ -28,6 +28,8 @@ github.com/gdamore/tcell v1.3.0 h1:r35w0JBADPZCVQijYebl6YMWWtHRqVEGt7kL2eBADRM=
 github.com/gdamore/tcell v1.3.0/go.mod h1:Hjvr+Ofd+gLglo7RYKxxnzCBmev3BzsS67MebKS4zMM=
 github.com/go-piv/piv-go v1.5.0 h1:UtHPfrJsZKY+Z3UIjmJLh6DY+KtmNOl/9b/zt4N81pM=
 github.com/go-piv/piv-go v1.5.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
+github.com/go-piv/piv-go v1.5.1-0.20200518213843-e6548dd11f02 h1:gPojWOKTZxwWuNoQw/004S5U+/ECewLZAwJqZQocRYI=
+github.com/go-piv/piv-go v1.5.1-0.20200518213843-e6548dd11f02/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
 github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722 h1:NNKZiuNXd6lpZRyoFM/uhssj5W9Ps1DbhGHxT49Pm9I=
 github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/gokyle/twofactor v1.0.1 h1:uRhvx0S4Hb82RPIDALnf7QxbmPL49LyyaCkJDpWx+Ek=
diff --git a/main.go b/main.go
index 717b7f0..b4486af 100644
--- a/main.go
+++ b/main.go
@@ -9,6 +9,7 @@ package main
 import (
 	"bytes"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/rsa"
 	"errors"
@@ -47,6 +48,7 @@ func main() {
 	}
 
 	socketPath := flag.String("l", "", "agent: path of the UNIX socket to listen on")
+	ed25519Flag := flag.Bool("ed25519", false, "setup: generate Ed25519 key")
 	resetFlag := flag.Bool("really-delete-all-piv-keys", false, "setup: reset the PIV applet")
 	setupFlag := flag.Bool("setup", false, "setup: configure a new YubiKey")
 	flag.Parse()
@@ -61,7 +63,7 @@ func main() {
 		if *resetFlag {
 			runReset(yk)
 		}
-		runSetup(yk)
+		runSetup(yk, *ed25519Flag)
 	} else {
 		if *socketPath == "" {
 			flag.Usage()
@@ -226,6 +228,7 @@ func getPublicKey(yk *piv.YubiKey, slot piv.Slot) (ssh.PublicKey, error) {
 	}
 	switch cert.PublicKey.(type) {
 	case *ecdsa.PublicKey:
+	case ed25519.PublicKey:
 	case *rsa.PublicKey:
 	default:
 		return nil, fmt.Errorf("unexpected public key type: %T", cert.PublicKey)
diff --git a/setup.go b/setup.go
index 7cba085..2b508fd 100644
--- a/setup.go
+++ b/setup.go
@@ -65,7 +65,7 @@ func runReset(yk *piv.YubiKey) {
 	}
 }
 
-func runSetup(yk *piv.YubiKey) {
+func runSetup(yk *piv.YubiKey, ed25519 bool) {
 	if _, err := yk.Certificate(piv.SlotAuthentication); err == nil {
 		log.Println("‼️  This YubiKey looks already setup")
 		log.Println("")
@@ -136,8 +136,13 @@ func runSetup(yk *piv.YubiKey) {
 		log.Fatalln("use --really-delete-all-piv-keys ⚠️")
 	}
 
+	alg := piv.AlgorithmEC256
+	if ed25519 {
+		// hack it in, this relies on the piv-go patch
+		alg = piv.AlgorithmEd25519
+	}
 	pub, err := yk.GenerateKey(key, piv.SlotAuthentication, piv.Key{
-		Algorithm:   piv.AlgorithmEC256,
+		Algorithm:   alg,
 		PINPolicy:   piv.PINPolicyOnce,
 		TouchPolicy: piv.TouchPolicyAlways,
 	})