How to Set Up SSH Keys for DigitalOcean

Simon Bennett · Dec 31, 2019

The only safe way to connect to your DigitalOcean server, or any server, is via public key authentication. OpenSSH is the standard tool for this, and OpenSSH server comes as standard on all operating systems DigitalOcean provides. Password-based authentication is vulnerable to brute-force attacks, whereas SSH key pairs are nearly impossible to decipher (I say nearly because weaker keys are still susceptible to attack).

Step One—Create the RSA Key Pair

The first step is to create the key pair on your local machine (if you're on Windows, you will have to research how to generate a key):

ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase

Once you have entered the keygen command, you will be asked a few questions:

Enter file in which to save the key (/home/simon/.ssh/id_rsa):

You can press enter, which saves the file to the default location, in your home directory.

Enter passphrase (empty for no passphrase):

I strongly recommend you enter a passphrase, even though it is optional. It stops the key from being of any use if it falls into the wrong hands, because you need the passphrase to unlock the key. On a Mac you can save the passphrase in the keychain and never need to type it again.

The public key is now located in /home/username/.ssh/id_rsa.pub. The private key (identification) is now located in /home/username/.ssh/id_rsa.

Step Three—Copy the Public Key

Once the key pair is generated, you can start to use it: you can update existing servers or tell DigitalOcean to provision new servers with the key.

Alternatively, you can paste in the key over SSH. Print the public key so you can copy it:

cat ~/.ssh/id_rsa.pub

(Make sure you copy the .pub file and not the raw key. The raw key is private and, if exposed, should be cycled out of use.)

Step Four - Install Key on Existing Servers

Once logged in to an existing server, you can add the key to the authorized_keys file.

Check that the .ssh directory exists for the user you wish to log in as and that the permissions are correct.

Then open the file in nano and paste in your key from Step Three:

nano ~/.ssh/authorized_keys
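
Step Four's directory check, permissions and paste can also be scripted. The following is an added example, not part of the original post: install_pubkey is a hypothetical helper name, and the 700/600 modes are the conventional values for ~/.ssh and authorized_keys. It also refuses a private key file, which is the mistake Step Three warns about.

```shell
#!/usr/bin/env bash
# Added example: install a public key into authorized_keys with safe permissions.
# install_pubkey is a hypothetical helper, not an OpenSSH command.
# Usage on the server: install_pubkey /path/to/id_rsa.pub [ssh_dir]

install_pubkey() {
    local pubkey_file="$1"
    local ssh_dir="${2:-$HOME/.ssh}"
    local auth_file="$ssh_dir/authorized_keys"
    local key_line

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # Refuse private keys: they carry a PEM "-----BEGIN ... PRIVATE KEY-----" header.
    if grep -q -- 'PRIVATE KEY-----' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 2
    fi

    # A public key is one line: "<type> <base64> [comment]".
    key_line="$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' "$pubkey_file" | head -n 1)"
    [ -n "$key_line" ] || { echo "no public key line found in $pubkey_file" >&2; return 3; }

    # sshd's StrictModes (on by default) ignores authorized_keys when the
    # directory or file is writable by group or others, so lock both down.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Append only if the exact line is not already present, so re-runs are harmless.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}
```

Run it as the user who will log in, so the directory and file end up owned by that account.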

Step Five - Provision New Servers with Keys

The best way to use your key is to set it at creation when you provision a new server.

Server Creation Choose Key

You can choose as many keys as you would like when setting up the server, for example one for each team member who has their own key. If your key is not on the list, just click the New SSH Key button.

DigitalOcean imports new SSH key

When you select an SSH key for login, you will not get a password emailed to you.

Step Six - Login

Logging in to the server is now simple. From your machine's SSH client (terminal), type the ssh command. Ubuntu uses root@ to log in and CoreOS uses core@, so check the image to see which user to use. If you have set up a new user, use that username instead.

ssh root@serverip

Add Key to Existing Droplet?

This is a little more complex. You will need to boot the server in recovery mode, log in via the recovery console, mount the file system, navigate to the authorized_keys file, add your key, and reboot out of recovery mode.