DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.
When you first create a Droplet, we recommend configuring it for security and usability in a way that makes scaling and integration with other products simpler in the future. Our recommended setup for a Ubuntu 18.04 Droplet has the following:
Improved security: SSH key authentication for a sudo non-root
user, no password-based access to root
, and a cloud firewall to restrict access to SSH only.
Reliability and usability: Automatic backups to prevent data loss in emergencies, and networking features like VPC and IPv6 support with no manual configuration.
Capacity and scaling information: The DigitalOcean metrics agent to understand your resource usage and make more informed decisions on when and how to scale.
After you set up one Droplet with our recommended setup, configuring subsequent Droplets with the same setup only requires selecting options on the Droplet creation page.
You can use Droplets with this setup to host a website, scale out from a single Droplet to multiple Droplets with a load balancer, or add object storage to serve assets.
Choose whether you want to use the DigitalOcean Control Panel in a browser or doctl
, the DigitalOcean command-line interface, from a terminal.
The control panel visually guides you through creation and configuration and lets you get started without setting up additional tools. doctl
lets you work from the command line and enables faster setup with a scriptable interface.
If you don’t already have a DigitalOcean account, sign up now and log in to the control panel.
Our recommended setup uses SSH keys for authentication when logging into Droplets because password-based authentication is less secure. After you upload your SSH public key to your DigitalOcean account, you can add it automatically to any new Droplets you create, which avoids manually adding or configuring them.
If you don’t have an SSH key pair, create one using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:
ssh-keygen
Your key pair is saved in the location prompted, which by default is ~/.ssh/
on Linux and /Users/your_username/.ssh
on Windows and macOS. Copy the contents of your public key, which is named id_rsa.pub
by default. On macOS, you can copy the key directly to your clipboard by running the following command:
pbcopy < ~/.ssh/id_rsa.pub
The Windows and Linux versions of the command depend on your specific distribution, subsystem, or command-line shell.
In the left menu of the control panel, click Settings, then click the Security tab at the top of the page to go to the team security settings page. The SSH keys section lists any keys already added to the team.
Click Add SSH Key to open the New SSH key window.
Copy your public key into the Public Key field. Enter a name in the Key Name field, which you use identify this key in the DigitalOcean Control Panel. We recommend using the name of the machine you copied the public key from.
Our recommended setup for Droplets includes enabling several features: VPC (private networking), IPv6, monitoring, and backups.
VPC creates a private network interface accessible only by resources within the same account or team. It’s free and increases security and decreases bandwidth costs for resources that communicate using it. Enabling it later requires manual network configuration and rebooting the Droplet.
IPv6 enables an additional 16 IP addresses for the Droplet. It’s free and enabling it later requires manual network configuration and rebooting the Droplet.
Monitoring is a metrics visualization service that adds additional graphs to the control panel (like CPU load, RAM usage, and disk usage) and the ability to set up alert policies. It’s free and enabling it from the start avoids manual setup and lets you understand your resource usage to make more informed decisions on when and how to scale.
Backups are automatic, system-level disk images of Droplets taken weekly or daily. Backups give you a way to revert a Droplet to an older state or recreate Droplets, protecting you against data loss. They add 20% to the monthly cost of the Droplet.
Our setup also uses user data, which is data that CloudInit consumes during the Droplet’s first boot to perform tasks or run scripts. The user data script in this tutorial implements two security measures:
Disables password-based login to the Droplet, making it accessible with SSH keys only.
Creates a sudo non-root user for day-to-day use. The root user has broad privileges that you don’t need for many tasks. Using a sudo non-root user decreases the risk of making destructive changes by accident and still lets you escalate privileges when necessary.
From the control panel, click Create in the top right to open the create menu, then click Droplets to open the Droplet create page. Configure the new Droplet with the following options:
In Choose an image, under the OS tab, choose the latest version of Ubuntu 18.04.
In VPC Network, choose the default VPC.
In the recommended and advanced options sections, check the boxes for IPv6 and monitoring.
In the Advanced Options section, additionally check the box for user data. In the text box that opens, copy and paste the following cloud-config
script. Customize the emphasized line to set the username.
#!/bin/bash
set -euo pipefail
USERNAME=sammy # TODO: Customize the sudo non-root username here
# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"
# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"
# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd; fi
In Authentication, select SSH keys, and choose one or more keys. These keys give you access to the root user, and the user data script adds these keys to the sudo non-root user and disable password authentication.
In Tags, create a tag that matches what you’re using the Droplet for, like webserver
. You need to use this tag to apply cloud firewalls in the next step.
In the recommended options section, check the box for Enable backups.
Once you’ve selected all of the options, click Create Droplet.
Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. DigitalOcean Cloud Firewalls are a free, stateful firewall service for Droplets. They block all traffic that isn’t expressly permitted by a rule.
You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. Our setup uses tags. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.
To start, we recommend the following default firewall rules:
Restrict all inbound traffic except for SSH connections to the Droplet on port 22.
Allow all outbound traffic to any destination on any port. Many fundamental services rely on outbound communication, and these defaults make it easier to set up a new Droplet without introducing restrictions that could cause expected problems.
In the long term, we recommend organizing firewalls by role, so you can create custom firewalls for your specific use case.
From the control panel, click Create Droplet in the top right to open the create menu, then click Cloud Firewalls to open the firewall create page. Configure the cloud firewall with the following options:
In Name, enter inbound-ssh-only
.
In Inbound Rules, leave the single default rule for SSH.
Once you’ve selected all of the options, click Create Firewall.
After you set up one Droplet with our recommended setup, setting up future ones is simpler because you don’t need to repeat most of the steps. You only need to complete these steps once:
To create additional Droplets with the same setup, the only step is choosing its configuration options on the Droplet creation page:
Enable the same features (VPC, IPv6, monitoring, and backups).
Choose your SSH key.
Paste the cloud-config
script in user data.
Add the tag for the cloud firewall.
If you use doctl
, the DigitalOcean command line interface, you can create a Droplet with all of these options in a single command:
doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
--image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
--ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
--enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups
If you don’t already have a DigitalOcean account, sign up now.
Install doctl
using the GitHub repository’s instructions, which recommends native package managers:
# On macOS:
brew install doctl
# On Snap-supported systems, like Ubuntu:
sudo snap install doctl
sudo snap connect doctl:ssh-keys :ssh-keys # Enable support for doctl compute ssh
sudo snap connect doctl:kube-config # Enable support for kubectl
Then, on the Applications & API page of the control panel, create a Personal access token for the DigitalOcean API with read and write access.
Give doctl
access to your DigitalOcean account:
doctl auth init --context examplename
Enter the API token when prompted. Using --context
identifies your account by naming the authentication context. You can list and switch between multiple authenticated accounts with doctl auth list
and doctl auth switch
, respectively.
Our recommended setup uses SSH keys for authentication when logging into Droplets because password-based authentication is less secure. After you upload your SSH public key to your DigitalOcean account, you can add it automatically to any new Droplets you create, which avoids manually adding or configuring them.
If you don’t have an SSH key pair, create one using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:
ssh-keygen
Your key pair is saved in the location prompted, which by default is ~/.ssh/
on Linux and /Users/your_username/.ssh
on Windows and macOS. Copy the contents of your public key, which is named id_rsa.pub
by default.
Use doctl compute ssh-key import
to upload the key to your account. Specify the public key file and a name for the key.
doctl compute ssh-key import TODO-KEY-NAME --public-key-file ~/.ssh/id_rsa.pub
If you saved your SSH key to a location other than the default, use that path for --public-key-file
.
Our recommended setup for Droplets includes enabling several features: VPC (private networking), IPv6, monitoring, and backups.
VPC creates a private network interface accessible only by resources within the same account or team. It’s free and increases security and decreases bandwidth costs for resources that communicate using it. Enabling it later requires manual network configuration and rebooting the Droplet.
IPv6 enables an additional 16 IP addresses for the Droplet. It’s free and enabling it later requires manual network configuration and rebooting the Droplet.
Monitoring is a metrics visualization service that adds additional graphs to the control panel (like CPU load, RAM usage, and disk usage) and the ability to set up alert policies. It’s free and enabling it from the start avoids manual setup and lets you understand your resource usage to make more informed decisions on when and how to scale.
Backups are automatic, system-level disk images of Droplets taken weekly or daily. Backups give you a way to revert a Droplet to an older state or recreate Droplets, protecting you against data loss. They add 20% to the monthly cost of the Droplet.
Our setup also uses user data, which is data that CloudInit consumes during the Droplet’s first boot to perform tasks or run scripts. The user data script in this tutorial implements two security measures:
Disables password-based login to the Droplet, making it accessible with SSH keys only.
Creates a sudo non-root user for day-to-day use. The root user has broad privileges that you don’t need for many tasks. Using a sudo non-root user decreases the risk of making destructive changes by accident and still lets you escalate privileges when necessary.
First, save the cloud-config
script locally:
#!/bin/bash
set -euo pipefail
USERNAME=sammy # TODO: Customize the sudo non-root username here
# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"
# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"
# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd; fi
You can customize the username of the sudo non-root user on the emphasized line.
Next, use doctl compute droplet create
to create the Droplet.
doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
--image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
--ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
--enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups
Replace the TODO-
values with your values. Choose a name for the Droplet and create a tag that matches what you’re using the Droplet for, like webserver
. You need to use this tag to apply cloud firewalls in the next step. Specify the fingerprint of the SSH key you want to use and the relative path to the saved user data file. You can customize the given datacenter region and Droplet size.
Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. DigitalOcean Cloud Firewalls are a free, stateful firewall service for Droplets. They block all traffic that isn’t expressly permitted by a rule.
You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. Our setup uses tags. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.
To start, we recommend the following default firewall rules:
Restrict all inbound traffic except for SSH connections to the Droplet on port 22.
Allow all outbound traffic to any destination on any port. Many fundamental services rely on outbound communication, and these defaults make it easier to set up a new Droplet without introducing restrictions that could cause expected problems.
In the long term, we recommend organizing firewalls by role, so you can create custom firewalls for your specific use case.
Create a firewall named inbound-ssh-only
, specifying the tag you used for the new Droplet:
doctl compute firewall create --name "inbound-ssh-only" \
--tag-names TODO-TAG-NAME \
--inbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0" \
--outbound-rules "protocol:icmp,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0"
After you set up one Droplet with our recommended setup, setting up future ones is simpler because you don’t need to repeat most of the steps.
You only need to complete these steps once:
To create additional Droplets with the same setup, the only step is choosing its configuration options:
Enable the same features (private networking, IPv6, monitoring, and backups).
Choose your SSH key.
Paste the cloud-config
script in user data.
Add the tag for the cloud firewall.
doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
--image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
--ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
--enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups
After this initial setup, you can use your Droplet to host a website, scale out from a single Droplet to multiple Droplets with a load balancer, or add object storage to serve assets.