Set up a Production-Ready Droplet

DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.


When you first create a Droplet, we recommend configuring it for security and usability in a way that makes scaling and integration with other products simpler in the future. Our recommended setup for a Ubuntu 18.04 Droplet has the following:

  • Improved security: SSH key authentication for a sudo non-root user, no password-based access to root, and a cloud firewall to restrict access to SSH only.

  • Reliability and usability: Automatic backups to prevent data loss in emergencies, and networking features like VPC and IPv6 support with no manual configuration.

  • Capacity and scaling information: The DigitalOcean metrics agent to understand your resource usage and make more informed decisions on when and how to scale.

After you set up one Droplet with our recommended setup, configuring subsequent Droplets with the same setup only requires selecting options on the Droplet creation page.

You can use Droplets with this setup to host a website, scale out from a single Droplet to multiple Droplets with a load balancer, or add object storage to serve assets.

Before You Start

Choose whether you want to use the DigitalOcean Control Panel in a browser or doctl, the DigitalOcean command-line interface, from a terminal.

The control panel visually guides you through creation and configuration and lets you get started without setting up additional tools. doctl lets you work from the command line and enables faster setup with a scriptable interface.

If you don’t already have a DigitalOcean account, sign up now and log in to the control panel.

Step 1: Create and Upload SSH Keys

Our recommended setup uses SSH keys for authentication when logging into Droplets because password-based authentication is less secure. After you upload your SSH public key to your DigitalOcean account, you can add it automatically to any new Droplets you create, which avoids manually adding or configuring them.

How do I do this?

If you don’t have an SSH key pair, create one using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:

ssh-keygen

Your key pair is saved in the location prompted, which by default is ~/.ssh/ on Linux and /Users/your_username/.ssh on Windows and macOS. Copy the contents of your public key, which is named id_rsa.pub by default. On macOS, you can copy the key directly to your clipboard by running the following command:

pbcopy < ~/.ssh/id_rsa.pub

The Windows and Linux versions of the command depend on your specific distribution, subsystem, or command-line shell.

In the left menu of the control panel, click Settings, then click the Security tab at the top of the page to go to the team security settings page. The SSH keys section lists any keys already added to the team.

The SSH Key section of the team security page with one key listed

Click Add SSH Key to open the New SSH key window.

Copy your public key into the Public Key field. Enter a name in the Key Name field, which you use identify this key in the DigitalOcean Control Panel. We recommend using the name of the machine you copied the public key from.

Get more detail on creating and uploading SSH keys.

The following articles have more detailed explanations of this step:

Use OpenSSH to create new SSH keys on MacOS, Linux, or Windows Subsystem for Linux.
Use PuTTY to create SSH keys on Windows systems without Bash.
Add public SSH keys to a DigitalOcean team to make it easier to add keys to Droplets during creation.

Step 2: Create and Configure the Droplet

Our recommended setup for Droplets includes enabling several features: VPC (private networking), IPv6, monitoring, and backups.

  • VPC creates a private network interface accessible only by resources within the same account or team. It’s free and increases security and decreases bandwidth costs for resources that communicate using it. Enabling it later requires manual network configuration and rebooting the Droplet.

  • IPv6 enables an additional 16 IP addresses for the Droplet. It’s free and enabling it later requires manual network configuration and rebooting the Droplet.

  • Monitoring is a metrics visualization service that adds additional graphs to the control panel (like CPU load, RAM usage, and disk usage) and the ability to set up alert policies. It’s free and enabling it from the start avoids manual setup and lets you understand your resource usage to make more informed decisions on when and how to scale.

  • Backups are automatic, system-level disk images of Droplets taken weekly or daily. Backups give you a way to revert a Droplet to an older state or recreate Droplets, protecting you against data loss. They add 20% to the monthly cost of the Droplet.

Our setup also uses user data, which is data that CloudInit consumes during the Droplet’s first boot to perform tasks or run scripts. The user data script in this tutorial implements two security measures:

  • Disables password-based login to the Droplet, making it accessible with SSH keys only.

  • Creates a sudo non-root user for day-to-day use. The root user has broad privileges that you don’t need for many tasks. Using a sudo non-root user decreases the risk of making destructive changes by accident and still lets you escalate privileges when necessary.

How do I do this?

From the control panel, click Create in the top right to open the create menu, then click Droplets to open the Droplet create page. Configure the new Droplet with the following options:

  1. In Choose an image, under the OS tab, choose the latest version of Ubuntu 18.04.

  2. In VPC Network, choose the default VPC.

  3. In the recommended and advanced options sections, check the boxes for IPv6 and monitoring.

  4. In the Advanced Options section, additionally check the box for user data. In the text box that opens, copy and paste the following cloud-config script. Customize the emphasized line to set the username.

    
        
            


#!/bin/bash
set -euo pipefail

USERNAME=sammy # TODO: Customize the sudo non-root username here

# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"

# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"

# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd; fi


        
    
  1. In Authentication, select SSH keys, and choose one or more keys. These keys give you access to the root user, and the user data script adds these keys to the sudo non-root user and disable password authentication.

  2. In Tags, create a tag that matches what you’re using the Droplet for, like webserver. You need to use this tag to apply cloud firewalls in the next step.

  3. In the recommended options section, check the box for Enable backups.

Once you’ve selected all of the options, click Create Droplet.

Get more detail on creating Droplets.

The following articles have more detailed explanations of this step:

Create Droplets and customize the image, plan, authentication method, and quantity of Droplets you want.

Step 3: Create a Cloud Firewall

Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. DigitalOcean Cloud Firewalls are a free, stateful firewall service for Droplets. They block all traffic that isn’t expressly permitted by a rule.

You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. Our setup uses tags. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.

To start, we recommend the following default firewall rules:

  • Restrict all inbound traffic except for SSH connections to the Droplet on port 22.

  • Allow all outbound traffic to any destination on any port. Many fundamental services rely on outbound communication, and these defaults make it easier to set up a new Droplet without introducing restrictions that could cause expected problems.

In the long term, we recommend organizing firewalls by role, so you can create custom firewalls for your specific use case.

How do I do this?

From the control panel, click Create Droplet in the top right to open the create menu, then click Cloud Firewalls to open the firewall create page. Configure the cloud firewall with the following options:

  1. In Name, enter inbound-ssh-only.

  2. In Inbound Rules, leave the single default rule for SSH.

The inbound rules section of the cloud firewall create page
  1. In Outbound Rules, keep the default rules, which permit all traffic to any destination on any port.
The outbound rules section of the cloud firewall create page
  1. In Apply to Droplets, add the tag you created with the new Droplet. When you create additional Droplets, adding the same tag to them automatically adds them to this cloud firewall as well, simplifying scaling in the future.

Once you’ve selected all of the options, click Create Firewall.

Get more detail on firewall creation and rules.

The following articles have more detailed explanations of this step:

Create a cloud firewall to restrict network traffic to and from specified Droplets.
Create, modify, or delete firewall rules to restrict Droplets’ inbound and outbound traffic based on ports, sources, and destinations.
Add Droplets to a firewall by name or by tag to apply the firewall’s rules.

Summary

After you set up one Droplet with our recommended setup, setting up future ones is simpler because you don’t need to repeat most of the steps. You only need to complete these steps once:

  • Creating an SSH key pair.
  • Uploading your public key to your DigitalOcean account.
  • Creating the cloud firewall.

To create additional Droplets with the same setup, the only step is choosing its configuration options on the Droplet creation page:

  1. Enable the same features (VPC, IPv6, monitoring, and backups).

  2. Choose your SSH key.

  3. Paste the cloud-config script in user data.

  4. Add the tag for the cloud firewall.

If you use doctl, the DigitalOcean command line interface, you can create a Droplet with all of these options in a single command:

doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
    --image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
    --ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
    --enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups

If you don’t already have a DigitalOcean account, sign up now.

Install doctl using the GitHub repository’s instructions, which recommends native package managers:

    
        
            
# On macOS:
brew install doctl

        
    
    
        
            
# On Snap-supported systems, like Ubuntu:
sudo snap install doctl
sudo snap connect doctl:ssh-keys :ssh-keys # Enable support for doctl compute ssh
sudo snap connect doctl:kube-config # Enable support for kubectl

        
    

Then, on the Applications & API page of the control panel, create a Personal access token for the DigitalOcean API with read and write access.

Give doctl access to your DigitalOcean account:

doctl auth init --context examplename

Enter the API token when prompted. Using --context identifies your account by naming the authentication context. You can list and switch between multiple authenticated accounts with doctl auth list and doctl auth switch, respectively.

Get more detail on doctl setup, personal access tokens, and doctl auth commands.

The following articles have more detailed explanations of this step:

Manage your DigitalOcean resources from the command line with doctl, our open-source command line interface (CLI).
Create a personal access token for use with the DigitalOcean API.
This command allows you to initialize doctl with a token that allows it to query and manage your account details and resources. The command requires and API token to authenticate, which you can generate in the control panel at https://cloud.digitalocean.com/account/api/tokens. The --context flag allows you to add authentication for multiple accounts and then switch between them as needed. Provide a case-sensitive name for the context and then enter the API token you want use for that context when prompted. You can switch authentication contexts using doctl auth switch, which re-initializes doctl. You can also provide the --context flag when using any doctl command to specify the auth context for that command. This enables you to use multiple DigitalOcean accounts with doctl, or tokens that have different authentication scopes. If the --context flag is not specified, doctl creates a default authentication context named default. You can use doctl without initializing it by adding the --access-token flag to each command and providing an API token as the argument.
List named authentication contexts that you created with doctl auth init. To switch between the contexts use doctl auth switch --context <name>, where <name> is one of the contexts listed. To create new contexts, see the help for doctl auth init.
This command allows you to switch between authentication contexts you’ve already created. To see a list of available authentication contexts, call doctl auth list. For details on creating an authentication context, see the help for doctl auth init.

Step 1: Create and Upload SSH Keys

Our recommended setup uses SSH keys for authentication when logging into Droplets because password-based authentication is less secure. After you upload your SSH public key to your DigitalOcean account, you can add it automatically to any new Droplets you create, which avoids manually adding or configuring them.

How do I do this?

If you don’t have an SSH key pair, create one using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:

ssh-keygen

Your key pair is saved in the location prompted, which by default is ~/.ssh/ on Linux and /Users/your_username/.ssh on Windows and macOS. Copy the contents of your public key, which is named id_rsa.pub by default.

Use doctl compute ssh-key import to upload the key to your account. Specify the public key file and a name for the key.

doctl compute ssh-key import TODO-KEY-NAME --public-key-file ~/.ssh/id_rsa.pub

If you saved your SSH key to a location other than the default, use that path for --public-key-file.

Get more detail on creating SSH keys and doctl ssh-key commands.

The following articles have more detailed explanations of this step:

Use this command to add a new SSH key to your account, using a local public key file. Note that importing a key to your account will not add it to any Droplets
Use this command to add a new SSH key to your account. Specify a <key-name> for the key, and set the --public-key flag to a string with the contents of the key. Note that creating a key will not add it to any Droplets.
Use OpenSSH to create new SSH keys on MacOS, Linux, or Windows Subsystem for Linux.
Use PuTTY to create SSH keys on Windows systems without Bash.

Step 2: Create and Configure the Droplet

Our recommended setup for Droplets includes enabling several features: VPC (private networking), IPv6, monitoring, and backups.

  • VPC creates a private network interface accessible only by resources within the same account or team. It’s free and increases security and decreases bandwidth costs for resources that communicate using it. Enabling it later requires manual network configuration and rebooting the Droplet.

  • IPv6 enables an additional 16 IP addresses for the Droplet. It’s free and enabling it later requires manual network configuration and rebooting the Droplet.

  • Monitoring is a metrics visualization service that adds additional graphs to the control panel (like CPU load, RAM usage, and disk usage) and the ability to set up alert policies. It’s free and enabling it from the start avoids manual setup and lets you understand your resource usage to make more informed decisions on when and how to scale.

  • Backups are automatic, system-level disk images of Droplets taken weekly or daily. Backups give you a way to revert a Droplet to an older state or recreate Droplets, protecting you against data loss. They add 20% to the monthly cost of the Droplet.

Our setup also uses user data, which is data that CloudInit consumes during the Droplet’s first boot to perform tasks or run scripts. The user data script in this tutorial implements two security measures:

  • Disables password-based login to the Droplet, making it accessible with SSH keys only.

  • Creates a sudo non-root user for day-to-day use. The root user has broad privileges that you don’t need for many tasks. Using a sudo non-root user decreases the risk of making destructive changes by accident and still lets you escalate privileges when necessary.

How do I do this?

First, save the cloud-config script locally:

    
        
            


#!/bin/bash
set -euo pipefail

USERNAME=sammy # TODO: Customize the sudo non-root username here

# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"

# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"

# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd; fi


        
    

You can customize the username of the sudo non-root user on the emphasized line.

Next, use doctl compute droplet create to create the Droplet.

doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
    --image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
    --ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
    --enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups

Replace the TODO- values with your values. Choose a name for the Droplet and create a tag that matches what you’re using the Droplet for, like webserver. You need to use this tag to apply cloud firewalls in the next step. Specify the fingerprint of the SSH key you want to use and the relative path to the saved user data file. You can customize the given datacenter region and Droplet size.

Get more detail on Droplet metadata and the doctl create command.

The following articles have more detailed explanations of this step:

Use the Droplet metadata service to programmatically query a Droplet for information about itself.
Creates a new Droplet on your account. The command requires values for the --size, and --image flags. To retrieve a list of size slugs, use the doctl compute size list command. To retrieve a list of image slugs, use the doctl compute image list command. If you do not specify a region, the Droplet is created in the default region for your account. If you do not specify any SSH keys, we email a temporary password to your account’s email address.

Step 3: Create a Cloud Firewall

Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. DigitalOcean Cloud Firewalls are a free, stateful firewall service for Droplets. They block all traffic that isn’t expressly permitted by a rule.

You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. Our setup uses tags. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.

To start, we recommend the following default firewall rules:

  • Restrict all inbound traffic except for SSH connections to the Droplet on port 22.

  • Allow all outbound traffic to any destination on any port. Many fundamental services rely on outbound communication, and these defaults make it easier to set up a new Droplet without introducing restrictions that could cause expected problems.

In the long term, we recommend organizing firewalls by role, so you can create custom firewalls for your specific use case.

How do I do this?

Create a firewall named inbound-ssh-only, specifying the tag you used for the new Droplet:

    
        
            
doctl compute firewall create --name "inbound-ssh-only" \
    --tag-names TODO-TAG-NAME \
    --inbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0" \
    --outbound-rules "protocol:icmp,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0"

        
    
Get more detail on doctl compute firewall create.

The following articles have more detailed explanations of this step:

Creates a cloud firewall. This command must contain at least one inbound or outbound access rule.

Summary

After you set up one Droplet with our recommended setup, setting up future ones is simpler because you don’t need to repeat most of the steps.

You only need to complete these steps once:

  • Creating an SSH key pair
  • Uploading your public key to your DigitalOcean account
  • Creating the cloud firewall

To create additional Droplets with the same setup, the only step is choosing its configuration options:

  1. Enable the same features (private networking, IPv6, monitoring, and backups).

  2. Choose your SSH key.

  3. Paste the cloud-config script in user data.

  4. Add the tag for the cloud firewall.

doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
    --image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
    --ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
    --enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups

What’s Next?

After this initial setup, you can use your Droplet to host a website, scale out from a single Droplet to multiple Droplets with a load balancer, or add object storage to serve assets.