DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.
For security reasons, you can’t add or modify the SSH keys on your Droplet using the control panel after you create it, but you have several options to add and modify them via the command line. If you currently have SSH access to the Droplet, you can upload keys in multiple ways:
From your local computer using ssh-copy-id
, which is included in many Linux distributions’ OpenSSH packages. We recommend this option if it is available for ease of use.
From your local computer by piping the key into the ~/.ssh/authorized_keys
file on the Droplet. This is a good choice if you don’t have ssh-copy-id
.
By connecting to your Droplet with SSH and manually adding the public key, which is necessary if you do not have password-based SSH access.
If you currently can’t connect to your Droplet at all, use the Recovery Console to reset the root user password. Once logged in on the console, you can either add your key manually from the console or temporarily enable password authentication to add the key via SSH.
If you have password-based access to your Droplet, you can copy your SSH key from your local computer to your Droplet using ssh-copy-id
.
On your local computer, run ssh-copy-id
, substituting your username and your Droplet’s IP address:
ssh-copy-id [email protected]
By default, ssh-copy-id
copies the default key, ~/.ssh/id_rsa.pub
, to the target server. To specify a different key, use the -i
flag, as in ssh-copy-id -i ~/path/to/key.pub [email protected]
.
Running ssh-copy-id
prompts you for the user’s password on the Droplet:
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
After you enter the password, it confirms the addition of the key:
Number of key(s) added: 1
Now try logging in to the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
You can now log in without a password.
If you do not have ssh-copy-id
on your local computer but you do have password-based SSH access to your Droplet, you can add an SSH key to your Droplet by piping the contents of the key into the ssh
command.
The following command makes sure the ~/.ssh
directory exists on your Droplet, then pipes the content of the ~/.ssh/id_rsa.pub
file on your local computer to the ~/.ssh/authorized_keys
file on your Droplet.
Run this command on your local computer, substituting your username and the Droplet’s IP address:
cat ~/.ssh/id_rsa.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Running this command prompts you for the user’s password on the Droplet:
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
[email protected]'s password:
After you enter the password, it copies your key, and you can log in without a password.
If you do not have password-based SSH access available, you must add your public key to the remote server manually.
On your local machine, output the contents of your public key.
cat ~/.ssh/id_rsa.pub
Copy the output, which looks similar to this example:
ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== [email protected]
Next, connect to your Droplet with SSH.
ssh
to add your keys.On your Droplet, create the ~/.ssh
directory if it does not already exist:
mkdir -p ~/.ssh
The public keys listed in ~/.ssh/authorized_keys
are the ones that you can use to log in to the server as this user, so you need to add the public key you copied into this file.
To do so, run the following command on your Droplet, replacing the example key in quotes (ssh-rsa EXAMPLEzaC1yc2E...GvaQ== [email protected]
) with the key you copied:
echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== [email protected]" >> ~/.ssh/authorized_keys
Alternatively, you can open the ~/.ssh/authorized_keys
file with a terminal-based text editor, like nano
, and paste the contents of the key into the file that way.
The ~/.ssh
directory and authorized_keys
file must have specific restricted permissions (700
for ~/.ssh
and 600
for authorized_keys
). If they don’t, you cannot log in.
Once the authorized_keys
file contains the public key, set the permissions and ownership of the files:
chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh
You can now log out of your Droplet. The next time you log in, you can do so without a password.