# How to Upload an SSH Public Key to an Existing Droplet

DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.

**Note**: If you’re struggling with SSH and server management, try our managed products: [Cloudways](https://docs.digitalocean.com/products/cloudways/index.html.md) deploys pre-installed software stacks onto Droplets, and [App Platform](https://docs.digitalocean.com/products/app-platform/index.html.md) deploys and scales apps directly from your code repository, along with databases and serverless functions.

For security reasons, you can’t add or modify the SSH keys on your Droplet using the control panel after you create it, but you have several options to add and modify them via the command line. If you currently have SSH access to the Droplet, you can upload keys in multiple ways:

- [**From your local computer using `ssh-copy-id`**](#with-ssh-copy-id) , which is included in many Linux distributions’ OpenSSH packages. We recommend this option if it is available for ease of use.
- [**From your local computer by piping the key**](#with-ssh) into the `~/.ssh/authorized_keys` file on the Droplet. This is a good choice if you don’t have `ssh-copy-id`.
- [**By connecting to your Droplet with SSH and manually adding the public key**](#manually), which is necessary if you do not have password-based SSH access.

If you currently can’t connect to your Droplet at all, [use the Recovery Console to reset the root user password](https://docs.digitalocean.com/products/droplets/how-to/recovery/recovery-console/index.html.md). Once logged in on the console, you can either [add your key manually from the console](#manually) or [temporarily enable password authentication](https://docs.digitalocean.com/support/i-lost-the-ssh-key-for-my-droplet/index.html.md#enable-password-authentication) to add the key [via SSH](#with-ssh-copy-id).

## Locally Using ssh-copy-id and Password-Based Access

If you have password-based access to your Droplet, you can copy your SSH key from your local computer to your Droplet using `ssh-copy-id`.

On your local computer, run `ssh-copy-id`, substituting your username and your Droplet’s IP address:

```bash
ssh-copy-id use_your_username@203.0.113.0
```

By default, `ssh-copy-id` copies the default key, `~/.ssh/id_ed25519.pub`, to the target server. To specify a different key, use the `-i` flag, as in `ssh-copy-id -i ~/path/to/key.pub use_your_username@203.0.113.0`.

Running `ssh-copy-id` prompts you for the user’s password on the Droplet:

```text
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.0's password:
```

After you enter the password, it confirms the addition of the key:

```
Number of key(s) added: 1

Now try logging in to the machine, with:   "ssh 'username@203.0.113.0'"
and check to make sure that only the key(s) you wanted were added.
```

You can now log in without a password.

## Locally by Piping into ssh with Password-Based Access

If you do not have `ssh-copy-id` on your local computer but you do have password-based SSH access to your Droplet, you can add an SSH key to your Droplet by [piping](https://www.digitalocean.com/community/tutorials/an-introduction-to-linux-i-o-redirection#pipes) the contents of the key into the `ssh` command.

The following command makes sure the `~/.ssh` directory exists on your Droplet, then pipes the content of the `~/.ssh/id_ed25519.pub` file on your local computer to the `~/.ssh/authorized_keys` file on your Droplet.

Run this command on your local computer, substituting your username and the Droplet’s IP address:

```bash
cat ~/.ssh/id_ed25519.pub | ssh username@203.0.113.0 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

Running this command prompts you for the user’s password on the Droplet:

```text
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
username@203.0.113.0's password:
```

After you enter the password, it copies your key, and you can log in without a password.

## Manually from the Droplet

If you do not have password-based SSH access available, you must add your public key to the remote server manually.

On your local machine, output the contents of your public key.

```shell
cat ~/.ssh/id_ed25519.pub
```

Copy the output, which looks similar to this example:

```
ssh-ed25519 EXAMPLEzaC1lZDI1NTE5AAAAIGKy65/WWrFKeWdpJKJAuLqev9bb9ZNofcMrR/OnC9BM username@203.0.113.0
```

Next, [connect to your Droplet with SSH](https://docs.digitalocean.com/products/droplets/how-to/connect-with-ssh/index.html.md).

**Note**: If you can’t connect to your Droplet, you can [use the Recovery Console to recover access](https://docs.digitalocean.com/products/droplets/how-to/recovery/recovery-console/index.html.md) by resetting your Droplet’s root password, and then [use `ssh` to add your keys](#with-ssh).

On your Droplet, create the `~/.ssh` directory if it does not already exist:

```shell
mkdir -p ~/.ssh
```

The public keys listed in `~/.ssh/authorized_keys` are the ones that you can use to log in to the server as this user, so you need to add the public key you copied into this file.

To do so, run the following command on your Droplet, replacing the example key in quotes (`ssh-ed25519 EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0`) with the key you copied:

```shell
echo "ssh-ed25519 EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0" >> ~/.ssh/authorized_keys
```

Alternatively, you can open the `~/.ssh/authorized_keys` file with [a terminal-based text editor, like `nano`](https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management#editing-files), and paste the contents of the key into the file that way.

The `~/.ssh` directory and `authorized_keys` file must have specific restricted [permissions](https://www.digitalocean.com/community/tutorials/an-introduction-to-linux-permissions) (`700` for `~/.ssh` and `600` for `authorized_keys`). If they don’t, you cannot log in.

Once the `authorized_keys` file contains the public key, set the permissions and ownership of the files:

```shell
chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh
```

You can now log out of your Droplet. The next time you log in, you can do so without a password.