How to setup SSH Keys for DigitalOcean

31st December 2019 By Simon Bennett

The only save way to connect to your DigitalOcean server or any server is via public key authentication, OpenSSH is the standard tools used and OpenSSH server comes as standard on all provided DigitalOcean operating Systems. Password based authentication is vulnerable to brute force attack, where SSH key pairs are nearly impossible to decipher (I say nearly as weaker keys are still susceptible to attack)

Step One—Create the RSA Key Pair

The first step is to create the key pair on your local machine (if your on windows you are going to have to research now to generate a key):

ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase

Once you have entered the keygen command, you will get questioned:

Enter file in which to save the key (/home/simon/.ssh/id_rsa):

You can press enter , which saves the file to the default location, in your home directory.

Enter passphrase (empty for no passphrase):

I strongly recommend you enter a passphrase, even though it is optional. It protects the key if it falls into the wrong hands been any use. You need the passphrase to unlock the key, on a mac you can save the passphrase into the keychain and need never type it again.

The public key is now located in /home/username/.ssh/id_rsa.pub. The private key (identification) is now located in /home/username/.ssh/id_rsa.

Step Three—Copy the Public Key

Once the key pair is generated, you can start to use it, you can update existing servers or tell DigitalOcean to provision new servers with they key

Alternatively, you can paste in the keys using SSH:

cat ~/.ssh/id_rsa.pub

(make sure you copy the .pub file and not the raw key, thats private and if exposed should be cycled out of use)

Step Four - Install Key on Existing Servers

Once logged in to an existing server you can add the key to a authorized_keys

Check the .ssh directory exists for the user you wish to login for and the permissions are correct.

Then you can nano the file and paste in your key from step 3

nano ~/.ssh/authorized_keys

Step Five - Provision New Servers with Keys

The best way to use your key is when you provision a new server, set the key as creation.

Server Creation Choose Key

Server Creation Choose Key

You can choose as many keys as you would like when setting up the server, for example each team member, who have there own keys. If your key is not on the list just click the New SSH Key button

Digitalocean import new SSH key

Digitalocean import new SSH key

When selecting a SSH key to login, you will not get a password emailed to you.

Step Six - Login

Logging in to the server is now simple. From your machines ssh client (terminal) type the ssh command. Ubuntu uses root@ to login, coreos uses core@ so just check the image as to which user to use. Or if you have setup a new user, use that username

ssh root@serverip



Simon Bennett Avatar
Simon Bennett

Simon Bennett, the founder and creator of SnapShooter, fascinated with DigitalOcean been one of the first customers to come on board when SSD where introduced and the first Amsterdam datacenter opened in 2013.

In 2017 he started SnapShooter, becoming the first dedicated tool for improving DigitalOcean backups with more frequent backups. You can always contact him at simon(at)snapshooter.io