How to Upload an SSH Public Key to an Existing Droplet
DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.
Note
For security reasons, you can’t add or modify the SSH keys on your Droplet using the control panel after you create it, but you have several options to add and modify them via the command line. If you currently have SSH access to the Droplet, you can upload keys in multiple ways:
-
From your local computer using
ssh-copy-id, which is included in many Linux distributions’ OpenSSH packages. We recommend this option if it is available for ease of use. -
From your local computer by piping the key into the
~/.ssh/authorized_keysfile on the Droplet. This is a good choice if you don’t havessh-copy-id. -
By connecting to your Droplet with SSH and manually adding the public key, which is necessary if you do not have password-based SSH access.
If you currently can’t connect to your Droplet at all, use the Recovery Console to reset the root user password. Once logged in on the console, you can either add your key manually from the console or temporarily enable password authentication to add the key via SSH.
Locally Using ssh-copy-id and Password-Based Access
If you have password-based access to your Droplet, you can copy your SSH key from your local computer to your Droplet using ssh-copy-id.
On your local computer, run ssh-copy-id, substituting your username and your Droplet’s IP address:
ssh-copy-id use_your_username@203.0.113.0
By default, ssh-copy-id copies the default key, ~/.ssh/id_rsa.pub, to the target server. To specify a different key, use the -i flag, as in ssh-copy-id -i ~/path/to/key.pub use_your_username@203.0.113.0.
Running ssh-copy-id prompts you for the user’s password on the Droplet:
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.0's password:
After you enter the password, it confirms the addition of the key:
Number of key(s) added: 1
Now try logging in to the machine, with: "ssh 'username@203.0.113.0'"
and check to make sure that only the key(s) you wanted were added.
You can now log in without a password.
Locally by Piping into ssh with Password-Based Access
If you do not have ssh-copy-id on your local computer but you do have password-based SSH access to your Droplet, you can add an SSH key to your Droplet by piping the contents of the key into the ssh command.
The following command makes sure the ~/.ssh directory exists on your Droplet, then pipes the content of the ~/.ssh/id_rsa.pub file on your local computer to the ~/.ssh/authorized_keys file on your Droplet.
Run this command on your local computer, substituting your username and the Droplet’s IP address:
cat ~/.ssh/id_rsa.pub | ssh username@203.0.113.0 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Running this command prompts you for the user’s password on the Droplet:
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
username@203.0.113.0's password:
After you enter the password, it copies your key, and you can log in without a password.
Manually from the Droplet
If you do not have password-based SSH access available, you must add your public key to the remote server manually.
On your local machine, output the contents of your public key.
cat ~/.ssh/id_rsa.pub
Copy the output, which looks similar to this example:
ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== username@203.0.113.0
Next, connect to your Droplet with SSH.
Note
ssh to add your keys.On your Droplet, create the ~/.ssh directory if it does not already exist:
mkdir -p ~/.ssh
The public keys listed in ~/.ssh/authorized_keys are the ones that you can use to log in to the server as this user, so you need to add the public key you copied into this file.
To do so, run the following command on your Droplet, replacing the example key in quotes (ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0) with the key you copied:
echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0" >> ~/.ssh/authorized_keys
Alternatively, you can open the ~/.ssh/authorized_keys file with a terminal-based text editor, like nano, and paste the contents of the key into the file that way.
The ~/.ssh directory and authorized_keys file must have specific restricted permissions (700 for ~/.ssh and 600 for authorized_keys). If they don’t, you cannot log in.
Once the authorized_keys file contains the public key, set the permissions and ownership of the files:
chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh
You can now log out of your Droplet. The next time you log in, you can do so without a password.