How to Add SSH Keys to VPS

While it is possible to manage your servers using password-based logins, it is often a better idea to set up and use SSH key pairs. SSH keys are more secure than passwords, and can help you log in without having to remember long passwords.

To use SSH keys with your virtual private servers, you need to create an SSH key using an SSH client installed on your local computer. OpenSSH is included on Linux, macOS, and Windows Subsystem for Linux. Windows users without Bash can PuTTY.

How to Create SSH Keys with OpenSSH on Linux or macOS

The standard OpenSSH suite of tools contains the ssh-keygen utility, which is used to generate key pairs. Run it on your local computer to generate a 2048-bit RSA key pair, which is fine for most uses.

ssh-keygen

The utility will prompt you to select a location for the keys. By default, the keys are stored in the ~/.ssh directory with the filenames id_rsa for the private key and id_rsa.pub for the public key. Using the default locations will allow your SSH client to automatically find your SSH keys when authenticating, so we recommend accepting them by pressing ENTER.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):

If you have previously generated a key pair, you may see a prompt that looks like this:

/home/username/.ssh/id_rsa already exists.
Overwrite (y/n)?

If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Selecting yes is an irreversible destructive process.

Once you select a location for the key, you’ll be prompted to enter an optional passphrase which encrypts the private key file on disk.

If you enter one, you will have to provide it every time you use this key (unless you are running SSH agent software that stores the decrypted key). We recommend using a passphrase, but you can press ENTER to bypass this prompt.

Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This is the last step in the creation process. You now have a public and private key that you can use to authenticate.

Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:EX:AM:PL:E3:3e:a9:de:4e:77:11:58:b6:90:26 username@203.0.113.0
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+

How to Create SSH Keys with PuTTY on Windows

To create and use SSH keys on Windows, you need to download and install both PuTTY, the utility used to connect to remote servers through SSH, and PuTTYgen, a utility used to create SSH keys.

On the PuTTY website, download the .msi file in the Package files section at the top of the page, under MSI (‘Windows Installer’). Next, install it on your local computer by double clicking it and using the installation wizard.

After the programs are installed, start the PuTTYgen program through your Start Menu or by tapping the Windows key and typing puttygen. The key generation program looks similar to this:

PuTTYgen initial screen

You can customize the Parameters at the bottom if you like, but the default values are appropriate in most situations. When you’re ready, click the Generate button on the right-hand side.

You might be prompted to “generate some randomness by moving the mouse over the blank area”. This randomness, known as entropy, is used to create keys in a secure fashion so that other people can’t reproduce them.

PuTTY generate entropy

When the key is generated, you’ll see the public key displayed in a text box. Copy this into your clipboard now if you plan to add it to your servers. Be sure to scroll within the text area so you copy the entire key.

PuTTY new key

Click the Save private key button and select a secure location to keep it. You can name your key whatever you’d like, and the extension .ppk will be automatically added.

Working with PuTTY’s Public Key Format

You can click Save public key as well, but take note: The format PuTTYGen uses when it saves the public key is incompatible with the OpenSSH authorized_keys files used for SSH key authentication on Linux servers.

If you need to see the public key in the right format after the private key has been saved:

  1. Click the Load button.

  2. Navigate to the private key and open it.

The public key will be redisplayed again.

Click the Save private key button and select a secure location to keep it. You can name your key whatever you’d like, and the extension .ppk will be automatically added.

Working with PuTTY’s Public Key Format

You can click Save public key as well, but take note: The format PuTTYGen uses when it saves the public key is incompatible with the OpenSSH authorized_keys files used for SSH key authentication on Linux servers.

If you need to see the public key in the right format after the private key has been saved, either:

  • Click the Load button

  • Navigate to the private key and open it.

The public key will be redisplayed again.

Now that you have your generated key pair saved on your computer and ready to use.

How to Add SSH Keys to Your Virtual Private Server

There are several ways to add your public key to a server:

  • Using ssh-copy-id, which is included in many Linux distributions’ OpenSSH packages. This is a good choice when you have password-based SSH access.

  • By copying the contents of the key and piping the contents into the ~/.ssh/authorized_keys file. This is a good choice when you have password-based SSH access but don’t have ssh-copy-id.

  • By adding the public key manually, which is necessary if you do not have password-based SSH access.

With ssh-copy-id and Password-Based Access

You can copy your SSH key using ssh-copy-id, substituting in the IP address of your VPS.

ssh-copy-id username@203.0.113.0

This will prompt you for the user account’s password on the remote system:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.0's password:

After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys file:

Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@203.0.113.0'"
and check to make sure that only the key(s) you wanted were added.

After entering the password, it will copy your key, and you can log in without a password.

With ssh and Password-Based Access

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can pipe the contents of the key into the ssh command.

On the remote side, make sure the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file. Substitute the IP address for your VPS.

cat ~/.ssh/id_rsa.pub | ssh username@203.0.113.0 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

You will be asked to supply the password for the remote account:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
username@203.0.113.0's password:

After entering the password, it will copy your key, and you can log in without a password.

Without Password-Based Access

If you do not have password-based SSH access available, you will have to add your public key to the remote server manually.

On your local machine, output the contents of your public key.

cat ~/.ssh/id_rsa.pub

Copy the output.

ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== username@203.0.113.0

Log into your VPS and create the ~/.ssh directory if it does not already exist:

mkdir -p ~/.ssh

Add the key to the ~/.ssh/authorized_keys. Make sure to substitute the contents of your public key.

echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0" >> ~/.ssh/authorized_keys

The ~/.ssh directory and authorized_keys file must have specific restricted permissions (700 for ~/.ssh and 600 for authorized_keys). If they don’t, you won’t be able to log in.

Make sure the permissions and ownership of the files are correct.

chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh

You can now log in without a password.