How to generate SSH keys on DigitalOcean

Beginner | 10 min read | Updated 2026-03-13
Quick Answer

Generate an SSH key pair locally using <code>ssh-keygen</code> (OpenSSH on Linux/macOS/WSL) or PuTTYgen (Windows), then copy your public key and add it to your DigitalOcean account via Settings > Security > SSH Keys or directly to an existing Droplet. Connect to your Droplet using <code>ssh root@your_droplet_ip</code> without entering a password.

Prerequisites

  • A DigitalOcean account with an existing or planned Droplet
  • Terminal access on your local computer (built-in on Linux/macOS; WSL or Git Bash on Windows)
  • OpenSSH installed (default on Linux/macOS) or PuTTY downloaded for Windows
  • Basic familiarity with command-line operations
  • Your email address for the SSH key comment

Step-by-Step Instructions

1. Generate SSH Key Pair on Linux, macOS, or Windows Subsystem for Linux

Open your terminal and run the ssh-keygen command to create a new key pair. By default, this generates a 3072-bit RSA key, but you can specify a stronger 4096-bit RSA key or use Ed25519 for better performance. Run:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
The -t rsa flag specifies the key type, -b 4096 sets the key size to 4096 bits for enhanced security, and -C adds a comment (typically your email) to identify the key. When prompted, press Enter to accept the default file location (~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key). This ensures your SSH client can automatically locate your keys during authentication.
For faster key generation and modern security, use <code>ssh-keygen -t ed25519 -C "your_email@example.com"</code> instead, which creates an Ed25519 key pair.

2. Set a Passphrase for Your Private Key

After specifying the file location, ssh-keygen will prompt you to enter an optional passphrase. This passphrase encrypts your private key file on disk, adding an extra layer of security. If you enter a passphrase, you will need to provide it each time you use the private key to authenticate. If you prefer to log in without typing anything, simply press Enter twice to skip the passphrase. For most users, especially those managing multiple Droplets, adding a passphrase is recommended because it keeps the private key unusable to anyone who copies the file from a compromised local computer.
Use a strong, memorable passphrase (12+ characters with mixed case, numbers, and symbols) if you choose to set one.

3. Generate SSH Keys on Windows Using PuTTYgen

If you are using Windows without Bash or WSL, download and install PuTTY and PuTTYgen from the official PuTTY website. Open PuTTYgen and click the Generate button. Move your mouse randomly in the key generation area to create entropy for the key. In the Parameters section, set Type to RSA and Bits to 4096 (or higher for stronger security). Optionally, enter a Key passphrase to encrypt your private key. Once generation completes, copy the text displayed in the "Public key for pasting into OpenSSH authorized_keys file" box—this is your public key. Save your private key by clicking "Save private key" and store the .ppk file in a secure location on your computer.
Keep your .ppk private key file safe and back it up; losing it means you cannot access Droplets authenticated with this key.

4. Display and Copy Your Public Key

On Linux, macOS, or WSL, display your public key contents by running:
cat ~/.ssh/id_rsa.pub
(or ~/.ssh/id_ed25519.pub if you used Ed25519). The output will display your public key, which starts with ssh-rsa or ssh-ed25519 and ends with your email comment. Copy the entire output—you will paste this into DigitalOcean. On Windows with PuTTYgen, you already copied the public key in the previous step from the key generation window. Do not share your private key (id_rsa or id_ed25519 without the .pub extension) with anyone; only the public key should be uploaded to DigitalOcean.
Use <code>pbcopy < ~/.ssh/id_rsa.pub</code> on macOS or <code>cat ~/.ssh/id_rsa.pub | clip</code> on Windows PowerShell to copy directly to your clipboard.

5. Add Your Public Key to Your DigitalOcean Team Account

Log in to the DigitalOcean Control Panel at cloud.digitalocean.com. Click your profile icon in the top right corner and select Settings. In the left sidebar, navigate to Security and click the SSH Keys tab. Click the "Add SSH Key" button. Enter a descriptive name for your key (e.g., "My Laptop Key" or "Work MacBook") in the Name field. Paste your public key into the SSH public key field. Click "Add SSH Key" to save it. Your key is now available team-wide and can be automatically embedded in new Droplets during creation. This approach is recommended because it allows you to add the key to multiple Droplets without manual configuration.
Use clear, descriptive names for your SSH keys so you can easily identify which key belongs to which device or purpose.

6. Create a New Droplet with Your SSH Key

In the DigitalOcean Control Panel, click Create and select Droplets. Choose your preferred region, operating system image (e.g., Ubuntu 22.04 LTS), and Droplet size. Scroll down to the Authentication section and select the SSH Keys tab. Check the box next to the SSH key you added in the previous step. If you have not yet added a key to your team account, you can click "New SSH Key" to add one during Droplet creation. Complete the remaining setup options (add tags, select a VPC if needed, enable backups if desired) and click Create Droplet. DigitalOcean will provision your Droplet and automatically configure SSH key authentication. Once creation is complete, note the Droplet's IPv4 address from the Droplet details page.
Enable backups during Droplet creation for automatic daily snapshots, which can be helpful for disaster recovery.

7. Add Your Public Key to an Existing Droplet

If you have an existing Droplet without your SSH key configured, you can add it manually. First, ensure the ~/.ssh directory exists on your Droplet by connecting via the Recovery Console (available in the DigitalOcean Control Panel under your Droplet's settings). Once you have access, create the directory if needed. Then, append your public key to the ~/.ssh/authorized_keys file on the Droplet. You can do this by piping your public key directly into the file using SSH or by manually editing the file through the Recovery Console. After adding your key, verify that the ~/.ssh directory has permissions 700 and authorized_keys has permissions 600 for security.
If you cannot connect to your Droplet, use the Recovery Console to reset your root password and regain access before adding your SSH key.
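
One way to do the append described in this step, written as an added example rather than a script from DigitalOcean or the original guide: a shell function, run on the Droplet, that installs one public key with the 700/600 permissions and never adds the same key twice. The function name and its two arguments (public key file, home directory of the login user) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey and its two
# arguments (public key file, home directory of the login user) are illustrative.
install_pubkey() {
    pub_file=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # A public key is one line; read only the first.
    key_line=
    IFS= read -r key_line < "$pub_file" || [ -n "$key_line" ] || return 2

    # Accept only public key lines, which also rejects a private key file
    # passed by mistake (it starts with "-----BEGIN ...").
    case $key_line in
        ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-nistp*\ ?*) ;;
        *) echo "not an OpenSSH public key: $pub_file" >&2; return 1 ;;
    esac

    # Permissions from step 7: 700 on ~/.ssh, 600 on authorized_keys.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 3
    touch "$auth" && chmod 600 "$auth" || return 3

    # Match on "type base64" so the same key with another comment, or with
    # options in front of it, is not appended a second time.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if grep -qF -- "$key_id" "$auth"; then
        return 0
    fi

    # If the file lacks a final newline, add one so keys do not run together.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key_line" >> "$auth"
}

if [ "$#" -eq 2 ]; then install_pubkey "$1" "$2"; fi
```

Where password login to the Droplet still works, running <code>ssh-copy-id -i ~/.ssh/id_ed25519.pub root@your_droplet_ip</code> from your local machine performs the same append over SSH.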

8. Connect to Your Droplet Using SSH

Open your terminal (or PuTTY on Windows) and connect to your Droplet using the SSH command:
ssh root@your_droplet_ip
Replace your_droplet_ip with your Droplet's actual IPv4 address (e.g., ssh root@192.0.2.1). If you set a passphrase on your private key, you will be prompted to enter it. If you did not set a passphrase, you will be logged in immediately without any password prompt. On Windows with PuTTY, open PuTTY, enter your Droplet's IP address in the Host Name field, navigate to Connection > SSH > Auth in the left sidebar, and select your .ppk private key file before clicking Open.
Create an SSH config file at <code>~/.ssh/config</code> to save connection details and simplify future logins (e.g., <code>ssh myDroplet</code> instead of typing the full IP address).

9. Verify SSH Key Authentication and Disable Password Login

Once connected to your Droplet, verify that SSH key authentication is working correctly. You can test by disconnecting and reconnecting to confirm you are not prompted for a password. For enhanced security, disable password-based SSH authentication on your Droplet so that only SSH keys can be used. Edit the SSH daemon configuration file at /etc/ssh/sshd_config using a text editor like nano:
sudo nano /etc/ssh/sshd_config
Find the line PasswordAuthentication yes and change it to PasswordAuthentication no. Save the file (Ctrl+O, Enter, Ctrl+X in nano) and restart the SSH service:
sudo systemctl restart ssh
This ensures that only users with valid SSH keys can access your Droplet, significantly improving security.
Before disabling password authentication, ensure your SSH key is working and you have a backup access method (like the Recovery Console) in case you get locked out.
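
Changing the line in /etc/ssh/sshd_config is not always enough: sshd keeps the first value it reads for a keyword, and the Ubuntu default file starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there can still say yes. The following check is an added example, not part of the original guide; its function names and the SSHD_DIR variable are assumptions, and it reads only whitespace-separated global settings (Match blocks are skipped).

```shell
#!/bin/sh
# Added example (not from the original page). Assumes whitespace-separated
# "Keyword value" lines; SSHD_DIR is a hypothetical override for relative Includes.

# Print "value<TAB>file" for the first global PasswordAuthentication reachable
# from FILE, reading Include targets at the point where they appear.
first_password_auth() (
    file=$1
    [ -r "$file" ] || exit 1
    while read -r kw arg rest || [ -n "$kw" ]; do
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
        case $kw in
            ''|'#'*) continue ;;
            match) break ;;   # Match blocks are conditional; only globals are checked
            include)
                set -f; set -- $arg $rest; set +f   # split patterns, no globbing yet
                for pat in "$@"; do
                    # sshd resolves relative Include paths against /etc/ssh
                    case $pat in /*) ;; *) pat=${SSHD_DIR:-/etc/ssh}/$pat ;; esac
                    for inc in $pat; do             # unquoted: expand the glob, sorted
                        first_password_auth "$inc" && exit 0
                    done
                done ;;
            passwordauthentication)
                printf '%s\t%s\n' "$(printf '%s' "$arg" | tr '[:upper:]' '[:lower:]')" "$file"
                exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# sshd keeps the first value it reads; with none set, the default is "yes".
effective_password_auth() {
    first_password_auth "$1" || printf 'yes\t(built-in default)\n'
}

if [ "$#" -ge 1 ]; then effective_password_auth "$1"; fi
```

The authoritative answer on the Droplet comes from <code>sudo sshd -T | grep -i passwordauthentication</code>, and <code>sudo sshd -t</code> checks the file for errors before you restart the service.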

Common Issues & Troubleshooting

Permission denied (publickey) when connecting to Droplet

Verify that your public key is correctly added to the <code>~/.ssh/authorized_keys</code> file on the Droplet. Check file permissions: <code>~/.ssh</code> should have 700 permissions and <code>authorized_keys</code> should have 600. Use the Recovery Console to access your Droplet and manually verify the key content. Ensure you are using the correct username (usually root for new Droplets) and the correct private key file.

SSH key not found or ssh-keygen command not recognized

On Windows, ensure OpenSSH is installed via Windows Subsystem for Linux (WSL), Git Bash, or PowerShell. Alternatively, use PuTTY and PuTTYgen instead. On Linux/macOS, OpenSSH is typically pre-installed; if not, install it using your package manager (e.g., <code>sudo apt install openssh-client</code> on Ubuntu).

Cannot connect to Droplet after adding SSH key

Verify the Droplet's IPv4 address is correct and the Droplet is running. Check your firewall settings to ensure SSH traffic (port 22) is not blocked. If you recently created the Droplet, wait a few moments for it to fully initialize. Use the Recovery Console in the DigitalOcean Control Panel to access your Droplet directly and troubleshoot SSH configuration issues.

Passphrase prompt appears every time you connect

This is normal if you set a passphrase on your private key. To avoid entering the passphrase repeatedly, use an SSH agent to cache your key. On Linux/macOS, run <code>ssh-add ~/.ssh/id_rsa</code> to add your key to the agent. On Windows with PuTTY, use Pageant (PuTTY Authentication Agent) to manage your keys. Alternatively, regenerate your key without a passphrase if security is less critical.

Multiple SSH keys and unsure which one to use

List all keys in your <code>~/.ssh</code> directory using <code>ls -la ~/.ssh</code>. Check the fingerprint of the key installed on your Droplet and compare it with your local keys; <code>ssh-keygen -l -f ~/.ssh/id_rsa.pub</code> prints the fingerprint of a public key file. Create an SSH config file at <code>~/.ssh/config</code> to specify which key to use for each Droplet or host, making key management easier for multiple Droplets.
