Let's say my droplet needs private SSH key to access other services (like pull things from a git repo). Can I pass private keys in "Add your SSH keys" for droplets? I think I can add it in user-data/cloud-init, but don't understand full implications of this (maybe they'll show up in logs, etc). Are there better alternatives?
The "Add your SSH keys" box is only for adding a public key to the Droplet for SSH access.
You can add a private key via cloud-init, though that does have some drawbacks like potentially being logged. The user-data is also served via the DigitalOcean metadata service. So any user on that specific Droplet could retrieve the key by running curl http://169.254.169.254/metadata/v1/user-data
Here's an example:
#cloud-config
ssh_keys:
rsa_private: |
-----BEGIN RSA PRIVATE KEY-----
K95I4FVq5Y6lbHGxjN8v7owd2CwjIoHbmgzciJUshtLQXGXiPOLo2v1PI14IfIQf
GUrHNw6DHIsjYMdSdfwh7LPF5yJP2xEflWljy/D4WC2CZ/XbvnBw3/T731PLbnXM
al1O7zeNRmTUlnZjdlgQKt6bl1NbXhhNDXjETR6D03tHTwDmWhSIHBoDM1kzIyq2
2ZqIxQECgYEA7yiKedA2ZI4iThqGH8ozvoxyTHPqpFHg5kCFEHUE9XlBnkGMMoq4
Aq7yY8tDAem0n/lRK/sQEIVUV4c/4CDnR2ZLZtfVq4lDKTHmYJxJAYM0qTkFy/oQ
dQv6n34PQp///g8b8k81uguA7IsaLNhADQn+/ByDyA2xGFJH9yTfJCiMJ579tldp
FnGYFGwk5HZ9ksNPqoqb3H93SVzH0gjZqvqGqNaNAZupjHx8UNW4PX1io0agtaWW
47Iw92J29glG5frLTGaQyzJpQwiKyxTAMgNF8ioWe3GRZrdXvhQNPDkqZqVwiSmX
JBEH2jrDRE+rurtNQLd7GGESO2/GFRDUDcPAz0W1D9+M38VU8c4=
-----END RSA PRIVATE KEY-----
Alternatively, you could generate it on first boot with:
#cloud-config
runcmd:
- ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
Thanks for the detaled answer! Actually, generating key on the first boot and sending public key via some sort of notification looks like generic and secure option. Cool!