What is the best way to pass private key to droplet on creation?

February 21, 2018 704 views
Configuration Management Ubuntu

Let's say my droplet needs a private SSH key to access other services (like pulling things from a git repo). Can I pass private keys in "Add your SSH keys" for droplets? I think I can add it in user-data/cloud-init, but I don't understand the full implications of this (maybe they'll show up in logs, etc.). Are there better alternatives?

1 Answer
asb MOD February 21, 2018
Accepted Answer

The "Add your SSH keys" box is only for adding a public key to the Droplet for SSH access.

You can add a private key via cloud-init, though that does have some drawbacks, like potentially being logged. The user-data is also served via the DigitalOcean metadata service, so any user on that specific Droplet could retrieve the key by running: curl http://169.254.169.254/metadata/v1/user-data

Here's an example:

#cloud-config
ssh_keys:
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    K95I4FVq5Y6lbHGxjN8v7owd2CwjIoHbmgzciJUshtLQXGXiPOLo2v1PI14IfIQf
    GUrHNw6DHIsjYMdSdfwh7LPF5yJP2xEflWljy/D4WC2CZ/XbvnBw3/T731PLbnXM
    al1O7zeNRmTUlnZjdlgQKt6bl1NbXhhNDXjETR6D03tHTwDmWhSIHBoDM1kzIyq2
    2ZqIxQECgYEA7yiKedA2ZI4iThqGH8ozvoxyTHPqpFHg5kCFEHUE9XlBnkGMMoq4
    Aq7yY8tDAem0n/lRK/sQEIVUV4c/4CDnR2ZLZtfVq4lDKTHmYJxJAYM0qTkFy/oQ
    dQv6n34PQp///g8b8k81uguA7IsaLNhADQn+/ByDyA2xGFJH9yTfJCiMJ579tldp
    FnGYFGwk5HZ9ksNPqoqb3H93SVzH0gjZqvqGqNaNAZupjHx8UNW4PX1io0agtaWW
    47Iw92J29glG5frLTGaQyzJpQwiKyxTAMgNF8ioWe3GRZrdXvhQNPDkqZqVwiSmX
    JBEH2jrDRE+rurtNQLd7GGESO2/GFRDUDcPAz0W1D9+M38VU8c4=
    -----END RSA PRIVATE KEY-----

Alternatively, you could generate it on first boot with:

#cloud-config
runcmd:
  - ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
  • Thanks for the detailed answer! Actually, generating a key on the first boot and sending the public key via some sort of notification looks like a generic and secure option. Cool!
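As an added example (not code from the original answer or from DigitalOcean), the following shell script covers both halves of the answer above: a check that tells you whether a copy of user-data carries private key material, which is exactly what the metadata-service curl would hand to any local user, and the first-boot alternative, generating a fresh key on the Droplet under umask 077 so that only root can read it and the private half never passes through user-data. The sample user-data is constructed here with a placeholder key body, ed25519 is my choice in place of the rsa in the runcmd above, and the step that forwards the public key to the services that must trust it is left as a hypothetical you would fill in.

```shell
#!/bin/sh
# Added example, not part of the original answer.
set -eu

# True (exit 0) when the user-data read from stdin carries private key
# material: a PEM "-----BEGIN ... PRIVATE KEY-----" block, or a cloud-config
# ssh_keys entry such as "rsa_private: |". Anything this finds is readable by
# every local user through http://169.254.169.254/metadata/v1/user-data.
userdata_has_private_key() {
    grep -Eq -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
             -e '^[[:space:]]*[a-z0-9]+_private:[[:space:]]*'
}

# First-boot alternative to embedding the key: generate it on the host, so
# the private half never appears in user-data, cloud-init logs or the
# metadata service. Directory and key are created under umask 077
# (0700 dir, 0600 key). Prints the public key, which is what a hypothetical
# out-of-band notification step (not shown here) would forward to the
# services that need to authorise this Droplet.
generate_first_boot_key() {
    keydir=$1
    (
        umask 077
        mkdir -p "$keydir"
        ssh-keygen -q -t ed25519 -N '' -C "droplet-$(uname -n)" -f "$keydir/id_ed25519"
    )
    cat "$keydir/id_ed25519.pub"
}

# Constructed sample in the shape of the first cloud-config above; the key
# body is a placeholder, not real key material.
sample_userdata='#cloud-config
ssh_keys:
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    PLACEHOLDERKEYBODY
    -----END RSA PRIVATE KEY-----'

if printf '%s\n' "$sample_userdata" | userdata_has_private_key; then
    echo "user-data embeds a private key: any local user on the Droplet can read it"
fi

# On a real Droplet the same check runs against the metadata service:
#   curl -s http://169.254.169.254/metadata/v1/user-data | userdata_has_private_key

if command -v ssh-keygen >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    generate_first_boot_key "$tmp/.ssh"
    rm -rf "$tmp"
fi
```

Run generate_first_boot_key from a runcmd entry (for example against /root/.ssh) instead of shipping the key in ssh_keys, and pipe the curl output shown in the comment into userdata_has_private_key to audit what every local user can already see. As in the runcmd above, the key has no passphrase, so the 0600 permission is the only thing protecting it on disk.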
