Question
What is the best way to pass private key to droplet on creation?
- Posted February 21, 2018
- Configuration ManagementUbuntu
Let’s say my droplet needs private SSH key to access other services (like pull things from a git repo). Can I pass private keys in “Add your SSH keys” for droplets? I think I can add it in user-data/cloud-init, but don’t understand full implications of this (maybe they’ll show up in logs, etc). Are there better alternatives?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
The “Add your SSH keys” box is only for adding a public key to the Droplet for SSH access.
You can add a private key via cloud-init, though that does have some drawbacks like potentially being logged. The user-data is also served via the DigitalOcean metadata service. So any user on that specific Droplet could retrieve the key by running curl http://169.254.169.254/metadata/v1/user-data
Here’s an example:
#cloud-config
ssh_keys:
rsa_private: |
-----BEGIN RSA PRIVATE KEY-----
K95I4FVq5Y6lbHGxjN8v7owd2CwjIoHbmgzciJUshtLQXGXiPOLo2v1PI14IfIQf
GUrHNw6DHIsjYMdSdfwh7LPF5yJP2xEflWljy/D4WC2CZ/XbvnBw3/T731PLbnXM
al1O7zeNRmTUlnZjdlgQKt6bl1NbXhhNDXjETR6D03tHTwDmWhSIHBoDM1kzIyq2
2ZqIxQECgYEA7yiKedA2ZI4iThqGH8ozvoxyTHPqpFHg5kCFEHUE9XlBnkGMMoq4
Aq7yY8tDAem0n/lRK/sQEIVUV4c/4CDnR2ZLZtfVq4lDKTHmYJxJAYM0qTkFy/oQ
dQv6n34PQp///g8b8k81uguA7IsaLNhADQn+/ByDyA2xGFJH9yTfJCiMJ579tldp
FnGYFGwk5HZ9ksNPqoqb3H93SVzH0gjZqvqGqNaNAZupjHx8UNW4PX1io0agtaWW
47Iw92J29glG5frLTGaQyzJpQwiKyxTAMgNF8ioWe3GRZrdXvhQNPDkqZqVwiSmX
JBEH2jrDRE+rurtNQLd7GGESO2/GFRDUDcPAz0W1D9+M38VU8c4=
-----END RSA PRIVATE KEY-----
Alternatively, you could generate it on first boot with:
#cloud-config
runcmd:
- ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
