Question

What is the best way to pass private key to droplet on creation?

Posted February 21, 2018 1.6k views
Ubuntu Configuration Management

Let’s say my droplet needs private SSH key to access other services (like pull things from a git repo). Can I pass private keys in “Add your SSH keys” for droplets? I think I can add it in user-data/cloud-init, but don’t understand full implications of this (maybe they’ll show up in logs, etc). Are there better alternatives?

Add a comment
sbatishchev
By:
sbatishchev
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

1 answer
asb February 21, 2018

The “Add your SSH keys” box is only for adding a public key to the Droplet for SSH access.

You can add a private key via cloud-init, though that does have some drawbacks like potentially being logged. The user-data is also served via the DigitalOcean metadata service. So any user on that specific Droplet could retrieve the key by running curl http://169.254.169.254/metadata/v1/user-data

Here’s an example:

#cloud-config
ssh_keys:
  rsa_private: |
    -----BEGIN RSA PRIVATE KEY-----
    K95I4FVq5Y6lbHGxjN8v7owd2CwjIoHbmgzciJUshtLQXGXiPOLo2v1PI14IfIQf
    GUrHNw6DHIsjYMdSdfwh7LPF5yJP2xEflWljy/D4WC2CZ/XbvnBw3/T731PLbnXM
    al1O7zeNRmTUlnZjdlgQKt6bl1NbXhhNDXjETR6D03tHTwDmWhSIHBoDM1kzIyq2
    2ZqIxQECgYEA7yiKedA2ZI4iThqGH8ozvoxyTHPqpFHg5kCFEHUE9XlBnkGMMoq4
    Aq7yY8tDAem0n/lRK/sQEIVUV4c/4CDnR2ZLZtfVq4lDKTHmYJxJAYM0qTkFy/oQ
    dQv6n34PQp///g8b8k81uguA7IsaLNhADQn+/ByDyA2xGFJH9yTfJCiMJ579tldp
    FnGYFGwk5HZ9ksNPqoqb3H93SVzH0gjZqvqGqNaNAZupjHx8UNW4PX1io0agtaWW
    47Iw92J29glG5frLTGaQyzJpQwiKyxTAMgNF8ioWe3GRZrdXvhQNPDkqZqVwiSmX
    JBEH2jrDRE+rurtNQLd7GGESO2/GFRDUDcPAz0W1D9+M38VU8c4=
    -----END RSA PRIVATE KEY-----

Alternatively, you could generate it on first boot with:

#cloud-config
runcmd:
 - ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
Reply Report
  • sbatishchev February 22, 2018

    Thanks for the detaled answer! Actually, generating key on the first boot and sending public key via some sort of notification looks like generic and secure option. Cool!

    Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help