We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

How to Transfer Files over DigitalOcean Private Networks (SSH Keys)

UpdatedMarch 30, 2018 242.9k views Networking DigitalOcean Product Documentation

DigitalOcean offers private networking in all datacenter regions at no additional cost. Private networking creates a second network interface, unreachable from the Internet, that can be used to communicate with other Droplets in a team or account within the same datacenter. It's useful when you want transfer data safely between servers or reduce outbound bandwidth usage.

In this article, we'll explain how to transfer files between Droplets that use SSH Keys to authenticate. If you use passwords to log into your Droplets, see How to Transfer Files over a DigitalOcean Private Network with Password Authentication for password-based directions.


To follow along with this tutorial, you will need to create two Droplets in the same datacenter with:

  • Private networking enabled How To Create Your First DigitalOcean Droplet can help you get started. Be sure when you reach the Select additional options section that you check the Private networking box.
  • An SSH Key added We strongly suggest that you use SSH keys. However, if you use password-based authentication between the servers, see the password version of this tutorial instead.

Screenshot of key options selected

Once you have completed these steps, you're ready to begin.

Step 1 — Logging into the Droplets

We'll start by logging into Droplet-01 from a terminal on our local machine:

  • ssh root@IP_of_Droplet-01

If prompted, we'll enter the passphrase for our key, and then we'll be at the command prompt:

Next, we'll open a second terminal on our local machine and log into Droplet-02:

  • ssh root@IP_of_Droplet-02

Again, we'll enter a passphrase if prompted.

Once we've logged into both servers, we're ready to begin.

Step 2 — Creating Keys for the Servers

When we added our SSH key as part of creating the Droplets in the prerequisites, it enabled us to use key-based authentication from our local environment to the two servers. It also disabled PasswordAuthentication:

 . . .
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
 . . .

This protects the servers against password vulnerabilities but also means that to connect directly from one server to the other, we'll need to create and authorize SSH keys.

We'll be connecting from Droplet-01 to Droplet-02, so we'll begin by using ssh-keygen to create an RSA key on Droplet-01.

  • ssh-keygen

In the dialog that followed, we'll press ENTER three times:

  1. First, we'll accept the default location for the key.
  2. Then, because we're likely to use rsync as part of automation, we will not supply a passphrase in order to allow the machines to connect without intervention.
  3. Finally, we'll confirm we want no passphrase
Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub.

Next we'll use cat to display the public key, id_rsa.pub:

  • cat ~/.ssh/id_rsa.pub
ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAABAQD7lpFBPqtQqCWFjDKCNhPLcfAi3musaXFgkzdHJ 3uO+9I/RZT662oSvyGp/yW2aOzduWYiv9ILgHH7vb/m5Y/iRvkBXr382x8ea4TCc3eD1fZ6DFF2 6ybsTTftK4zIaWfCeb8+K4CHCFngBpbSm/YWTTicff3PIli3gr6ZrYu13Csao/Y3KfHiUPjHXif+5wd VYTD9j+WBpmYSX3mh7DS2KLdvMA+cTrQz7tpe06DwPDD5h1FDgtmHJGlsh07ohpUE1eYja WxPYzGCtaDFJkP7DemR6UL/v5MP2yiFXV22ab/q5ud+7wnjnpxO+tE0Vk45MqJg/7KBVErBczd lAwPT root@Droplet-01

We'll copy the public key into our clipboard, then switch to Droplet-02 and paste the public key into its authorized key file.

Adding the public key tells Droplet-02 that if a server has the matching private key, it should be allowed to connect:

  • nano ~/.ssh/authorized_keys

We'll paste in the public key on its own line:

EXAMPLEzaC1yc2EAAAADAQABAAABAQD7lpFBPqtQqCWFjDKCNhPLcfAi3musaXFgkzdHJ3uO+9I/RZT662oSvyGp/yW2aOzduWYiv9ILgHH7vb/m5Y/iRvkBXr382x8ea4TCc3eD1fZ6DFF26ybsTTftK4zIaWfCeb8+K4CHCFngBpbSm/YWTTicff3PIli3gr6ZrYu13Csao/Y3KfHiUPjHXif+5wdVYTD9j+WBpmYSX3mh7DS2KLdvMA+cTrQz7tpe06DwPDD5h1FDgtmHJGlsh07ohpUE1eYjaWxPYzGCtaDFJkP7DemR6UL/v5MP2yiFXV22ab/q5ud+7wnjnpxO+tE0Vk45MqJg/7KBVErBczdlAwPT root@Droplet-01

When we're done, we'll save and exit. Next, we'll test that Droplet-01 is allowed to connect to Droplet-02.

Step 3 — Creating a Test File

Back on Droplet-1, we'll use the echo command to create some content and direct it into a new file called test.txt:

  • echo "Private networking test" > ~/test.txt

In the next step, we'll transfer this file to our second Droplet using [rsync](https://www.digitalocean.com/community/articles/how-to-copy-files-with-rsync-over-ssh).

Step 4 — Transferring the file over the Private Network

When we direct commands like ping or rsync at a public IP address, the traffic automatically routes over the public network. However, if we direct it to an IP address on our private network, the traffic stays on the private network.

We're going to transfer the file from the last step to Droplet-02, so we'll need its private IP address.
We'll go to the Control Panel and click Droplet-02's name. On any of its Droplet-specific pages, both the public and private IP addresses are displayed near the top of the page:

Private IP copy link highlighted

Note: You can also get the private address using the ifconfig command.

Be sure to copy the Private IP of your Droplet and substitute it below.

  • rsync --verbose ~/test.txt Droplet-02-private_ip:/tmp

We'll press ENTER to send the command. Because the key we created in Step 1 didn't use a passphrase, the transfer will begin immediately and since we added --verbose, we should receive output similar to the following:

sent 85 bytes received 41 bytes 22.91 bytes/sec total size is 24 speedup is 0.19

Note: If you set a passphrase on the key, you'll need to enter it before continuing.

When the transfer is complete, we'll switch back to Droplet-02 and verify the transfer.

Step 5 — Verifying the Transfer

On Droplet-02, we'll use cat to check that our test.txt file is present in the /tmp directory:

cat /tmp/test.txt

We should get the text we entered in Step 1.

Private networking test

At this point, we've confirmed that we can move data over the private network.

Next Steps


Creative Commons License