How to Transfer Files over DigitalOcean Private Networks (SSH Keys)
DigitalOcean offers private networking in all datacenter regions at no additional cost. Private networking creates a second network interface, unreachable from the Internet, that can be used to communicate with other Droplets in a team or account within the same datacenter. It's useful when you want to transfer data safely between servers or reduce outbound bandwidth usage.
In this article, we'll explain how to transfer files between Droplets that use SSH Keys to authenticate. If you use passwords to log into your Droplets, see How to Transfer Files over a DigitalOcean Private Network with Password Authentication for password-based directions.
To follow along with this tutorial, you will need to create two Droplets in the same datacenter with:
- Private networking enabled: How To Create Your First DigitalOcean Droplet can help you get started. Be sure to check the Private networking box when you reach the Select additional options section.
- An SSH Key added: We strongly suggest that you use SSH keys. However, if you use password-based authentication between the servers, see the password version of this tutorial instead.
Once you have completed these steps, you're ready to begin.
Step 1 — Logging into the Droplets
We'll start by logging into Droplet-01 from a terminal on our local machine:
- ssh root@IP_of_Droplet-01
If prompted, we'll enter the passphrase for our key, and then we'll be at the command prompt:
Next, we'll open a second terminal on our local machine and log into Droplet-02:
- ssh root@IP_of_Droplet-02
Again, we'll enter a passphrase if prompted.
Once we've logged into both servers, we're ready to begin.
Step 2 — Creating Keys for the Servers
When we added our SSH key as part of creating the Droplets in the prerequisites, it enabled us to use key-based authentication from our local environment to the two servers. It also disabled PasswordAuthentication:
    . . .
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    . . .
This protects the servers against password vulnerabilities but also means that to connect directly from one server to the other, we'll need to create and authorize SSH keys.
We'll be connecting from Droplet-01 to Droplet-02, so we'll begin by using ssh-keygen to create an RSA key on Droplet-01.
In the dialog that follows, we'll press ENTER three times:
- First, we'll accept the default location for the key.
- Then, because we're likely to use rsync as part of automation, we will not supply a passphrase, so that the machines can connect without intervention.
- Finally, we'll confirm we want no passphrase.
Output
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
Next, we'll use cat to display the public key:
- cat ~/.ssh/id_rsa.pub
Output
    ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAABAQD7lpFBPqtQqCWFjDKCNhPLcfAi3musaXFgkzdHJ 3uO+9I/RZT662oSvyGp/yW2aOzduWYiv9ILgHH7vb/m5Y/iRvkBXr382x8ea4TCc3eD1fZ6DFF2 6ybsTTftK4zIaWfCeb8+K4CHCFngBpbSm/YWTTicff3PIli3gr6ZrYu13Csao/Y3KfHiUPjHXif+5wd VYTD9j+WBpmYSX3mh7DS2KLdvMA+cTrQz7tpe06DwPDD5h1FDgtmHJGlsh07ohpUE1eYja WxPYzGCtaDFJkP7DemR6UL/v5MP2yiFXV22ab/q5ud+7wnjnpxO+tE0Vk45MqJg/7KBVErBczd lAwPT root@Droplet-01
We'll copy the public key into our clipboard, then switch to Droplet-02 and paste the public key into its authorized key file.
Adding the public key tells Droplet-02 that if a server has the matching private key, it should be allowed to connect:
- nano ~/.ssh/authorized_keys
We'll paste in the public key on its own line:
When we're done, we'll save and exit. Next, we'll test that Droplet-01 is allowed to connect to Droplet-02.
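Because the key created in this step has no passphrase, possession of /root/.ssh/id_rsa on Droplet-01 is enough to log in to Droplet-02 as root. The following added example (not part of the original tutorial) builds an authorized_keys entry that accepts the key only from a private source address and applies OpenSSH's restrict option (OpenSSH 7.2 or later), then installs it without duplicating lines. The function names, the address 10.132.0.2 and the sample key are constructed for illustration, and the example assumes Droplet-01 reaches Droplet-02 from its own private IP.

```sh
# Added example (not from the tutorial): restrict the passphrase-less key.

# Succeeds only for RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
is_private_ip() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168) return 0 ;;
        172.*) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Prints: from="<ip>",restrict <keytype> <base64> [comment]
# "restrict" turns off forwarding and PTY allocation; rsync needs neither.
restricted_entry() {
    src_ip=$1 pubkey=$2
    is_private_ip "$src_ip" || { echo "not a private address: $src_ip" >&2; return 1; }
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    printf 'from="%s",restrict %s\n' "$src_ip" "$pubkey"
}

# Appends the entry once, with the permissions sshd's StrictModes expects.
install_entry() {
    auth_file=$1 entry=$2
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    grep -qxF -- "$entry" "$auth_file" || printf '%s\n' "$entry" >> "$auth_file"
}

# Constructed sample values; substitute Droplet-01's private IP and real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EXAMPLE root@Droplet-01'
restricted_entry 10.132.0.2 "$SAMPLE_KEY"
```

On Droplet-02, passing the output of restricted_entry to install_entry with ~/.ssh/authorized_keys as the target takes the place of pasting the key with nano.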
Step 3 — Creating a Test File
Back on Droplet-01, we'll use the echo command to create some content and direct it into a new file called test.txt:
- echo "Private networking test" > ~/test.txt
In the next step, we'll transfer this file to our second Droplet using rsync.
Step 4 — Transferring the file over the Private Network
When we direct commands like rsync at a public IP address, the traffic automatically routes over the public network. However, if we direct it to an IP address on our private network, the traffic stays on the private network.
We're going to transfer the file from the last step to Droplet-02, so we'll need its private IP address.
We'll go to the Control Panel and click Droplet-02's name. On any of its Droplet-specific pages, both the public and private IP addresses are displayed near the top of the page:
Note: You can also get the private address using the
Be sure to copy the Private IP of your Droplet and substitute it below.
- rsync --verbose ~/test.txt Droplet-02-private_ip:/tmp
We'll press ENTER to send the command. Because the key we created in Step 1 didn't use a passphrase, the transfer will begin immediately, and since we added --verbose, we should receive output similar to the following:
Output
    sent 85 bytes  received 41 bytes  22.91 bytes/sec
    total size is 24  speedup is 0.19
Note: If you set a passphrase on the key, you'll need to enter it before continuing.
When the transfer is complete, we'll switch back to Droplet-02 and verify the transfer.
Step 5 — Verifying the Transfer
On Droplet-02, we'll use cat to check that our test.txt file is present in the /tmp directory.
We should get the text we entered in Step 1.
Output
    Private networking test
At this point, we've confirmed that we can move data over the private network.
- We recommend that you secure your new servers by following the initial server setup guide for your Droplets.
- Learn more about using SSH keys
- For help troubleshooting SSH issues, see the five-article series, How To Troubleshoot SSH.
- You may also wish to configure a DigitalOcean Cloud Firewall to restrict which servers and ports are allowed to connect.