How to Upload an SSH Public Key to an Existing Droplet

There are several ways to add your public key to a Droplet. If you currently have SSH access to the Droplet, you can upload keys:

  • From your local computer using ssh-copy-id, which is included in many Linux distributions’ OpenSSH packages.

  • From your local computer by piping the contents of the key into the ~/.ssh/authorized_keys file. This is a good choice if you don’t have ssh-copy-id.

  • By SSHing to your Droplet and adding the public key manually, which is necessary if you do not have password-based SSH access.

If you currently can’t connect to your Droplet at all, use the Droplet console to reset the root user password.

Locally Using ssh-copy-id and Password-Based Access

If you have password-based access to your Droplet, you can copy your SSH key using ssh-copy-id. Substitute the IP address of your Droplet.

ssh-copy-id username@203.0.113.0

This will prompt you for the user account’s password on the remote system:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.0's password:

After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys file:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@203.0.113.0'"
and check to make sure that only the key(s) you wanted were added.

After entering the password, it will copy your key, and you can log in without a password.

Locally by Piping into ssh with Password-Based Access

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can pipe the contents of the key into the ssh command.

On the remote side, make sure the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file. Substitute the IP address for your Droplet.

cat ~/.ssh/id_rsa.pub | ssh username@203.0.113.0 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

You will be asked to supply the password for the remote account:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
username@203.0.113.0's password:

After entering the password, it will copy your key, and you can log in without a password.

Manually from the Droplet without Password-Based Access

If you do not have password-based SSH access available, you will have to add your public key to the remote server manually.

These instructions assume you’re connecting to your Droplet with a terminal and SSH without password access. If you can’t connect using those methods, you can use the Droplet console to recover access by resetting your Droplet’s root password, and then use ssh to add your keys.

On your local machine, output the contents of your public key.

cat ~/.ssh/id_rsa.pub

Copy the output.

ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== username@203.0.113.0

Log into your Droplet using your local terminal and create the ~/.ssh directory if it does not already exist:

mkdir -p ~/.ssh

You’ll need to add your SSH key to an authorized_keys file in this directory. The public keys listed in that file are the ones that can be used to log into the server as this user.

Create and open the ~/.ssh/authorized_keys file for editing using a terminal-based text editor, like nano.

nano ~/.ssh/authorized_keys

Paste the contents of your SSH key into the file by right-clicking in your terminal and choosing Paste or by using a keyboard shortcut like CTRL+SHIFT+V. Then, save and close the file. In nano, save by pressing CTRL+O and then ENTER, and exit by pressing CTRL+X.

Alternatively, instead of opening the file in an editor and pasting your key, you can create the authorized_keys file with your public key added with a single command. If you use this, make sure to substitute the contents of your public key into the echo command.

echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0" >> ~/.ssh/authorized_keys

Once the authorized_keys file contains the public key, you need to update permissions on some of the files. The ~/.ssh directory and authorized_keys file must have specific restricted permissions (700 for ~/.ssh and 600 for authorized_keys). If they don’t, you won’t be able to log in.

Make sure the permissions and ownership of the files are correct.

chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh

You can now log out of your Droplet. The next time you log in, you can do so without a password.