How to Upload an SSH Public Key to an Existing Droplet

There are several ways to add your public key to a server:

  • Using ssh-copy-id, which is included in many Linux distributions’ OpenSSH packages. This is a good choice when you have password-based SSH access.
  • By copying the contents of the key and piping the contents into the ~/.ssh/authorized_keys file. This is a good choice when you have password-based SSH access but don’t have ssh-copy-id.
  • By adding the public key manually, which is necessary if you do not have password-based SSH access.

With ssh-copy-id and Password-Based Access

You can copy your SSH key using ssh-copy-id, substituting in the IP address of your Droplet.

ssh-copy-id username@203.0.113.0

On a first connection, ssh asks you to confirm the host key fingerprint. You are then prompted for the user account’s password on the remote system:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.0's password:

After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys file:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@203.0.113.0'"
and check to make sure that only the key(s) you wanted were added.

After you enter the password, ssh-copy-id copies your key, and you can then log in without a password.

With ssh and Password-Based Access

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can pipe the contents of the key into the ssh command.

On the remote side, make sure the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file. Substitute the IP address for your Droplet.

cat ~/.ssh/id_rsa.pub | ssh username@203.0.113.0 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

You will be asked to supply the password for the remote account:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
username@203.0.113.0's password:

After you enter the password, the command appends your key to the remote authorized_keys file, and you can then log in without a password.

Without Password-Based Access

If you do not have password-based SSH access available, you will have to add your public key to the remote server manually.

These instructions assume you can connect to your Droplet from a terminal over SSH without using password access. If you can’t connect using those methods, you can use the DigitalOcean Console to recover access by resetting your Droplet’s root password, and then use ssh to add your keys.

On your local machine, output the contents of your public key.

cat ~/.ssh/id_rsa.pub

Copy the output.

ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0

Log into your Droplet using your local terminal and create the ~/.ssh directory if it does not already exist:

mkdir -p ~/.ssh

Add the key to the ~/.ssh/authorized_keys file. Make sure to substitute the contents of your public key.

echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0" >> ~/.ssh/authorized_keys

The ~/.ssh directory and authorized_keys file must have specific restricted permissions (700 for ~/.ssh and 600 for authorized_keys). If they don’t, you won’t be able to log in.

Make sure the permissions and ownership of the files are correct.

chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh

You can now log in without a password.
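
The manual steps above can be collected into one repeatable function. This is an added example, not part of the original instructions; the function name install_pubkey and its arguments are hypothetical. It assumes a plain "type base64 comment" key line with no authorized_keys options prefix. It skips a key that is already installed and sets the 700 and 600 modes explicitly.

```shell
#!/bin/sh
# Added example (not from the original page). install_pubkey and its
# arguments are hypothetical names used for illustration.
#
# install_pubkey KEY_LINE [SSH_DIR]
#   Installs one public key line into SSH_DIR/authorized_keys (default
#   ~/.ssh), skipping it if the same key is already present, then sets
#   700 on the directory and 600 on the file.
#   Returns 0 on success, 2 if the input does not look like a public key.
install_pubkey() {
    key_line=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # Exactly one line: embedded newlines would smuggle in extra entries.
    case $key_line in *"$nl"*) echo "multi-line input rejected" >&2; return 2 ;; esac

    # First field must be a public key type. This also rejects a pasted
    # private key, whose first line starts with "-----BEGIN".
    key_type=${key_line%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type" >&2; return 2 ;;
    esac

    # Second field must be a non-empty base64 blob.
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 2 ;;
    esac

    # Create directory and file with restrictive modes from the start.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1

    # Match on "type blob" so a changed comment does not cause a duplicate.
    if ! grep -qF -- "$key_type $key_blob" "$auth_file"; then
        # Terminate an unfinished last line so the new key is not glued to it.
        if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
            echo >> "$auth_file"
        fi
        printf '%s\n' "$key_line" >> "$auth_file"
    fi

    chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
}
```

On the Droplet, call it with the copied key in quotes, for example install_pubkey "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0", substituting the contents of your own public key.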