Recommended Initial Droplet Configuration

DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.

When you first create a Droplet, we recommend configuring it for security and usability in a way that makes scaling and integration with other products simpler in the future. Our recommended setup for a Ubuntu 18.04 Droplet has the following:

  • Improved security: SSH key authentication for a sudo non-root user, no password-based access to root, and a cloud firewall to restrict access to SSH only.

  • Reliability and usability: Automatic backups to prevent data loss in emergencies, and networking features like VPC and IPv6 support with no manual configuration.

  • Capacity and scaling information: The DigitalOcean metrics agent to understand your resource usage and make more informed decisions on when and how to scale.

After you set up one Droplet with our recommended setup, configuring subsequent Droplets with the same setup only requires selecting options on the Droplet creation page.

You can use Droplets with this setup to host a website, scale out from a single Droplet to multiple Droplets with a load balancer, or add object storage to serve assets.

Before You Start

Choose whether you want to use the DigitalOcean Control Panel in a browser or doctl, the DigitalOcean command-line interface, from a terminal.

The control panel visually guides you through creation and configuration and lets you get started without setting up additional tools. doctl lets you work from the command line and enables faster setup with a scriptable interface.

If you don't already have a DigitalOcean account, sign up now and log in to the control panel.

Step 1: Create and Upload SSH Keys

Our recommended setup uses SSH keys for authentication when logging into Droplets because password-based authentication is less secure. After you upload your SSH public key to your DigitalOcean account, you can add it automatically to any new Droplets you create, which avoids manually adding or configuring them.

How do I do this?

If you don't have an SSH key pair, create one using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:

ssh-keygen

Your key pair is saved in the location prompted, which by default is ~/.ssh/ on Linux and /Users/your_username/.ssh on Windows and macOS. Copy the contents of your public key, which is named id_rsa.pub by default.

From the Account section, in the Security tab, find the SSH keys section. Click Add SSH Key to open the New SSH key window.

The new SSH key window

Paste your public key into the SSH key content field, give it a name, then click Add SSH Key.

Get more detail on creating and uploading SSH keys.
The following articles have more detailed explanations of this step:

Use OpenSSH to create new SSH keys on MacOS, Linux, or Windows Subsystem for Linux.
Use PuTTY to create SSH keys on Windows systems without Bash.
Upload SSH public keys to your DigitalOcean account to make it easier to add keys to Droplets during creation.

Step 2: Create and Configure the Droplet

Our recommended setup for Droplets includes enabling several features: VPC (private networking), IPv6, monitoring, and backups.

  • VPC creates a private network interface accessible only by resources within the same account or team. It's free and increases security and decreases bandwidth costs for resources that communicate using it. Enabling it later requires manual network configuration and rebooting the Droplet.

  • IPv6 enables an additional 16 IP addresses for the Droplet. It's free and enabling it later requires manual network configuration and rebooting the Droplet.

  • Monitoring is a metrics visualization service that adds additional graphs to the control panel (like CPU load, RAM usage, and disk usage) and the ability to set up alert policies. It's free and enabling it from the start avoids manual setup and lets you understand your resource usage to make more informed decisions on when and how to scale.

  • Backups are automatic, system-level disk images of Droplets taken weekly. Backups give you a way to revert a Droplet to an older state or recreate Droplets, protecting you against data loss. They add 20% to the monthly cost of the Droplet.

Our setup also uses user data, which is data that CloudInit consumes during the Droplet's first boot to perform tasks or run scripts. The user data script in this tutorial implements two security measures:

  • Disables password-based login to the Droplet, making it accessible with SSH keys only.

  • Creates a sudo non-root user for day-to-day use. The root user has broad privileges that you don't need for many tasks. Using a sudo non-root user decreases the risk of making destructive changes by accident and still lets you escalate privileges when necessary.

How do I do this?

From the control panel, click Create in the top right to open the create menu, then click Droplets to open the Droplet create page. Configure the new Droplet with the following options:

  1. In Choose an image, under the Distributions tab, choose the latest version of Ubuntu 18.04.

  2. In VPC Network, choose the default VPC.

  3. In Select additional options, check the boxes for IPv6 and monitoring.

The select additional options section of the Droplet create page with private networking, IPv6, and monitoring checked

  1. In Select additional options, additionally check the box for user data. In the text box that opens, copy and paste the following cloud-config script. Customize the emphasized line to set the username.
    
        
#!/bin/bash
set -euo pipefail

USERNAME=sammy # TODO: Customize the sudo non-root username here

# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"

# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"

# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd fi


    
  1. In Authentication, select SSH keys, and choose one or more keys. These keys will give you access to the root user, and the user data script will add these keys to the sudo non-root user and disable password authentication.

The authentication section of the Droplet create page with SSH keys selected

  1. In Add tags, create a tag that matches what you're using the Droplet for, like webserver. You'll use this tag to apply cloud firewalls in the next step.

  2. In Add backups, click Enable backups.

Once you've selected all of the options, click Create Droplet.

Get more detail on creating Droplets.
The following articles have more detailed explanations of this step:

Create Droplets from the DigitalOcean Control Panel and customize the image, plan, authentication method, and quantity of Droplets you want.

Step 3: Create a Cloud Firewall

Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. DigitalOcean Cloud Firewalls are a free, stateful firewall service for Droplets. They block all traffic that isn't expressly permitted by a rule.

You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. Our setup uses tags. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.

To start, we recommend the following default firewall rules:

  • Restrict all inbound traffic except for SSH connections to the Droplet on port 22.

  • Allow all outbound traffic to any destination on any port. Many fundamental services rely on outbound communication, and these defaults make it easier to set up a new Droplet without introducing restrictions that could cause expected problems.

In the long term, we recommend organizing firewalls by role, so you can create custom firewalls for your specific use case.

How do I do this?

From the control panel, click Create in the top right to open the create menu, then click Cloud Firewalls to open the firewall create page. Configure the cloud firewall with the following options:

  1. In Name, enter inbound-ssh-only.

  2. In Inbound Rules, leave the single default rule for SSH.

The inbound rules section of the cloud firewall create page

  1. In Outbound Rules, keep the default rules, which permit all traffic to any destination on any port.

The outbound rules section of the cloud firewall create page

  1. In Apply to Droplets, add the tag you created with the new Droplet. When you create additional Droplets, adding the same tag to them will automatically add them to this cloud firewall as well, simplifying scaling in the future.

Once you've selected all of the options, click Create Firewall.

Get more detail on firewall creation and rules.
The following articles have more detailed explanations of this step:

Create a cloud firewall to restrict network traffic to and from specified Droplets.
Create, modify, or delete firewall rules to restrict Droplets’ inbound and outbound traffic based on ports, sources, and destinations.
Add Droplets to a firewall by name or by tag to apply the firewall's rules.

Summary

After you set up one Droplet with our recommended setup, setting up future ones is simpler because you don't need to repeat most of the steps. You only need to complete these steps once:

  • Creating an SSH key pair.
  • Uploading your public key to your DigitalOcean account.
  • Creating the cloud firewall.

To create additional Droplets with the same setup, the only step is choosing its configuration options on the Droplet creation page:

  1. Enable the same features (VPC, IPv6, monitoring, and backups).

  2. Choose your SSH key.

  3. Paste the cloud-config script in user data.

  4. Add the tag for the cloud firewall.

If you use doctl, the DigitalOcean command line interface, you can create a Droplet with all of these options in a single command:

doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
    --image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
    --ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
    --enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups

If you don't already have a DigitalOcean account, sign up now.

Install doctl using the GitHub repository's instructions, which recommends native package managers:

    
        
# On macOS:
brew install doctl

    
    
        
# On Snap-supported systems, like Ubuntu:
sudo snap install doctl
sudo snap connect doctl:ssh-keys :ssh-keys # Enable support for doctl compute ssh
sudo snap connect doctl:kube-config # Enable support for kubectl

    

Then, on the Applications & API page of the control panel, create a Personal access token for the DigitalOcean API with read and write access.

Give doctl access to your DigitalOcean account:

doctl auth init --context examplename

Enter the API token when prompted. Using --context identifies your account by naming the authentication context. You can list and switch between multiple authenticated accounts with doctl auth list and doctl auth switch, respectively.

Get more detail on doctl setup, personal access tokens, and doctl auth commands.

The following articles have more detailed explanations of this step:

doctl is the official DigitalOcean command line interface (CLI).
2 articles
Create a personal access token for use with the DigitalOcean API.

This command allows you to initialize doctl with a token that allows it to query and manage your account details and resources.

You will need an API token, which you can generate in the control panel at https://cloud.digitalocean.com/account/api/tokens.

You can provide a name to this initialization via the --context flag, and then it will be saved as an “authentication context”. Authentication contexts are accessible via doctl auth switch, which re-initializes doctl, or by providing the --context flag when using any doctl command (to specify that auth context for just one command). This enables you to use multiple DigitalOcean accounts with doctl, or tokens that have different authentication scopes.

If the --context flag is not specified, a default authentication context will be created during initialization.

If doctl is never initialized, you will need to specify an API token whenever you use a doctl command via the --access-token flag.

</div>
</div>

List named authentication contexts that you created with doctl auth init.

To switch between the contexts use doctl switch <name>, where <name> is one of the contexts listed.

To create new contexts, see the help for doctl auth init.

</div>
</div>

This command allows you to switch between accounts with authentication contexts you've already created.

To see a list of available authentication contexts, call doctl auth list.

For details on creating an authentication context, see the help for doctl auth init.

</div>
</div>

Step 1: Create and Upload SSH Keys

Our recommended setup uses SSH keys for authentication when logging into Droplets because password-based authentication is less secure. After you upload your SSH public key to your DigitalOcean account, you can add it automatically to any new Droplets you create, which avoids manually adding or configuring them.

How do I do this?

If you don't have an SSH key pair, create one using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:

ssh-keygen

Your key pair is saved in the location prompted, which by default is ~/.ssh/ on Linux and /Users/your_username/.ssh on Windows and macOS. Copy the contents of your public key, which is named id_rsa.pub by default.

Use doctl compute ssh-key import to upload the key to your account. Specify the public key file and a name for the key.

doctl compute ssh-key import TODO-KEY-NAME --public-key-file ~/.ssh/id_rsa.pub

If you saved your SSH key to a location other than the default, use that path for --public-key-file.

Get more detail on creating SSH keys and doctl ssh-key commands.

The following articles have more detailed explanations of this step:

Use this command to add a new SSH key to your account, using a local public key file.

Note that importing a key to your account will not add it to any Droplets

</div>
</div>

Use this command to add a new SSH key to your account.

Specify a <key-name> for the key, and set the --public-key flag to a string with the contents of the key.

Note that creating a key will not add it to any Droplets.

</div>
</div>
Use OpenSSH to create new SSH keys on MacOS, Linux, or Windows Subsystem for Linux.
Use PuTTY to create SSH keys on Windows systems without Bash.

Step 2: Create and Configure the Droplet

Our recommended setup for Droplets includes enabling several features: VPC (private networking), IPv6, monitoring, and backups.

  • VPC creates a private network interface accessible only by resources within the same account or team. It's free and increases security and decreases bandwidth costs for resources that communicate using it. Enabling it later requires manual network configuration and rebooting the Droplet.

  • IPv6 enables an additional 16 IP addresses for the Droplet. It's free and enabling it later requires manual network configuration and rebooting the Droplet.

  • Monitoring is a metrics visualization service that adds additional graphs to the control panel (like CPU load, RAM usage, and disk usage) and the ability to set up alert policies. It's free and enabling it from the start avoids manual setup and lets you understand your resource usage to make more informed decisions on when and how to scale.

  • Backups are automatic, system-level disk images of Droplets taken weekly. Backups give you a way to revert a Droplet to an older state or recreate Droplets, protecting you against data loss. They add 20% to the monthly cost of the Droplet.

Our setup also uses user data, which is data that CloudInit consumes during the Droplet's first boot to perform tasks or run scripts. The user data script in this tutorial implements two security measures:

  • Disables password-based login to the Droplet, making it accessible with SSH keys only.

  • Creates a sudo non-root user for day-to-day use. The root user has broad privileges that you don't need for many tasks. Using a sudo non-root user decreases the risk of making destructive changes by accident and still lets you escalate privileges when necessary.

How do I do this?

First, save the cloud-config script locally:

    
        
#!/bin/bash
set -euo pipefail

USERNAME=sammy # TODO: Customize the sudo non-root username here

# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"

# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"

# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
if sshd -t -q; then systemctl restart sshd fi


    

You can customize the username of the sudo non-root user on the emphasized line.

Next, use doctl compute droplet create to create the Droplet.

doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
    --image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
    --ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
    --enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups

Replace the TODO- values with your values. Choose a name for the Droplet and create a tag that matches what you're using the Droplet for, like webserver. You'll use this tag to apply cloud firewalls in the next step. Specify the fingerprint of the SSH key you want to use and the relative path to the saved user data file. You can customize the given datacenter region and Droplet size.

Get more detail on Droplet metadata and doctl compute droplet create.

The following articles have more detailed explanations of this step:

Access metadata about your Droplet by making calls to the metadata service.

Use this command to create a new Droplet. Required values are name, region, size, and image. For example, to create an Ubuntu 20.04 with 1 vCPU and 1 GB of RAM in the NYC1 datacenter region, run:

doctl compute droplet create --image ubuntu-20-04-x64 --size s-1vcpu-1gb --region nyc1 example.com
</div>
</div>

Step 3: Create a Cloud Firewall

Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. DigitalOcean Cloud Firewalls are a free, stateful firewall service for Droplets. They block all traffic that isn't expressly permitted by a rule.

You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. Our setup uses tags. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.

To start, we recommend the following default firewall rules:

  • Restrict all inbound traffic except for SSH connections to the Droplet on port 22.

  • Allow all outbound traffic to any destination on any port. Many fundamental services rely on outbound communication, and these defaults make it easier to set up a new Droplet without introducing restrictions that could cause expected problems.

In the long term, we recommend organizing firewalls by role, so you can create custom firewalls for your specific use case.

How do I do this?

Create a firewall named inbound-ssh-only, specifying the tag you used for the new Droplet:

    
        
doctl compute firewall create --name "inbound-ssh-only" \
    --tag-names TODO-TAG-NAME \
    --inbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0" \
    --outbound-rules "protocol:icmp,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0"

    
Get more detail on doctl compute firewall create.
The following articles have more detailed explanations of this step:

Use this command to create a cloud firewall. This command must contain at least one inbound or outbound access rule.

Summary

After you set up one Droplet with our recommended setup, setting up future ones is simpler because you don't need to repeat most of the steps.

You only need to complete these steps once:

  • Creating an SSH key pair
  • Uploading your public key to your DigitalOcean account
  • Creating the cloud firewall

To create additional Droplets with the same setup, the only step is choosing its configuration options:

  1. Enable the same features (private networking, IPv6, monitoring, and backups).

  2. Choose your SSH key.

  3. Paste the cloud-config script in user data.

  4. Add the tag for the cloud firewall.

doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
    --image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
    --ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
    --enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups

What's Next?

After this initial setup, you can use your Droplet to host a website, scale out from a single Droplet to multiple Droplets with a load balancer, or add object storage to serve assets.