
How Do I Set Up SSH Keys for DigitalOcean Droplets?

Generate an SSH key pair, add it to your DigitalOcean account, and connect to Droplets securely without passwords.


Why SSH Keys Matter

Password-based SSH login is vulnerable to brute-force attacks. Automated bots scan every new Droplet within minutes of creation. SSH keys use public-key cryptography — only someone with your private key can authenticate, which makes unauthorized access far harder.

Step 1 — Generate a Key Pair Locally

On your local machine (Windows with WSL, macOS, or Linux), run:

ssh-keygen -t ed25519 -C "you@example.com"

Press Enter to accept the default path (~/.ssh/id_ed25519). Optionally set a passphrase, which encrypts the private key file on disk and adds an extra layer of security. The command creates two files:

  • id_ed25519 — your private key (never share this)
  • id_ed25519.pub — your public key (safe to upload anywhere)

Step 2 — Add the Key to DigitalOcean

Print your public key and copy the output to the clipboard:

cat ~/.ssh/id_ed25519.pub

In the DigitalOcean control panel, go to Settings → Security → SSH Keys and click Add SSH Key. Paste the entire line (starting with ssh-ed25519), give it a recognizable name like MacBook-2026, and save.

Step 3 — Attach Keys When Creating Droplets

When you create a new Droplet, check the box next to your SSH key under Authentication. DigitalOcean injects the key into /root/.ssh/authorized_keys automatically — no manual setup on the server.

Step 4 — Connect to Your Droplet

ssh root@YOUR_DROPLET_IP

If you set a passphrase, you will be prompted for it when you connect. To avoid re-entering it every session, start the SSH agent and add your key to it:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Step 5 — Add Keys to Existing Droplets

For Droplets created before you added a key, copy it manually. This needs a login that still works on the Droplet, such as the root password:

ssh-copy-id root@YOUR_DROPLET_IP

Or paste the public key into /root/.ssh/authorized_keys on the server.

Harden SSH After Key Setup

Edit /etc/ssh/sshd_config on the Droplet:

PasswordAuthentication no
PermitRootLogin prohibit-password

Restart SSH: systemctl restart sshd. Test your key login in a second terminal before closing your current session.
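
sshd keeps the first value it reads for each keyword, so a file pulled in by an Include line near the top of /etc/ssh/sshd_config can override the two lines above; reading the effective configuration from sshd -T catches that. The script below is an added example, not part of the original tutorial: the function names effective_value and check_sshd_effective are hypothetical, and the two sample dumps are constructed.

```shell
#!/bin/sh
# Audit sshd's effective settings as printed by `sshd -T`: lowercase
# "keyword value" lines with Include files already merged in.
# On the Droplet:  sshd -t && sshd -T | check_sshd_effective

# Print the value of one keyword from a dump on stdin.
effective_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Read a dump on stdin, report each setting, return 0 only if all pass.
# sshd -T may print the older alias "without-password" for "prohibit-password".
check_sshd_effective() {
    dump=$(cat)
    failures=0
    for rule in \
        "passwordauthentication:no" \
        "pubkeyauthentication:yes" \
        "permitrootlogin:prohibit-password|without-password"
    do
        key=${rule%%:*}
        allowed=${rule#*:}
        got=$(printf '%s\n' "$dump" | effective_value "$key")
        case "|$allowed|" in
            *"|${got:-MISSING}|"*) echo "ok    $key $got" ;;
            *)
                echo "FAIL  $key is '${got:-unset}', want $allowed"
                failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample dumps (not captured from a real server).
HARDENED='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no'

# Constructed: an included drop-in file set PasswordAuthentication yes
# before the edited line was read, so the edit had no effect.
OVERRIDDEN='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes'

printf '%s\n' "$HARDENED" | check_sshd_effective
printf '%s\n' "$OVERRIDDEN" | check_sshd_effective || echo "not hardened yet"
```

Run the check before closing your current session; a FAIL on pubkeyauthentication means key login itself is disabled.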

Quick Reference

  • ssh-keygen -t ed25519 — generate keys
  • DigitalOcean → Settings → SSH Keys — upload public key
  • ssh root@IP — connect
  • Disable password auth after confirming key login works