SSH keys are how you securely log into your DigitalOcean Droplets. Instead of a password, you use a pair of cryptographic keys: a private key (which you keep secret) and a public key (which you give to DigitalOcean). When you try to log in, your Droplet uses the public key to verify that you possess the corresponding private key.

The examples below assume a Droplet that is already running and reachable over SSH.

# Example of a Droplet that's already running and accessible via SSH
# This is just for illustration; you'd be SSHing into your actual Droplet.
ssh root@your_droplet_ip

Let’s say you’ve just created a new Droplet and want to add a new SSH key to it, or perhaps you need to remove an old one.

Adding a New SSH Key to a Droplet

The most straightforward way to manage SSH keys for your Droplets is through the DigitalOcean control panel.

  1. Navigate to Security: In your DigitalOcean dashboard, go to "Security" in the left-hand navigation menu.
  2. SSH Keys Tab: Click on the "SSH Keys" tab.
  3. Add SSH Key: Click the "Add SSH Key" button.
  4. Paste Your Public Key: You’ll be prompted to enter a name for your key and paste your public SSH key. Your public key typically looks something like this: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... user@hostname.
    • Where to find your public key: If you don’t have an SSH key pair yet, you can generate one on your local machine using ssh-keygen -t rsa -b 4096. This will create two files: id_rsa (your private key) and id_rsa.pub (your public key). You’ll want to copy the contents of id_rsa.pub.
    • Example pasting:
      Name: MyLaptopKey
      Public Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKv...me_example_key
      
  5. Confirm: Click "Save SSH Key."

Once added to your account, this key will be available to be associated with any Droplets you create going forward.

Associating an SSH Key with a Droplet (New Droplets)

When you create a new Droplet, you’ll have the option to select from your existing SSH keys.

  1. Create Droplet: Start the Droplet creation process.
  2. Authentication: In the "Choose a datacenter region" step, scroll down to the "Authentication" section.
  3. SSH Keys: Select "SSH Keys" and then choose the key(s) you’ve previously added to your DigitalOcean account.
  4. Create: Proceed with creating your Droplet.

Your new Droplet will be provisioned with the selected public key already authorized for access.

Associating an SSH Key with an Existing Droplet

If you need to add an SSH key to a Droplet that’s already running, you can do so by editing the Droplet’s settings.

  1. Go to Droplets: Navigate to the "Droplets" section in your dashboard.
  2. Select Droplet: Click on the Droplet you want to modify.
  3. Networking Tab: Go to the "Networking" tab for that Droplet.
  4. Manage SSH Keys: Under the "Manage SSH Keys" section, click "Manage."
  5. Add Key: You’ll see a list of keys associated with this Droplet. Click "Add SSH Key" and select the key you want to add from your account’s library.

This will append the public key to the authorized_keys file for the root user (and any other users that might be configured for SSH access) on your Droplet.

Removing an SSH Key from a Droplet

To remove a key from a Droplet:

  1. Follow steps 1-4 from "Associating an SSH Key with an Existing Droplet."
  2. Remove Key: Next to the SSH key you wish to remove, click the "Remove" button.
  3. Confirm: A confirmation dialog will appear. Click "Remove" again.

This action will remove the public key from the authorized_keys file on the Droplet.

The authorized_keys File

Under the hood, DigitalOcean manages the authorized_keys file on your Droplet. This file, located at /root/.ssh/authorized_keys (or ~/.ssh/authorized_keys for other users), contains a list of public keys. When you SSH into the Droplet, the SSH server reads this file to determine which public keys are allowed to grant access.

For instance, if you were to SSH into a Droplet and inspect this file, you might see:

cat /root/.ssh/authorized_keys

Output could look like:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1... my_local_laptop_key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2... old_work_machine_key

When you add or remove keys via the DigitalOcean control panel, it’s programmatically updating this file on your Droplet.
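To review what is actually authorized on a Droplet, the following added example (not DigitalOcean's code) parses authorized_keys entries, computes the SHA256 fingerprint in the same form ssh-keygen -lf prints, and flags short RSA keys. The sample lines are constructed in the script with arbitrary moduli, and the 2048-bit threshold is an assumed policy value.

```python
import base64, hashlib, struct

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _string(buf, off):
    """Read one length-prefixed field (RFC 4251 string/mpint) from a key blob."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_line(line, min_rsa_bits=2048):  # threshold is an assumption; tune to policy
    """Describe one authorized_keys entry; None for blank or comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options such as from="..." may precede the key type. Assumes option
    # values contain no whitespace, which holds for the entries shown here.
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type/blob found")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    inner_type, off = _string(blob, 0)
    if inner_type.decode() != fields[idx]:
        raise ValueError("declared key type does not match blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    entry = {"type": fields[idx], "comment": " ".join(fields[idx + 2:]),
             "fingerprint": "SHA256:" + digest, "bits": None, "weak": False}
    if fields[idx] == "ssh-rsa":
        _e, off = _string(blob, off)   # public exponent
        n, off = _string(blob, off)    # modulus
        entry["bits"] = int.from_bytes(n, "big").bit_length()
        entry["weak"] = entry["bits"] < min_rsa_bits
    return entry

def audit(text):
    """Audit every entry in the text of an authorized_keys file."""
    return [e for e in map(audit_line, text.splitlines()) if e]

def _constructed_rsa_line(bits, comment):
    """CONSTRUCTED sample: well-formed ssh-rsa blob with an arbitrary modulus."""
    s = lambda b: struct.pack(">I", len(b)) + b
    mpint = lambda v: s(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = s(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

SAMPLE = "\n".join([_constructed_rsa_line(4096, "my_local_laptop_key"),
                    _constructed_rsa_line(1024, "old_work_machine_key")])

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e["fingerprint"], e["bits"], e["comment"], "WEAK" if e["weak"] else "ok")
```

On a real Droplet, pass the contents of /root/.ssh/authorized_keys to audit() and compare each fingerprint against the keys you expect to be there.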

Important Considerations

  • Private Key Security: Never share your private key. If your private key is compromised, anyone who has it can log into your Droplets.
  • Key Pairs: Always use a key pair. SSH keys are designed to work in pairs: the private key stays on your machine and the public key is installed on the Droplet, and authentication needs both.
  • Root vs. User: By default, keys managed through DigitalOcean are added to the root user’s authorized_keys. If you create a Droplet with a different user (e.g., ubuntu), the keys will be added to that user’s ~/.ssh/authorized_keys.
  • Local SSH Config: You can also manage your local SSH client’s configuration (~/.ssh/config) to specify which private key to use for which hosts, making it easier to connect to multiple Droplets without manually specifying keys each time.

The next step in managing access is often setting up user accounts with specific permissions rather than relying solely on root access.
