Generating/uploading a custom SSH key for instances; Connect to Linux instances by using custom SSH keys; Intended Audience. This Lab is intended for: Google Cloud Associate Cloud Engineer (ACE) certification candidates; Individuals that are new to Google Cloud or Google Compute Engine (GCE) and want to learn more about how to interact with a Linux instance; GCP users interested in using self.
You can create an instance using the Console or API. When you create an instance, it is automatically attached to a virtual network interface card (VNIC) in the cloud network's subnet and given a private IP address from the subnet's CIDR. You can either let the IP address be automatically assigned, or specify a particular address of your choice. The private IP address lets instances within the cloud network communicate with each other. If you've set up the cloud network for DNS, they can instead use fully qualified domain names (FQDNs).
If the subnet is public, you can optionally assign the instance a public IP address. A public IP address is required to communicate with the instance over the internet, and to establish a Secure Shell (SSH) or Remote Desktop Protocol (RDP) connection to the instance from outside the cloud network.
Tip
If this is your first time creating an instance, consider following the Getting Started Tutorial for a guided workflow through the steps required to create an instance.
If this is your first time creating an instance, consider following the Getting Started Tutorial for a guided workflow through the steps required to create an instance.
Note
Partner images and pre-built Oracle enterprise images are not available in Government Cloud realms.
Partner images and pre-built Oracle enterprise images are not available in Government Cloud realms.
Warning
Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud InfrastructureConsole, API, or CLI.
Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud InfrastructureConsole, API, or CLI.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.
Tip
When you create an instance, several other resources are involved, such as an image, a cloud network, and a subnet. Those other resources can be in the same compartment with the instance or in other compartments. You must have the required level of access to each of the compartments involved in order to launch the instance. This is also true when you attach a volume to an instance; they don't have to be in the same compartment, but if they're not, you need the required level of access to each of the compartments.
When you create an instance, several other resources are involved, such as an image, a cloud network, and a subnet. Those other resources can be in the same compartment with the instance or in other compartments. You must have the required level of access to each of the compartments involved in order to launch the instance. This is also true when you attach a volume to an instance; they don't have to be in the same compartment, but if they're not, you need the required level of access to each of the compartments.
For administrators: The simplest policy to enable users to create instances is listed in Let users launch Compute instances. It gives the specified group general access to managing instances and images, along with the required level of access to attach existing block volumes to the instances. If the group needs to create block volumes, they'll need the ability to manage block volumes (see Let volume admins manage block volumes, backups, and volume groups).
Partner Image Catalog
If the group needs to create instances based on partner images, they'll need the manage permission for app-catalog-listing to create subscriptions to images from the Partner Image catalog. See Let users list and subscribe to images from the Partner Image catalog.
If you're new to policies, see Getting Started with Policies and Common Policies. For reference material about writing policies for instances, cloud networks, or other Core Services API resources, see Details for the Core Services.
Recommended Networking Launch Types
When you launch a virtual machine (VM) instance, by default, Oracle Cloud Infrastructure chooses a recommended networking type for the VNIC based on the instance shape and OS image. The networking interface handles functions such as disk input/output and network communication. The following options are available:
- Paravirtualized networking: For general purpose workloads such as enterprise applications, microservices, and small databases. Paravirtualized networking also provides increased flexibility to use the same image across different hardware platforms.
- Hardware-assisted (SR-IOV) networking: Single root input/output virtualization. For low-latency workloads such as video streaming, real-time applications, and large or clustered databases. Hardware-assisted (SR-IOV) networking uses the VFIO driver framework.
Important
Windows Server 2019 images only support paravirtualized networking. SR-IOV networking is not supported with Windows Server 2019 images.
Windows Server 2019 images only support paravirtualized networking. SR-IOV networking is not supported with Windows Server 2019 images.
The following table lists the default and supported networking types for VM shapes.
Shape Type | Default Networking Type | Supported Networking Types |
---|---|---|
VM.Standard1 | SR-IOV | Paravirtualized, SR-IOV |
VM.Standard2 | Paravirtualized | Paravirtualized, SR-IOV |
VM.Standard.E2 | Paravirtualized | Paravirtualized only |
VM.DenseIO1 | SR-IOV | Paravirtualized, SR-IOV |
VM.DenseIO2 | Paravirtualized | Paravirtualized, SR-IOV |
VM.GPU2 | SR-IOV | Paravirtualized, SR-IOV |
VM.GPU3 | SR-IOV | Paravirtualized, SR-IOV |
To use paravirtualized networking, you must also use an image that supports paravirtualized networking. Paravirtualized networking is supported on these Oracle-provided images:
- Oracle Linux 7, Oracle Linux 6: Images published in March 2019 or later.
- CentOS 7, CentOS 6: Images published in July 2019 or later.
- Ubuntu 18.04, Ubuntu 16.04: Images published in March 2019 or later.
- Windows Server 2019: All images.
- Windows Server 2016: Images published in August 2019 or later.
SR-IOV networking is supported on all Oracle-provided images.
You can create an instance that uses a specific networking type instead of the default. However, depending on compatibility between the shape and image that you choose, the instance might not launch properly. You can test whether it succeeded by connecting to the instance. If the connection fails, the networking type is not supported. Relaunch the instance using a supported networking type.
Using the Console
To create a Linux instancePrerequisites
To create a Linux instance, you'll need:
- A virtual cloud network (VCN) to launch the instance in. For information about setting up cloud networks, see Overview of Networking.
- The public key, in OpenSSH format, from the key pair that you plan to use for connecting to the instance via SSH. The following sample public key is abbreviated for readability:For information about generating a key pair, see Managing Key Pairs on Linux Instances.
Creating a Linux instance
- Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances. Then, choose a Compartment you have permission to work in.
- Click Create Instance.
- On the Create Compute Instance page, you specify the resources to use for your instance. By default, your instance launches in the current compartment, and the resources you choose also come from the current compartment.Specify the following:
- Name: The name for the instance. You can add or change the name later. The name doesn't need to be unique, because an Oracle Cloud Identifier (OCID) uniquely identifies the instance.
- Image or operating system: The source of the image to use for booting the instance. When you click Change Image, the Browse All Images page opens with the operating system or image source options. The following options are available:
- Platform Images: Pre-built images for Oracle Cloud Infrastructure. See Oracle-Provided Images for a list of these images.
- Oracle Images: Pre-built Oracle enterprise images and solutions enabled for Oracle Cloud Infrastructure.
- Partner Images: Trusted third-party images published by Oracle partners. Click the down arrow in the row for an image to view and change the image build, or to view additional details about the image. For more information, see Overview of Marketplace and Working with Listings.
- Custom Images: Custom images created or imported into your Oracle Cloud Infrastructure environment. See Managing Custom Images for more information.
- Boot Volumes: Boot volumes available for creating a new instance in your Oracle Cloud Infrastructure environment. See Boot Volumes for more information.
- Image OCID: Create an instance using a specific version of an image by providing the image OCID . See Oracle-Provided Image Release Notes to determine the image OCID for Oracle-provided images.
- Availability domain: The availability domain in which you want to run the instance.
- Shape: Click Change Shape. Then, do the following:
- In the Instance type section, select Virtual Machine or Bare Metal Machine.
- In the Shape type section, select the type of shape for the instance. A shape is a template that determines the number of CPUs, amount of memory, and other resources allocated to a newly created instance. The following options are available:
- Standard: Standard shapes with a fixed number of OCPUs. Includes the Always Free VM.Standard.E2.1.Micro shape. Choose a shape, and then click Select Shape.
- Specialty: Dense I/O shapes, GPU shapes, and HPC shapes. Choose a shape, and then click Select Shape.
- Configure networking: The network details for the instance. In this section, you configure the following:
- Virtual cloud network compartment: The compartment containing the network in which to create the instance.
- Virtual cloud network: The network in which to create the instance.
- Subnet compartment: The compartment containing a subnet within the cloud network to attach the instance to.
- Subnet: A subnet within the cloud network to attach the instance to. The subnets are either public or private. Private means the instances in that subnet can't have public IP addresses. For more information, see Access to the Internet. Subnets can also be either AD-specific or regional (regional ones have 'regional' after the name). We recommend using regional subnets. For more information, see About Regional Subnets.
- Use network security groups to control traffic: Select this check box to add the instance's primary VNIC to at least one network security group (NSG) of your choice. NSGs have security rules that apply only to the VNICs in that NSG. For more information, see Network Security Groups.
- If the subnet is public, you can optionally assign the instance a public IP address. A public IP address makes the instance accessible from the internet. Select the Assign a public IP address option. For more information, see Access to the Internet.
- Boot volume: Size and encryption options for the instance's boot volume.
- To specify a custom size for the boot volume, select the Specify a custom boot volume size check box. Then, enter a custom size from 50 GB to 32 TB. The specified size must be larger than the default boot volume size for the selected image. See Custom Boot Volume Sizes for more information.
- For VM instances, you can optionally select the Use in-transit encryption check box. See Block Volume Encryption for more information. If you are using your own Vault encryption key for the boot volume, then this key is also used for in-transit encryption. Otherwise, the Oracle-provided encryption key is used.
- Boot volumes are encrypted by default, but you can optionally encrypt the data in this volume using your own Vault service encryption key. To use the Vault service for your encryption needs, select the Encrypt this volume with a key that you manage check box. Then, select the Vault Compartment and Vault that contain the master encryption key you want to use. Also select the Master Encryption Key Compartment and Master Encryption Key. For more information about encryption, see Overview of Vault. If you enable this option, this key is used for both data at rest encryption and in-transit encryption.
- The Block Volume elastic performance feature enables you to change the volume performance for boot volumes, but this can only be modified after the instance has been launched. When the instance is created, the boot volume is configured with the default volume performance set to Balanced. See Changing the Performance of a Volume for how to modify this setting. See Block Volume Elastic Performance for more information about this feature.
- Add SSH keys: The public key (.pub) portion of the key pair that you want to use for SSH access to the instance. Browse to the key file that you want to upload, or drag and drop the file into the box. To provide multiple keys, press and hold down the Command key (on Mac) or the CTRL key (on Windows) while selecting files.
- Show Advanced Options: Advanced networking and management options.On the Management tab, configure the following:
- Choose a compartment for your instance: The compartment in which you want to launch the instance.
- Choose a fault domain: The fault domain to use for the instance. If you do not specify the fault domain, the system selects one for you. The fault domain cannot be changed after you create the instance. If you want to use a different fault domain, you must terminate the instance and launch a new instance in the preferred fault domain. For more information, see Fault Domains and Best Practices for Your Compute Instance.
- Initialization Script:User data to be used by cloud-init to run custom scripts or provide custom cloud-init configuration. Browse to the file that you want to upload, or drag and drop the file into the box. The file or script does not need to be base64-encoded, because the Console performs this encoding when the information is submitted. For information about how to take advantage of user data, see the cloud-init documentation.
- Enable monitoring: Select this check box to collect metrics for this instance. When enabled, the Oracle Cloud Agent software on the instance emits metrics for this instance to the Monitoring service using the oci_computeagent metric namespace.This option is available for supported images only. Legacy versions of supported images may also require installation of the Oracle Cloud Agent software. For more information, see Enabling Monitoring for Compute Instances.
- Use Oracle Cloud Agent to manage this instance: Select this check box to let Oracle Cloud Agent automate operational tasks for the instance, such as installing patches. For more information, see OS Management.Important
Oracle Autonomous Linux instances cannot be managed by the OS Management service. See this known issue for more information. - Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
On the Networking tab, configure the following:- Private IP Address: Optional. An available private IP address of your choice from the subnet's CIDR. If you don't specify a value, the private IP address is automatically assigned.
- Hostname: Optional. A hostname to be used for DNS within the cloud network. Available only if the VCN and subnet both have DNS labels. For more information, see DNS in Your Virtual Cloud Network.
- Launch Options: Optional. The networking launch type. Available only for VMs. For more information, see Recommended Networking Launch Types.
On the Image tab, you can optionally change the image build. By default, the latest build of the image is used to create the instance. You can select an older build of the image that is compatible with the shape you selected. Only compatible image builds are displayed in the list. You must select a shape before you can change the image build.On the Host tab, you can optionally choose to launch the instance on a dedicated virtual machine host. This enables you to run the instance in isolation, so that it is not running on shared infrastructure. To do this, select the Launch the virtual machine on a dedicated host check box, and then select a dedicated virtual machine host from the drop-down list. Before you can place an instance on a dedicated virtual machine host, you must create a dedicated virtual machine host in the same availability domain and fault domain as the instance. You can only place an instance on a dedicated virtual machine host at the time that you create the instance. For more information, see Dedicated Virtual Machine Hosts. - Click Create.To track the progress of the operation, you can monitor the associated work request. For more information, see Using the Console to View Work Requests.
After the instance is provisioned, details about it appear in the instance list. To view additional details, including IP addresses, click the instance name.
When the instance is fully provisioned and running, you can connect to it using SSH as described in Connecting to an Instance.
You also can attach a volume to the instance, provided the volume is in the same availability domain. For background information about volumes, see Overview of Block Volume.
To create a Windows instancePrerequisites
To create a Windows instance, you'll need:
- A virtual cloud network (VCN) to launch the instance in. For information about setting up VCNs, see Overview of Networking.
- A VCN security rule that enables Remote Desktop Protocol (RDP) access so that you can connect to your instance. Specifically, you need a stateful ingress rule for TCP traffic on destination port 3389 from source 0.0.0.0/0 and any source port. For more information, see Security Rules. You can implement this security rule in either a network security group that you will add this Windows instance to, or a security list that is used by the instance's subnet.To enable RDP access
- Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
- Click the cloud network you're interested in.
- To add the rule to a network security group that the instance belongs to:
- Under Resources, click Network Security Groups. Then click the network security group that you're interested in.
- Click Add Rules.
- Enter the following values for the rule:
- Stateless: Leave the check box cleared.
- Source Type: CIDR
- Source CIDR: 0.0.0.0/0
- IP Protocol: RDP (TCP/3389)
- Source Port Range: All
- Destination Port Range: 3389
- Description: An optional description of the rule.
- When done, click Add.
- Or, to add the rule to a security list that is used by the instance's subnet:
- Under Resources, click Security Lists. Then click the security list you're interested in.
- Click Add Ingress Rules.
- Enter the following values for the rule:
- Stateless: Leave the check box cleared.
- Source Type: CIDR
- Source CIDR: 0.0.0.0/0
- IP Protocol: RDP (TCP/3389)
- Source Port Range: All
- Destination Port Range: 3389
- Description: An optional description of the rule.
- When done, click Add Ingress Rules.
Creating a Windows instance
- Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances. Then, choose a Compartment you have permission to work in.
- Click Create Instance.
- On the Create Compute Instance page, you specify the resources to use for the instance. By default, the instance launches in the current compartment, and the resources that you choose also come from the current compartment.Specify the following:
- Name: The name for the instance. You can add or change the name later. The name doesn't need to be unique, because an Oracle Cloud Identifier (OCID) uniquely identifies the instance.Important
Use only these ASCII characters in the instance name: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and hyphens (-). See this known issue for more information. - Image or operating system: The source of the image to use for booting the instance. When you click Change Image Source, the Browse All Images page opens with the operating system or image source options. The following options are available:
- Platform Images: Pre-built images for Oracle Cloud Infrastructure. See Oracle-Provided Images for a list of these images.
- Oracle Images: Pre-built Oracle enterprise images and solutions enabled for Oracle Cloud Infrastructure.
- Partner Images: Trusted third-party images published by Oracle partners. Click the down arrow in the row for an image to view and change the image build, or to view additional details about the image. For more information, see Overview of Marketplace and Working with Listings.
- Custom Images:Custom images created or imported into your Oracle Cloud Infrastructure environment. See Managing Custom Images for more information.
- Boot Volumes: Boot volumes available for creating a new instance in your Oracle Cloud Infrastructure environment. See Boot Volumes for more information.
- Image OCID: Create an instance using a specific version of an image by providing the image OCID . See Oracle-Provided Image Release Notes to determine the image OCID for Oracle-provided images.
- Availability domain: The availability domain in which you want to run the instance.
- Shape: Click Change Shape. Then, do the following:
- In the Instance type section, select Virtual Machine or Bare Metal Machine.
- In the Shape type section, select the type of shape for the instance. A shape is a template that determines the number of CPUs, amount of memory, and other resources allocated to a newly created instance. The following options are available:
- Standard: Standard shapes with a fixed number of OCPUs. Includes the Always Free VM.Standard.E2.1.Micro shape. Choose a shape, and then click Select Shape.
- Specialty: Dense I/O shapes, GPU shapes, and HPC shapes. Choose a shape, and then click Select Shape.
- Configure networking: The network details for the instance. In this section, you configure the following:
- Virtual cloud network compartment: The compartment containing the network in which to create the instance.
- Virtual cloud network: The network in which to create the instance.
- Subnet compartment: The compartment containing a subnet within the cloud network to attach the instance to.
- Subnet: A subnet within the cloud network to attach the instance to. The subnets are either public or private. Private means the instances in that subnet can't have public IP addresses. For more information, see Access to the Internet. Subnets can also be either AD-specific or regional (regional ones have 'regional' after the name). We recommend using regional subnets. For more information, see About Regional Subnets.
- Use network security groups to control traffic: Select this check box to add the instance's primary VNIC to at least one network security group (NSG) of your choice. NSGs have security rules that apply only to the VNICs in that NSG. For more information, see Network Security Groups.
- If the subnet is public, you can optionally assign the instance a public IP address. A public IP address makes the instance accessible from the internet. Select the Assign a public IP address option. For more information, see Access to the Internet.
- Boot volume: Size and encryption options for the instance's boot volume.
- To specify a custom size for the boot volume, select the Specify a custom boot volume size check box. Then, enter a custom size from 50 GB (256 GB for Oracle-provided Windows images) to 32 TB. The specified size must be larger than the selected image's default boot volume size. See Custom Boot Volume Sizes for more information.
- For VM instances, you can optionally select the Use in-transit encryption check box. See Block Volume Encryption for more information. If you are using your own Vault encryption key for the boot volume, then this key is also used for in-transit encryption. Otherwise, the Oracle-provided encryption key is used.
- Boot volumes are encrypted by default, but you can optionally encrypt the data in this volume using your own Vault service encryption key. To use the Vault service for your encryption needs, select the Encrypt this volume with a key that you manage check box. Then, select the Vault Compartment and Vault that contain the master encryption key you want to use. Also select the Master Encryption Key Compartment and Master Encryption Key. For more information about encryption, see Overview of Vault.
- The Block Volume elastic performance feature enables you to change the volume performance for boot volumes, but this can only be modified after the instance has been launched. When the instance is created, the boot volume is configured with the default volume performance set to Balanced. See Changing the Performance of a Volume for how to modify this setting. See Block Volume Elastic Performance for more information about this feature.
- Add SSH keys: An SSH key pair is only required for Linux instances. For Windows instances, you connect to the instance using a password. An initial password will be provided when you finish launching the instance.
- Show Advanced Options: Advanced networking and management options.On the Management tab, configure the following:
- Choose a compartment for your instance: The compartment in which you want to launch the instance.
- Choose a fault domain: The fault domain to use for the instance. If you do not specify the fault domain, the system selects one for you. The fault domain cannot be changed after you create the instance. If you want to use a different fault domain, you must terminate the instance and launch a new instance in the preferred fault domain. For more information, see Fault Domains and Best Practices for Your Compute Instance.
- Initialization Script: User data to be used by cloudbase-init to run custom scripts or provide custom cloudbase-init configuration. Browse to the file that you want to upload, or drag and drop the file into the box. The file or script does not need to be base64-encoded, because the Console performs this encoding when the information is submitted. For information about how to take advantage of user data, see the cloudbase-init documentation.Warning
Do not include anything in the script that could trigger a reboot, because this could impact the instance launch and cause it to fail. Any actions requiring a reboot should only be performed once the instance state is RUNNING. - Enable monitoring: Select this check box to collect metrics for this instance. When enabled, the Oracle Cloud Agent software on the instance emits metrics for this instance to the Monitoring service using the oci_computeagent metric namespace.This option is available for supported images only. Legacy versions of supported images may also require installation of the Oracle Cloud Agent software. For more information, see Enabling Monitoring for Compute Instances.
- Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
On the Networking tab, configure the following:- Private IP address: Optional. An available private IP address of your choice from the subnet's CIDR. If you don't specify a value, the private IP address is automatically assigned.
- Hostname: Optional. A hostname to be used for DNS within the cloud network. Available only if the VCN and subnet both have DNS labels. For more information, see DNS in Your Virtual Cloud Network.
- Launch Options: Optional. The networking launch type. Available only for VMs. For more information, see Recommended Networking Launch Types.
On the Image tab, you can optionally change the image build. By default, the latest build of the image is used to create the instance. You can select an older build of the image that is compatible with the shape you selected. Only compatible image builds are displayed in the list. You must select a shape before you can change the image build.On the Host tab, you can optionally choose to launch the instance on a dedicated virtual machine host. This enables you to run the instance in isolation, so that it is not running on shared infrastructure. To do this, select the Launch the virtual machine on a dedicated host check box, and then select a dedicated virtual machine host from the list. Before you can place an instance on a dedicated virtual machine host, you must create a dedicated virtual machine host in the same availability domain and fault domain as the instance. You can only place an instance on a dedicated virtual machine host at the time you create the instance. For more information, see Dedicated Virtual Machine Hosts. - Click Create.To track the progress of the operation, you can monitor the associated work request. For more information, see Using the Console to View Work Requests.
After the instance is provisioned, details about it appear in the instance list. To view additional details, including IP addresses and the initial Windows password, click the instance name.
When the instance is fully provisioned and running, you can connect to it using Remote Desktop as described in Connecting to an Instance.
You also can attach a volume to the instance, provided the volume is in the same availability domain. For background information about volumes, see Overview of Block Volume.
Managing Tags for an Instance
You can apply tags to your resources, such as instances, to help you organize them according to your business needs. You can apply tags when you create an instance, or you can update the instance later with the tags that you want.
To manage tags for an instance- Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
- Click the instance that you're interested in.
- Click the Tags tab to view or edit the existing tags. Or click Apply tag(s) to add new ones.
For more information, see Resource Tags.
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use these API operations to manage instances:
Oracle Cloud Infrastructure enables you to launch instances from images published by Oracle partners from the Partner Image catalog. Use these APIs to work with the Partner Image catalog listings:
An SSH key is a form of authentication in the SSH protocol. It is similar to a password, but allows for authentication without entering in a password or any manual input. SSH keys generally speaking are more secure, and convenient than password authentication.
Command Line
If you currently have access to SSH on your server, you can generate SSH keys on the command line using the
ssh-keygen
utility which is installed by default on our servers. Run it on your server with no options, or arguments to generate a 2048-bit RSA key pair (which is plenty secure).You will be prompted to select a file for the key pair. The default directory for SSH keys is
~/.ssh
with the private key named id_rsa
and the public key named id_rsa.pub
. By using the default file names, the SSH client will be able to automatically locate the keys during authentication so it is strongly recommended to not change them. You can use the default by pressing the Enter key.If
/home/USER/.ssh/id_rsa
or a key of the name you chose already exists, you will be prompted to overwrite the keys. If you do overwrite the existing keys, you will not be able to use them to authenticate anymore.After you have selected the file for the key pair, you be will be prompted to enter a passphrase to encrypt private key file. Encrypting the private key with a passphrase is optional, but it will improve security the keys. If you enter a passphrase you will have to provide each it time you use the key. You can press the Enter key to not use a passphrase; we strongly recommend the use of a passphrase with SSH keys.
A public and private key will now be generated.
WHM
You can generate SSH key pairs for
root
in WHM >> Home Security Center >> Manage root's SSH Keys. Click Generate a New Key to get started.
There are several fields on this page: Key Name, Key Password, Key Type, and Key Size.
The default Key Name is
id_rsa
. Keys are generated in /root/.ssh/
so the default key name would create a private key in /root/.ssh/id_rsa
, and a public key in /root/.ssh/id_rsa.pub
. Using the default name will allow SSH clients to automatically locate the keys so it is strongly recommend you use the default name (simply leave the field blank or fill it with id_rsa
).The Key Password encrypts the private key file using a password to add an extra layer of security. The password must be provided each time the key is used for authentication to decrypt the private key. The Password Strength field indicates how strong your password is. 0 indicates a very weak password, and 100 indicates a very strong password. Click Password Generator to have a strong password generated for you.
Key Type and Key Size are RSA and 2048 by default, and are secure enough for most purposes so these can be left alone.
Click Generate Key to generate the SSH key pair. WHM will then display the location of the key.
PuTTY
PuTTY is an open Windows SSH client. You will need to have the PuTTYgen utility installed to generate an SSH key pair. PuTTYgen is included in Windows installer on the Download PuTTY site, but you can download it separately if you installed PuTTY without its extra utilities. See Connect using Putty to a Linux Server to learn more about PuTTY.
Open PuTTYgen.
The Parameters at the bottom can be adjusted to affect how secure the key is, but the default options are plenty secure for most purposes.
If you're satisfied with the parameters, click Generate in Actions to generate the key pair.
You may be asked to 'generate some randomness by moving the mouse over the blank area' to generate the key. The randomness is used to generate your keys securely, and make it difficult to reproduce them.
Once the key is generated, you will see the public key in PuTTYgen.
The Key passphrase field sets a password used to decrypt the private the key. This field is optional, and the private key will not be encrypted if it is omitted.Using a passphrase increases the security of your SSH keys, and we strongly recommend setting one.
Be sure to save both the public and private keys on your local machine so they can be used by PuTTY for authentication in the future by clicking the Save public key and Save private key buttons.
If you don't use a passphrase, it will prompt you to confirm before allowing you to save the private key. The private key will be saved as a
.ppk
file. The public key isn't given an extension by default, but .pub
is a common extension for public key files. It can be saved as a .txt
file as well as the public key file only stores the public key in plain text.Command Line
If you currently have access to SSH on your server, you can upload the key over the command line.
Retrieve the contents of the public key. If the key was created in the default location, this can be done by outputting the contents of
~/.ssh/id_rsa.pub
.The output will look similar to the following:
Open the (and create if it doesn't exist)
~/.ssh/authorized_keys
file using a text editor such as nano
, pico
, or vim
.If you had to create the
~/.ssh/
directory, or the authorized_keys
file, you need to verify the permissions are correct, or you won't be able to login.Paste the public key at the bottom of the file, and then save and close the file.
Alternatively, you can append the public key to
~/.ssh/authorized_keys
with a single command.You can use the
cat
command if the public key is stored in a file.If the public key is not stored as a file on the server, you can use the
echo
command.Be sure to include the entire public key in quotes after
echo
.Once the public key is added to the
authorized_keys
file, you should be able to login using your SSH keys.WHM
Generating Uploading A Custom Ssh Key For Instances Windows 10
You can import an existing SSH key for
root
in WHM >> Home Security Center >> Manage root's SSH Keys. Click Import Key.
The next page has a few fields to fill in.
You need to name the SSH key in the Choose a name for this key field. The default key name is
id_rsa
. Using the default name will allow SSH clients to automatically locate the keys so it is strongly recommend you use the default name (simply leave the field blank or fill it with id_rsa
).If you are importing a PPK (PuTTYgen key) file, enter its password (if applicable) in the Private key passphrase text box.
Paste the public key into the appropriate box, but do not paste the private key into the box; private keys should always remain on the servers that generated them.
Click Import.
WHM will display the name of the keys imported, and you should now be able to authenticate over SSH using the key.
The default name for SSH key pairs is
id_rsa
, and that name will allow an SSH client to locate the key automatically. When an SSH key pair doesn't use the default name, you will need to specify the name of key used.