Create SSH keys


This document describes how to create an SSH key pair for Compute Engine virtual machine (VM) instances.

Before you begin

Create an SSH key pair

If you connect to VMs using the Google Cloud console or the Google Cloud CLI, Compute Engine creates SSH keys on your behalf. For more information on how Compute Engine configures and stores keys, see About SSH connections.

If you connect to VMs using third-party tools or OpenSSH, you need to add a key to your VM before you can connect. If you don't have an SSH key, you must create one. VMs accept the key formats listed in the sshd_config file.

Linux and macOS

On Linux and macOS workstations, use the ssh-keygen utility to create a new SSH key pair. The following example creates an RSA key pair.

Open a terminal and use the ssh-keygen command with the -C flag to create a new SSH key pair.

ssh-keygen -t rsa -f ~/.ssh/KEY_FILENAME -C USERNAME -b 2048

Replace the following:

  • KEY_FILENAME: the name for your SSH key file.

    For example, a filename of my-ssh-key generates a private key file named my-ssh-key and a public key file named my-ssh-key.pub.

  • USERNAME: your username on the VM. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.

    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.

    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.

ssh-keygen saves your private key file to ~/.ssh/KEY_FILENAME and your public key file to ~/.ssh/KEY_FILENAME.pub.

A public key for the user cloudysanfrancisco looks similar to the following:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... cloudysanfrancisco

Windows 10 or later

On workstations with Windows version 10 or later, use the ssh-keygen utility to create a new SSH key pair. The following example creates an RSA key pair.

Open Command Prompt and use the ssh-keygen command with the -C flag to create a new SSH key pair.

ssh-keygen -t rsa -f C:\Users\WINDOWS_USER\.ssh\KEY_FILENAME -C USERNAME -b 2048

Replace the following:

  • WINDOWS_USER: your username on the Windows machine.

  • KEY_FILENAME: the name for your SSH key file.

    For example, a filename of my-ssh-key generates a private key file named my-ssh-key and a public key file named my-ssh-key.pub.

  • USERNAME: your username on the VM. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.

    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.

    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.

ssh-keygen saves your private key file to C:\Users\WINDOWS_USER\.ssh\KEY_FILENAME and your public key file to C:\Users\WINDOWS_USER\.ssh\KEY_FILENAME.pub.

A public key for the user cloudysanfrancisco looks similar to the following:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... cloudysanfrancisco
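
Before adding a public key line produced by either ssh-keygen command above to a VM, you can check it offline. The following is an added example, not part of the original page: it decodes KEY_VALUE, confirms that the encoded key type matches the ssh-rsa prefix, measures the RSA modulus against the 2048 bits used on this page, and rejects root as the USERNAME for a Linux VM. The function names and the sample key built by make_sample_line are assumptions made for this example.

```python
import base64

MIN_RSA_BITS = 2048  # matches the -b 2048 used in the commands on this page


def read_field(blob, pos):
    """Read one SSH wire-format field: 4-byte big-endian length, then data."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def check_public_key(line, linux_vm=True):
    """Return (username, rsa_bits) for a 'ssh-rsa KEY_VALUE USERNAME' line."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError("expected key type, KEY_VALUE and USERNAME")
    key_type, key_value, username = parts
    if key_type != "ssh-rsa":
        raise ValueError("this example only checks ssh-rsa keys")
    blob = base64.b64decode(key_value, validate=True)
    inner_type, pos = read_field(blob, 0)
    if inner_type != b"ssh-rsa":
        raise ValueError("key type prefix does not match the encoded key")
    _exponent, pos = read_field(blob, pos)
    modulus, pos = read_field(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected data after the modulus")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    if linux_vm and username == "root":
        raise ValueError("USERNAME can't be root unless root login is configured")
    return username, bits


def make_sample_line(bits, username):
    """Constructed test input: correct layout, but not a real RSA modulus."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    modulus = b"\x00\xc1" + b"\x5a" * (bits // 8 - 1)
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {username}"


if __name__ == "__main__":
    print(check_public_key(make_sample_line(2048, "cloudysanfrancisco")))
```

To check a real key, pass the contents of your KEY_FILENAME.pub file to check_public_key.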

Windows 8 or earlier

On workstations with Windows version 8 or earlier, use the PuTTYgen tool to create a new SSH key pair. The following example creates an RSA key pair.

  1. Download puttygen.exe if you haven't already.

  2. Open PuTTYgen.

  3. Under Parameters, specify the following:

    • Type of key to generate: RSA
    • Number of bits in a generated key: 2048 or more

  4. Click Generate and follow the on-screen instructions.

    The tool displays the public key value.

  5. In the Key comment section, replace the pre-populated text with your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.

    For Linux VMs, the Key comment can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.

    For Windows VMs that use Active Directory (AD), the Key comment must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a Key comment of example\cloudysanfrancisco.

  6. Optional: enter a Key passphrase to password-protect your key.

  7. Click Save private key to choose a location to save the private key to.

    PuTTYgen writes the private key to a file with a .ppk extension.

  8. Click Save public key to choose a location to save your public key to. Keep the PuTTYgen window open.

  9. Copy the text from the Public key for pasting into OpenSSH authorized_keys file field.

  10. Open the public key file. The public key has a format similar to the following:

    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "USERNAME"
    KEY_VALUE
    ---- END SSH2 PUBLIC KEY ----
    
  11. Replace the entire contents of the public key file with the value you copied from the Public key for pasting into OpenSSH authorized_keys file field, so that your public key file matches the following format:

    KEY_VALUE USERNAME
    

A public key for the user cloudysanfrancisco looks similar to the following:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... cloudysanfrancisco
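
Steps 10 and 11 can also be done programmatically. The following is an added example, not part of the original page: it reads the file written by Save public key (the SSH2 format shown in step 10, defined in RFC 4716), drops the header lines, joins the wrapped KEY_VALUE, and emits the single-line KEY_VALUE USERNAME form with the key type in front. The function name and the sample file are assumptions made for this example, and the sample key is a constructed 16-bit toy value.

```python
import base64

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# Constructed sample: a 16-bit toy value, far too short to be a usable key.
SAMPLE_FILE = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "cloudysanfrancisco"
AAAAB3NzaC1yc2EA
AAADAQABAAAAAsFa
---- END SSH2 PUBLIC KEY ----
"""


def ssh2_to_openssh(text):
    """Turn a PuTTYgen 'Save public key' file into 'TYPE KEY_VALUE USERNAME'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END SSH2 PUBLIC KEY markers")
    comment, body, header = None, [], ""
    for ln in lines[1:-1]:
        if header or ":" in ln:            # base64 never contains ':'
            header += ln.rstrip("\\")
            if ln.endswith("\\"):          # header continues on the next line
                continue
            tag, _, value = header.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
            header = ""
        else:
            body.append(ln)
    if not comment:
        raise ValueError("no Comment header to use as USERNAME")
    key_value = "".join(body)
    blob = base64.b64decode(key_value, validate=True)
    name_len = int.from_bytes(blob[:4], "big")   # first field is the key type
    key_type = blob[4:4 + name_len].decode("ascii")
    return f"{key_type} {key_value} {comment}"


if __name__ == "__main__":
    print(ssh2_to_openssh(SAMPLE_FILE))
```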

What's next?