Managing SSH keys

To access IBM Cloud® Virtual Servers for Virtual Private Cloud instances, you must have an SSH key available to use. You can create, update, and delete SSH keys in the IBM Cloud console, CLI, and API.

Managing keys by using the IBM Cloud console or CLI has no effect on keys in instances that are already created. (For an existing Linux instance, you can edit keys directly in the ~/.ssh/ directory of the instance.)

IBM Cloud® Virtual Private Cloud supports two different types of public SSH keys.

  • RSA
  • Ed25519

You can generate new RSA key pairs using the UI. Pre-existing RSA and Ed25519 SSH keys can be uploaded. Ed25519 can be used only if the operating system supports this key type. Ed25519 can't be used with Windows or VMware images.

Before you begin

To create a virtual server instance, you must create or upload an SSH key and have it available so that you can connect to your instance after it is provisioned.

Managing SSH keys with IBM Cloud console

When you provision a virtual server, you can create a new SSH key, select from an available list of existing SSH keys or upload a new one.

  1. In IBM Cloud console, go to the Navigation Menu > VPC Infrastructure > Compute > SSH keys. Any existing SSH keys are displayed.

  2. On the SSH keys for VPC tab, click the Actions icon for an SSH key and select from the available options.

    Table 1. SSH key actions

    | Action | Description |
    |--------|-------------|
    | Rename | After you update an existing SSH key, the key is renamed immediately. |
    | Delete | After you remove an SSH key, it can no longer be used when you provision an instance or when you perform an OS reload on an existing instance. However, the key is still available on any instances that you previously provisioned with it, and you can use it to log in. |

    You are shown a list of the available regions for your specific resource group.

Managing SSH keys by using the CLI

You can also manage your SSH keys by using the CLI.

Make sure that the IBM Cloud CLI vpc-infrastructure plug-in is installed. For more information, see IBM Cloud CLI for VPC.

Table 1. SSH key actions

| Action | Command | What happens next |
|--------|---------|-------------------|
| Create SSH key. | ibmcloud is key-create | After you create an SSH key, it is added to the list of keys. |
| View key details. | ibmcloud is key | You can view the name of the key and the ID of the key. |
| List keys. | ibmcloud is keys | You can view all of your existing SSH keys. |
| Update key. | ibmcloud is key-update | After you update an existing key, the key is renamed immediately. |
| Delete key. | ibmcloud is key-delete | After you remove an SSH key, it can no longer be used when you provision an instance or when you perform an OS reload on an existing instance. However, the key is still available on any instances that you previously provisioned with it, and you can use it to log in. |

Managing SSH keys by using the API

You can also manage your SSH keys by using the API. For more information about the $vpc_api_endpoint and $iam_token variables in the following examples, see the Authentication and Endpoint URLs sections in Virtual Private Cloud API Introduction.

Managing SSH keys by using Terraform

You can also manage your SSH keys by using Terraform. See ibm_is_ssh_keys for more information.

Listing all your SSH keys by using the UI

To list all your SSH keys, complete the following steps.

  1. In IBM Cloud console, go to the Navigation Menu > VPC Infrastructure > Compute > SSH keys.
  2. Any existing SSH keys are displayed.

Listing all your SSH keys by using the CLI

To view all of your existing SSH keys, use the ibmcloud is keys command.

Use the --all-resource-groups option to list the SSH keys for all available resource groups. Optionally, you can filter the list to include only SSH keys for a specific resource group. Specify the resource group by using the RESOURCE_GROUP_ID or RESOURCE_GROUP_NAME variable. For more information, see ibmcloud is keys.

ibmcloud is keys [--all-resource-groups]

Listing all your SSH keys by using the API

To list all SSH keys by using the API, use List all keys.

curl -X GET "$vpc_api_endpoint/v1/keys?version=2023-03-30&generation=2" -H "Authorization: Bearer $iam_token"
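Because a key that is deleted from the VPC inventory stays usable on instances that were provisioned with it, the list returned by this call can be compared with an instance's ~/.ssh/authorized_keys file. The following check is an added example, not IBM code: the function names are hypothetical, the sample data is constructed, and the response is assumed to carry a `keys` array whose items have `name` and `public_key` fields.

```python
import base64
import hashlib
import json

KEY_TYPES = ("ssh-rsa", "ssh-ed25519")


def fingerprint(entry: str) -> str:
    """SHA256 fingerprint of a key entry; tolerates options, comments, or a bare base64 blob."""
    tokens = entry.split()
    at = next((i for i, t in enumerate(tokens[:-1]) if t in KEY_TYPES), None)
    b64 = tokens[0] if at is None else tokens[at + 1]  # bare blob when no type prefix
    digest = hashlib.sha256(base64.b64decode(b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unmanaged_keys(keys_response: str, authorized_keys: str) -> list:
    """Return (line number, fingerprint) for authorized_keys entries absent from the inventory."""
    inventory = {fingerprint(k["public_key"]) for k in json.loads(keys_response)["keys"]}
    findings = []
    for lineno, line in enumerate(authorized_keys.splitlines(), start=1):
        line = line.strip()
        if line and not line.startswith("#") and fingerprint(line) not in inventory:
            findings.append((lineno, fingerprint(line)))
    return findings


def constructed_key(seed: int) -> str:
    """Constructed Ed25519-shaped blob for the sample data (not a real credential)."""
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()


# Constructed sample: the inventory holds two keys; the instance still trusts a third.
SAMPLE_RESPONSE = json.dumps({"keys": [
    {"name": "my-key-1", "public_key": "ssh-ed25519 " + constructed_key(1)},
    {"name": "my-key-2", "public_key": constructed_key(2)},
]})
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# provisioned keys",
    "ssh-ed25519 " + constructed_key(1) + " alice@laptop",
    "ssh-ed25519 " + constructed_key(2),
    "ssh-ed25519 " + constructed_key(3) + " former-admin",
])

if __name__ == "__main__":
    print(find_unmanaged_keys(SAMPLE_RESPONSE, SAMPLE_AUTHORIZED_KEYS))
```

An entry that is reported here is a candidate for review, not proof of misuse: it can also be a key that was added to the instance by hand.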

Listing all your SSH keys by using Terraform

To list all SSH keys by using Terraform, use ibm_is_ssh_keys.

data "ibm_is_ssh_keys" "keys" {}

Viewing the details of your SSH key by using the UI

You can view the following details of an SSH key.

  • Name
  • Resource group
  • Fingerprint
  • Type
  • Length
  • Created date (Local)

To view details for an SSH key, complete the following steps.

  1. In IBM Cloud console, go to the Navigation Menu > VPC Infrastructure > Compute > SSH keys.
  2. On the SSH keys for VPC page, a list of all existing SSH keys is displayed.
  3. From the Actions menu, you can Rename or Delete the SSH key.

Viewing the details of your SSH key by using the CLI

You can view the name of the key and the ID of the key by using the ibmcloud is key command. Specify the name of the SSH key by using the KEY variable. For more information, see ibmcloud is key in the VPC CLI reference guide.

ibmcloud is key KEY

Viewing details of your SSH key by using the API

To retrieve information for a specific key by using the API, use Retrieve a key.

For the $id variable, specify the name of the SSH key for which you want to display details.

curl -X GET "$vpc_api_endpoint/v1/keys/$id?version=2023-03-30&generation=2" -H "Authorization: Bearer $iam_token"

Viewing details of your SSH key by using Terraform

To retrieve information for a specific key by using Terraform, use ibm_is_ssh_keys.

For the name variable, specify the name of the SSH key for which you want to display details.

data "ibm_is_ssh_key" "example" {
  name = "example-ssh-key"
}

Creating an SSH key by using the UI

Use the following steps to create a new SSH key. You can create only RSA SSH key types. To use an Ed25519 SSH key, that SSH key must be imported. For more information, see Importing an SSH key by using the UI.

  1. In IBM Cloud console, go to the Navigation Menu > VPC Infrastructure > Compute > SSH keys.

  2. Click Create and enter the information that is in Table 1.

    Table 1. Creating an SSH key for VPC selections

    | Field | Value |
    |-------|-------|
    | Location | Locations are composed of regions (specific geographic areas) and zones (fault-tolerant data centers within a region). Select the location where you want to create your SSH key. |
    | Name | A name is required for your SSH key. |
    | Resource group | Select a resource group for the SSH key. |
    | Tags | You can assign a user tag to the SSH key so that you can easily filter a list of SSH keys. For more information, see Working with tags. |
    | Access management tags | Access management tags help you apply flexible access policies on specific resources. For more information, see the Controlling access to resources by using tags UI tutorial. |
    | SSH key type | The default value is rsa. You can generate new RSA key pairs using the UI. Pre-existing RSA and Ed25519 SSH keys can be uploaded. Ed25519 can be used only if the operating system supports this key type. Ed25519 can't be used with Windows or VMware images. |

  3. Select Generate a key pair for me.

  4. Optionally, click Get sample API call to get an API code with all your SSH key information that you can copy.

  5. Click Create.

Your new SSH key is now displayed in the list of SSH keys on the UI.

Importing an SSH key by using the UI

You can import an SSH key in two ways. You can upload a public key from a local file. Or you can copy and paste your public key information into the UI.

Use the following steps to import an SSH key from a local file.

  1. In IBM Cloud console, go to the Navigation Menu > VPC Infrastructure > Compute > SSH keys.

  2. Click Create and enter the information that is in Table 1.

    Table 1. Creating an SSH key for VPC selections

    | Field | Value |
    |-------|-------|
    | Location | Locations are composed of regions (specific geographic areas) and zones (fault-tolerant data centers within a region). Select the location where you want to create your SSH key. |
    | Name | A name is required for your SSH key. |
    | Resource group | Select a resource group for the SSH key. |
    | Tags | You can assign a user tag to the SSH key so that you can easily filter a list of SSH keys. For more information, see Working with tags. |
    | Access management tags | Access management tags help you apply flexible access policies on specific resources. For more information, see the Controlling access to resources by using tags UI tutorial. |
    | SSH key type | Select a key type for the SSH key. The default value is rsa. The ed25519 SSH key type can be used only to create instances if the operating system supports this key type. This key type can't be used with Windows or VMware images. |

  3. Select Provide existing public key.

  4. Click Upload public key.

  5. Select the public key file and click Open. The file extension, .pub, typically indicates which file contains the public key.

  6. Optionally, click Get sample API call to get an API code with all your SSH key information that you can copy.

  7. Click Create.

If you copy an SSH key from a terminal to add the key to your VPC, sometimes extra line breaks are introduced which cause a parsing error. To avoid this issue, first paste your SSH key into a text editor and remove any extra line breaks. Then, copy the SSH key from text editor and paste it into the VPC UI, CLI, or API.

Your imported SSH key is now displayed in the list of SSH keys on the UI.
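The line-break problem described in the note above can be caught before the key is pasted or sent. The following validator is an added example, not IBM code: the function names are hypothetical and the sample key is constructed. It rejoins a wrapped key, checks that the type is one of the two that the page lists, confirms that the key data is complete, and returns the one-line key with its SHA256 fingerprint for comparison with the Fingerprint detail in the key list.

```python
import base64
import hashlib

# Key types the page lists as supported, with the field count of each key blob.
SUPPORTED = {"ssh-rsa": ("rsa", 3), "ssh-ed25519": ("ed25519", 2)}


def parse_blob(blob: bytes) -> list:
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or end > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos + 4:end])
        pos = end
    return fields


def normalize_public_key(pasted: str) -> dict:
    """Rejoin a key that picked up line breaks and return the one-line form to upload."""
    tokens = pasted.split()
    if len(tokens) < 2 or tokens[0] not in SUPPORTED:
        raise ValueError("expected ssh-rsa or ssh-ed25519 followed by key data")
    key_type, field_count = SUPPORTED[tokens[0]]
    b64 = ""
    for i, fragment in enumerate(tokens[1:], start=2):
        b64 += fragment
        try:
            blob = base64.b64decode(b64, validate=True)
            fields = parse_blob(blob)
        except ValueError:
            continue  # key data still incomplete: keep joining fragments
        if len(fields) == field_count and fields[0] == tokens[0].encode():
            digest = hashlib.sha256(blob).digest()
            return {
                "type": key_type,
                "public_key": " ".join([tokens[0], b64] + tokens[i:]),
                "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            }
    raise ValueError("key data is incomplete or does not match its declared type")


def constructed_ed25519_line() -> str:
    """Constructed sample key (not a real credential): type field plus 32 fixed bytes."""
    parts = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"
```

The returned `type` value is the one to pass as the key type, and `public_key` is the single-line string to paste or send.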

Importing your SSH key by using the CLI

To import an SSH key by using the CLI, use the ibmcloud is key-create command. The file that you import is id_rsa.pub or id_ed25519.pub, which contains your public key. You must specify the name or ID of the SSH key by using the KEY_NAME variable and the public SSH key you are importing by using the KEY variable. Specify the SSH key type with the --key-type option. Optionally, you can specify a resource group when you create the SSH key. Specify the resource group by using either the RESOURCE_GROUP_ID or RESOURCE_GROUP_NAME variable. See ibmcloud is key-create in the VPC CLI reference guide.

ibmcloud is key-create KEY_NAME (KEY | @KEY_FILE) [--resource-group-id RESOURCE_GROUP_ID | --resource-group-name RESOURCE_GROUP_NAME] [--key-type KEY_TYPE]

Importing your SSH key by using the API

To import a new SSH key by using the API, use Create a key. The file that you import is id_rsa.pub or id_ed25519.pub, which contains your public key. You can't create a brand-new SSH key by using the API. However, you can create a new SSH key by using the UI and, from the UI, generate the API code snippet that you need, which includes the new SSH key. For more information, see Creating an SSH key by using the UI.

For the name property, specify the name of the SSH key. For the public_key property, enter the public key information. For the type property, specify either rsa or ed25519 for the SSH key type.

The Ed25519 SSH key type can be used only to create instances if the operating system supports this key type. This key type can't be used with Windows or VMware images.

curl -X POST "$vpc_api_endpoint/v1/keys?version=2023-03-30&generation=2" -H "Authorization: Bearer $iam_token" -d '{
      "name":"my-key-1",
      "public_key":"AAAAB3NzaC1yc2EAAAADAQABAAABAQDDGe50Bxa5T5NDddrrtbx2Y4/VGbiCgXqnBsYToIUKoFSHTQl5IX3PasGnneKanhcLwWz5M5MoCRvhxTp66NKzIfAz7r+FX9rxgR+ZgcM253YAqOVeIpOU408simDZKriTlN8kYsXL7P34tsWuAJf4MgZtJAQxous/2byetpdCv8ddnT4X3ltOg9w+LqSCPYfNivqH00Eh7S1Ldz7I8aw5WOp5a+sQFP/RbwfpwHp+ny7DfeIOokcuI42tJkoBn7UsLTVpCSmXr2EDRlSWe/1M/iHNRBzaT3CK0+SwZWd2AEjePxSnWKNGIEUJDlUYp7hKhiQcgT5ZAnWU121oc5En",
      "type":"rsa"
    }'

Importing your SSH key by using Terraform

To import a new SSH key by using Terraform, use ibm_is_ssh_keys.

To import a new SSH key, complete the following steps.

  1. Create a resource block of type ibm_is_ssh_key with the required values. For the name attribute, specify a dummy name for the SSH key. For the public_key attribute, enter dummy public key information.

    resource "ibm_is_ssh_key" "example_sshkey" {
      name = "my-key"
      public_key = "public-key"
    }
    
  2. After creating the resource, run the following Terraform command to import the SSH key.

    terraform import ibm_is_ssh_key.example_sshkey d7bec597-4726-451f-8a63-e62e6f19c32c
    
  3. Improve the configuration to match the state. Copy over the resource block details to avoid replacing the resource block.

    resource "ibm_is_ssh_key" "example_sshkey" {
       name       = "example-sshkey"
       public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKVmnMOlHKcZK8tpt3MP1lqOLAcqcJzhsvJcjscgVERRN7/9484SOBJ3HSKxxNG5JN8owAjy5f9yYwcUg+JaUVuytn5Pv3aeYROHGGg+5G346xaq3DAwX6Y5ykr2fvjObgncQBnuU5KHWCECO/4h8uWuwh/kfniXPVjFToc+gnkqA+3RKpAecZhFXwfalQ9mMuYGFxn+fwn8cYEApsJbsEmb0iJwPiZ5hjFC8wREuiTlhPHDgkBLOiycd20op2nXzDbHfCHInquEe/gYxEitALONxm0swBOwJZwlTDOB7C6y2dzlrtxr1L59m7pCkWI4EtTRLvleehBoj3u7jB4usR"
       type = "rsa"
    }
    

Updating your SSH key by using the CLI

You can update an existing key by using the ibmcloud is key-update command. After you update an existing key, the key is renamed immediately. For more information, see ibmcloud is key-delete. You must specify both the current SSH key name by using the KEY variable and the new SSH key name by using the NEW_NAME variable in the --name option.

ibmcloud is key-update KEY [--name NEW_NAME]

Updating your SSH key by using the API

To update an existing SSH key by using the API, use Update a key. After you update an existing key, the key is renamed immediately.

For the $id variable, specify the current name of the SSH key. For the name property, specify the new name for the SSH key.

curl -X PATCH "$vpc_api_endpoint/v1/keys/$id?version=2023-03-30&generation=2" -H "Authorization: Bearer $iam_token" -d '{ "name": "my-key-1-updated" }'

Updating your SSH key by using Terraform

To update an existing SSH key by using Terraform, use ibm_is_ssh_keys. After you update an existing key, the key is renamed immediately.

  1. Update the SSH key resource block. For the name property, specify the new name for the SSH key.

    resource "ibm_is_ssh_key" "example_sshkey" {
       name       = "new-example-sshkey"
       public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKVmnMOlHKcZK8tpt3MP1lqOLAcqcJzhsvJcjscgVERRN7/9484SOBJ3HSKxxNG5JN8owAjy5f9yYwcUg+JaUVuytn5Pv3aeYROHGGg+5G346xaq3DAwX6Y5ykr2fvjObgncQBnuU5KHWCECO/4h8uWuwh/kfniXPVjFToc+gnkqA+3RKpAecZhFXwfalQ9mMuYGFxn+fwn8cYEApsJbsEmb0iJwPiZ5hjFC8wREuiTlhPHDgkBLOiycd20op2nXzDbHfCHInquEe/gYxEitALONxm0swBOwJZwlTDOB7C6y2dzlrtxr1L59m7pCkWI4EtTRLvleehBoj3u7jB4usR"
       type = "rsa"
    }
    
  2. Run terraform apply to update the resource with the new name.

Deleting your SSH key by using the CLI

To delete one or more SSH keys by using the CLI, use the ibmcloud is key-delete command. For more information, see ibmcloud is key-delete. Specify the name of each SSH key that you delete by using the KEY variable.

ibmcloud is key-delete (KEY1 KEY2 ...)

Deleting your SSH key by using the API

To delete one or more SSH keys by using the API, use Delete a key.

For the $id variable, specify the name of the SSH key you want to delete.

curl -X DELETE "$vpc_api_endpoint/v1/keys/$id?version=2023-03-30&generation=2" -H "Authorization: Bearer $iam_token"

Deleting your SSH key by using Terraform

To delete your SSH key by using Terraform, use ibm_is_ssh_keys.

Replace example_sshkey with the name of the SSH key resource that you want to delete.

terraform destroy --target ibm_is_ssh_key.example_sshkey