Monday, 5 August 2019

Adding a new SSH key to an existing Digital Ocean droplet

  • devops

Given that you have SSH access to your Digital Ocean droplet (via the web console or via the command line), you may want to allow SSH access for another laptop.

Digital Ocean allows you to attach a new SSH key to your account under Account > Security > SSH Keys, but once you have created a droplet there is no way of attaching any new SSH key you add here as an authorized key on the existing droplet.

If you are working on a laptop which isn't your primary workstation for SSH-ing into the droplet (the primary workstation being, e.g., the one you used to set up the droplet originally), then you need to follow the steps outlined in the section "Connecting from a new workstation"; otherwise follow "Registering a new SSH key from your primary workstation".

Registering a new SSH key from your primary workstation

The registry of permitted public keys on a droplet is held at ~/.ssh/authorized_keys which should look something like the below:

root@mydroplet:~# cat ~/.ssh/authorized_keys 
ssh-rsa [KEY] [IDENTIFIER]
ssh-rsa [KEY] [IDENTIFIER]

If you are working on a laptop which has SSH access to the droplet, then you can add a new SSH key remotely using sshcommand:

$ cat ~/.ssh/ | ssh root@[DROPLETIP] "sudo sshcommand acl-add dokku mynewlaptop"

Dokku also has an authorized_keys registry file at a different location in the Dokku home folder: /home/dokku/.ssh/authorized_keys - the public key for your new workstation will also need to be registered in this file for Dokku deployment to work (e.g. when running git push dokku master from your local dev rig).

If you are using Dokku for deployment then the sshcommand call above should have also registered your new public key in Dokku's version of authorized_keys.

You can double check this by running cat on the /home/dokku/.ssh/authorized_keys file after you've added the new SSH key above:

root@mydroplet:~# cat /home/dokku/.ssh/authorized_keys 
command="FINGERPRINT=SHA256:4G/[REDACTED] NAME=\"work laptop\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding [PUBLIC KEY]
command="FINGERPRINT=SHA256:4G/[REDACTED] NAME=\"home laptop\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding [PUBLIC KEY]

Connecting from a new workstation

If you haven't got access to your primary workstation (if you're at work or on holiday for example), then the process is a little more complex. You can login to your Dokku droplet by navigating to the Droplets page on the Digital Ocean dashboard and clicking More > Access Console on the relevant droplet.

You will be prompted to log in to the console using your root SSH password. The user name will be root when you are prompted. If you don't know what your root password is, you can request a new one to be sent to you over email by clicking on the droplet, going to the "Access" configuration page and clicking "Reset root password".

The web version of the SSH console is O-K. I had some problems with copying in the output of my call to cat ~/.ssh/ locally (the string was all garbled when you copied from one window to another), so the guide below is an alternative hacky approach to adding your SSH key using pastebin as a text file host.

In your local machine's terminal, copy your public key:

$ cat ~/.ssh/


Head over to pastebin, paste the public key and create a paste (setting the paste exposure setting to Unlisted). Once created, grab the raw paste URL which should look something like

Head back over to the droplet web console and create a temporary txt file to store your SSH key:

root@mydroplet:~# touch blah.txt

cURL the raw paste text file, redirecting the output to a file called blah.txt:

root@mydroplet:~# curl > blah.txt

Append the contents of the text file blah.txt preceded by a new line to your ~/.ssh/authorized_keys file:

root@mydroplet:~# cat <(echo) blah.txt >>  ~/.ssh/authorized_keys 

Remove the temporary text file:

root@mydroplet:~# rm blah.txt

Once this has been done, you should be able to log in to your droplet via SSH from your new machine:

$ ssh root@[DROPLETIP]
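
Because the key passes through a third-party paste host on its way to the droplet, it is worth confirming that what curl wrote to blah.txt is the key you pasted before it is appended to ~/.ssh/authorized_keys. The following is an added example, not part of the original post: the function name add_verified_key and its arguments are hypothetical, and the expected fingerprint is the one that ssh-keygen -l -E sha256 -f prints for your public key file on the new workstation.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): append a downloaded public key
# to authorized_keys only when its SHA256 fingerprint matches the expected one.
# add_verified_key and its argument names are hypothetical.

add_verified_key() {
    local keyfile="$1" expected_fp="$2"
    local auth="${3:-$HOME/.ssh/authorized_keys}"
    local out actual_fp key

    # Exactly one non-empty line, so a paste cannot smuggle in extra keys.
    if [ ! -r "$keyfile" ] || [ "$(grep -c . "$keyfile")" -ne 1 ]; then
        echo "refusing: $keyfile must hold exactly one key line" >&2
        return 1
    fi

    # ssh-keygen -l exits non-zero on anything that is not a public key,
    # e.g. an HTML error page or a copy garbled in transit.
    out=$(ssh-keygen -l -E sha256 -f "$keyfile" 2>/dev/null) || {
        echo "refusing: $keyfile is not a valid public key" >&2
        return 1
    }
    actual_fp=$(printf '%s\n' "$out" | awk '{print $2}')

    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "refusing: got $actual_fp, expected $expected_fp" >&2
        return 1
    fi

    # Drop carriage returns in case the download has CRLF line endings.
    key=$(grep . "$keyfile" | tr -d '\r')
    touch "$auth" && chmod 600 "$auth"

    # Already authorized: nothing to do.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi

    # Start on a fresh line if the file does not end with a newline.
    if [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Usage on the droplet (fingerprint read off the new workstation):
#   add_verified_key blah.txt 'SHA256:[FINGERPRINT]'
```

The function replaces only the append step; the temporary file is still removed afterwards as described above.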