SSH keypairs are a way to authenticate to your Linux instance (virtual machine) without using a password using the added security of SSH Public-Key authentication.

Public-Key authentication is both:

  • Secure: Breaking an SSH key requires so much time and computational power that these sorts of attacks are not practical in the real world. SSH keys are much more secure than even very strong passwords.

  • Convenient: Instead of managing per-instance passwords or sharing them across your organization, every person who needs access to your servers gives you their public key. You can then set up granular access control by adding those keys only to the relevant instances. If you need to revoke someone’s access, simply revoking their key prevents them from logging in without affecting other people’s workflow.

Exoscale allows you to automatically provision Linux instances with SSH public keys to use for Public-Key authentication with SSHv2.

Note that while you can have multiple keypairs in your account, the instance creation dialog only allows you to select one keypair. After the instance is created, you can allow additional public keys and set up more detailed access control using traditional means.

Keypairs can be imported both by using the CLI or through the Portal.


The supported SSH key formats are ssh-rsa and ssh-ed25519.

Create a New SSH Keypair

If you do not have an SSH keypair, you can create a new SSH keypair on your local machine with the following command in your terminal:

ssh-keygen -t rsa -b 4096 -C 'a-comment-to-identify-your-key'

You will be asked for a name and location to save your new keypair and for a password to protect it. Keypairs are usually stored in the ~/.ssh folder, and the main keypair for a user is usually called id_rsa.

You can then import the content of your new public key to Exoscale.

Provision an Instance with a Keypair

When creating a new instance, select the keypair you want to associate to that instance. The person holding the corresponding private key can log in via SSH.

Please note that deleting a public key in the Portal does not automatically remove the authorized public key from a previously created instance. If you want to completely revoke a key, you need to do so manually by deleting the key on every instance holding it.

Connecting to Your New Instance

When your new instance has started and is running, you can connect to it via SSH. How to use SSH is out of the scope of this documentation, but assuming you have the following conditions:

  • You have SSH installed on your local machine
  • Your private key is stored in ~/.ssh/id_rsa
  • Permissions of the ~/.ssh folder (700) and of your private key (600) are correct
  • You opened TCP port 22 in your instance’s security groups

you should then be able to connect to your instance with:

ssh root@ip-address-of-your-instance

You may be asked for the password of your private key (not the instance password) if it has been set.

You may also see a warning about the remote host identification: this is expected on a first connection and you can trust the remote.