SSH Keys

SSH keys are one of the most secure ways to access a web server, since they require authentication beyond a simple password. While each new Equinix Metal™ server has a root password assigned, it is removed from the customer portal after 24 hours. You can either add a new root password to the server, or you can use SSH to log in.

SSH keys are generated on your local machine as a pair: a public key and a private key. When you place your public key on your Equinix Metal server, you can connect to it from the local machine containing the private key.

Adding Your SSH Key to Your Account

If you already have SSH keys set up on your local machine, you can add your public key to your Equinix Metal account.

SSH Key management is in your Personal Settings, on the SSH Keys tab. Click + Add Key to add a new SSH Key to your account.

Personal Keys vs Project Keys

Equinix Metal has two types of SSH Keys, personal keys and project keys.

A personal key will be included on all new servers in the projects that you own, or of which you are a collaborator.

You can also choose to create and manage a key that is specific to a single project, which will be included by default on servers deployed into a particular project. This second option is useful if you don’t want to use a personal key that you leverage in lots of places on a shared box.

Adding SSH Keys with the API

You can add a public key to your account by sending a POST request to the /ssh-keys endpoint of the Equinix Metal API.

curl -X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Token: <API_TOKEN>" \
"https://api.equinix.com/metal/v1/ssh-keys" \
-d '{
    "label": "my machine ssh key",
    "key": "ssh-rsa....."
} '

You can add a public key to a project by sending a POST request to the /projects/{id}/ssh-keys endpoint.

curl -X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Token: <API_TOKEN>" \
"https://api.equinix.com/metal/v1/projects/{id}/ssh-keys" \
-d '{
    "label": "my machine ssh key",
    "key": "ssh-rsa....."
} '

Adding SSH Keys with the CLI

You can also add a public key to your account with the ssh-key create CLI command.

packet ssh-key create --label "my machine ssh key" --key "ssh-rsa....."

Getting Your Key(s) on Your Server(s)

We use our cloud-init service to add all the selected keys (Personal + Project specific + Collaborator) onto each new server at provision time. So as soon as your server is deployed, you can access it via SSH.

Any keys you (or your collaborators) add after a server is provisioned won’t be available on the machine automatically. If you add a key that you want to be able to use to access your existing servers, you need to use the option to associate the new key with specific servers when it is created. This option is also only available through the Equinix Metal console.

After the new key is added in the console, you need to force-add it to your server(s). Use our SOS service to log in (root + password) and manually add the new key to the authorized_keys file.

Managing SSH Keys

You can see the list of SSH Keys on your account in the Equinix Metal console from your Personal Settings, on the SSH Keys tab. You can see a list of the SSH Keys on a project from the Project Settings page, on the SSH Keys tab.

You can list the SSH keys on your account from the API with a GET request to the /ssh-keys endpoint, or you can list all of the SSH keys on a project with a GET request to the /projects/{id}/ssh-keys endpoint.

If you need to see what SSH keys are on a specific server, you can see them from the Equinix Metal console in the server's detail page, on the SSH Keys tab.

You can also get a server's SSH keys from the API by sending a GET request to the /devices/{id}/ssh-keys endpoint.

Deleting SSH Keys

You can remove SSH keys from your account in the Equinix Metal console from your Personal Settings, on the SSH Keys tab, and from a project from the Project Settings page, on the SSH Keys tab.

In the API, SSH keys can be removed from your account by sending a DELETE request to the /ssh-keys/{id} endpoint. The {id} parameter is the UUID of the SSH key, which you might have to retrieve by listing your keys from /ssh-keys.

Keys removed from your account and projects are not automatically deleted from servers. You have to remove them manually from the server itself.
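
Both manual steps described above (adding a key to authorized_keys on an existing server, and removing a key that was deleted from the account or project) can be scripted on the server itself. The following is an added example, not Equinix Metal tooling: the function names and the two sample keys are constructed for illustration, and on a server FILE is assumed to be the login user's ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not Equinix Metal tooling). Keys are matched on the base64
# blob, so a changed comment or added options cannot hide a duplicate.

# Constructed sample keys; the blobs are placeholders, not real key material.
KEY_OLD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOldKeyBlob000000000000000000000 old@laptop'
KEY_NEW='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNewKeyBlob000000000000000000000 new@laptop'

# key_blob "<type> <blob> [comment]" -> prints the blob field
key_blob() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# has_key FILE BLOB -> exit 0 if any line of FILE carries BLOB as a whole field
has_key() {
    awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                   END { exit !found }' "$1"
}

# add_key FILE PUBKEY -> append PUBKEY once, with modes sshd StrictModes accepts
add_key() {
    ak_blob=$(key_blob "$2")
    if [ -z "$ak_blob" ]; then return 2; fi
    ak_dir=$(dirname "$1")
    # Create the directory private if missing; never re-mode an existing one.
    if [ ! -d "$ak_dir" ]; then mkdir -p -m 700 "$ak_dir"; fi
    touch "$1" && chmod 600 "$1"
    if has_key "$1" "$ak_blob"; then return 0; fi
    # Start on a fresh line if the file lacks a trailing newline.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' "$2" >> "$1"
}

# remove_key FILE PUBKEY -> drop every line carrying that blob, atomically
remove_key() {
    rk_blob=$(key_blob "$2")
    if [ -z "$rk_blob" ]; then return 2; fi
    if [ ! -f "$1" ]; then return 0; fi
    rk_tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -v b="$rk_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$1" > "$rk_tmp"
    chmod 600 "$rk_tmp" && mv "$rk_tmp" "$1"
}
```

Removing a key from the file stops new logins with that key; sessions that are already open are not closed by it.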