How to generate an SSH key pair

Reviewed on April 01, 2025

SSH keys allow you to securely connect to your Instances, Elastic Metal servers, and Mac minis without using a password. An SSH key consists of a key pair, which has two elements:

An identification key (also known as a private key), which you must keep securely on the computer you want to connect from.
A public key is uploaded to the Scaleway console, where it is displayed with a customizable name and a hash of its value, known as a fingerprint, to make it more identifiable. The public key is transferred to your Instance during the boot process for authentication.

You can generate the SSH key pair on your local machine. The process will depend on your operating system.

We recommend you use either:

an Ed25519 SSH key pair, to connect to your Linux-based Instances.
an RSA SSH key pair, to connect to your Windows-based Instances.

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization

How to generate an SSH key pair

How to generate an Ed25519 SSH key pair

Ed25519 SSH key pairs allow you to connect to your Linux-based Instances from a macOS, Linux or Windows machine.

On macOS and Linux, you can generate the SSH key pair directly from the terminal.

Open a terminal.
Run the following command to generate a new key:
```
ssh-keygen -t ed25519 -C "login@example.com"
```
Important
It is strongly recommended to use Ed25519 for increased security and performance. If you cannot use Ed25519 keys, you can create an RSA4096 key as a fallback option:
ssh-keygen -o -b 4096 -C "login@example.com"
When prompted to enter a file path in which to save the key, either specify a path or press Enter to accept the default location (~/.ssh/id_ed25519).
```
Enter file in which to save the key (~/.ssh/id_ed25519):
```
Enter a passphrase when prompted. This step is optional but recommended for increased security. If you do not want to set a passphrase, press Enter directly.
```
Enter passphrase (empty for no passphrase):
```
Confirm the passphrase by entering it again when prompted, and press Enter:
```
Enter same passphrase again:
```
The key pair will be generated in the specified filepath. The key pair consists of:
- The public key, named id_ed25519.pub
- The private key, named id_ed25519
Important
Ensure that the private key file (<key_name>) is kept secure. Do not share it with unauthorized parties. You can set appropriate permissions on the file to restrict access using the following command:
chmod 600 <key_name>

Display the content of the public key with the following command and copy it:

cat ~/.ssh/id_ed25519.pub

An output similar to the following displays:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPZxtCMs5sIfsMWpq7SHuqFFpBtSTmFqXWOYdf6dX4i login@example.com

Copy the content of the public key displayed, as you will need this in the next step.

On Windows, you can use the third-party application PuTTYgen to generate an SSH key pair.

Download and install PuTTY on your local computer. The PuTTYgen application is automatically installed along with the main PuTTY application.
Launch PuTTYgen by double-clicking the application icon.
Select EdDSA and click the Generate button. You can also add a passphrase before generating the key to increase security.
Move the mouse around the blank area as instructed to generate randomness.

The public and private key are generated, and the following screen will display:
Complete the steps on the screen to finish:
- Fill in the Key comment field with a name to help you identify this key pair.
- Click the Save public key button and save it in the folder of your choice.
- Click the Save private key button to save it in the same folder.
  Important
  Ensure that the private key file (<key_name>) is kept secure. Do not share it with unauthorized parties.
- Select the content of the public key (the sequence of characters under "Public key for pasting into OpenSSH authorized_keys file") and copy it, as you will need this in the next step.

How to generate a RSA SSH key pair

RSA SSH key pairs allow you to connect to your Windows-based Instances from a macOS, Linux or Windows machine. RSA (Rivest-Shamir-Adleman) is a prevalent asymmetric cryptographic algorithm used for secure data transmission.

Note

We recommend you use Ed25519 keys for SSH connections to your Linux Instances.

Open a terminal or command prompt on your local machine. This could be Terminal on macOS/Linux or the Command Prompt/PowerShell on Windows.
Run the following command to generate the RSA key pair:
```
ssh-keygen -t rsa -b 4096 -C "login@example.com" -o -a 100
```
- When prompted, enter the file in which to save the key and press Enter. If you want to save it to the default location, press Enter without typing a filename.
- Enter a passphrase and press Enter. For added security, choose a strong passphrase.
- Enter the same passphrase again to confirm and press Enter.
This command will generate two files:
- <key_name>: The private key file (e.g., id_rsa)
- <key_name>.pub: The public key file (e.g., id_rsa.pub)
Important
Ensure that the private key file (<key_name>) is kept secure. Do not share it with unauthorized parties. You can set appropriate permissions on the file to restrict access using the following command:
chmod 600 <key_name>

How to upload the public SSH key to the Scaleway interface

You must upload the content of the public part of the SSH key pair you just generated to the Scaleway interface. This is then transferred to your Instance during the boot process. You can then connect and authenticate from your local machine, where your private key is stored, to the remote Instance, where the public key can be found.

Go to your Project dashboard.

Tip
Check if you are in the right Project before proceeding. You can check your current Organization and Project in the top-left corner of the Scaleway console. If you wish to change your Project, click the current Project name in the breadcrumb navigation and select a different existing Project in the drop-down. Click Create Project to create a new one.
Click + Add SSH key. A popup displays.
Enter a name for your SSH key, paste the content of the public key copied earlier into the Public key box, then click Add SSH key.

You can now connect to your Instances via SSH.

Troubleshooting

If you have any difficulties connecting to an Instance after uploading a new public SSH key to your Project, try the following:

If you cannot connect to your Instance at all via SSH, reboot your Instance from the console and try again.
If you can connect to your Instance using a previously uploaded SSH key but not the new one, go ahead and connect to your Instance with the old key. Once connected, run the scw-fetch-ssh-keys --upgrade command, which launches a script on your Instance to update your SSH keys. You can then check that the new key has been added to the authorized_keys file (~/.ssh/authorized_keys). Note that this command works only for Instances.

For further information, refer to the dedicated SSH connection troubleshooting documentation.