SSH key pairs are used to securely authenticate with provisioned VMs without passwords.
The deployer uses SSH keys for:
- Secure access to provisioned instances
- Running Ansible playbooks for configuration
- Executing remote commands via the test command
If you don't already have SSH keys:
# Generate a new SSH key pair (Ed25519 recommended)
ssh-keygen -t ed25519 -C "torrust-deployer" -f ~/.ssh/torrust_deployer
# Set proper permissions
chmod 600 ~/.ssh/torrust_deployer
chmod 644 ~/.ssh/torrust_deployer.pub
For RSA keys (if Ed25519 is not supported):
ssh-keygen -t rsa -b 4096 -C "torrust-deployer" -f ~/.ssh/torrust_deployer
SSH requires strict file permissions:
# Private key: owner read/write only
chmod 600 ~/.ssh/your_private_key
# Public key: owner read/write, others read
chmod 644 ~/.ssh/your_private_key.pub
# SSH directory
chmod 700 ~/.ssh
Reference your keys in the environment configuration:
{
  "ssh_credentials": {
    "private_key_path": "/home/youruser/.ssh/torrust_deployer",
    "public_key_path": "/home/youruser/.ssh/torrust_deployer.pub",
    "username": "torrust",
    "port": 22
  }
}
For local development and testing, the repository includes test keys in fixtures/:
fixtures/testing_rsa # Private key
fixtures/testing_rsa.pub # Public key
⚠️ Warning: Never use test keys for production deployments.
- Use unique keys per project - Don't reuse keys across different projects
- Never commit private keys - Keep private keys out of version control
- Use passphrases for production - Add passphrase protection for production keys
- Ed25519 over RSA - Prefer Ed25519 keys for better security and performance
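A pre-deployment check for the permissions and passphrase advice above, as an added example that is not part of the deployer's own code. The function names (`mode_of`, `check_mode`, `audit_ssh_key`) are hypothetical, and it assumes the key sits in a directory that should be 700 (such as ~/.ssh) and checks the exact modes this guide lists.

```shell
#!/bin/sh
# Added example: audit the permissions this guide requires before a deploy.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Compare one path against the expected mode; report and return 1 on mismatch.
check_mode() {
    path=$1 want=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    have=$(mode_of "$path")
    if [ "$have" != "$want" ]; then
        echo "BAD MODE $path is $have, expected $want (fix: chmod $want $path)"
        return 1
    fi
    echo "OK       $path ($have)"
}

# audit_ssh_key PRIVATE_KEY [PUBLIC_KEY]
# Returns 0 only if the directory, private key and public key all match.
audit_ssh_key() {
    priv=$1 pub=${2:-$1.pub} failed=0
    check_mode "$(dirname "$priv")" 700 || failed=1
    check_mode "$priv" 600 || failed=1
    check_mode "$pub" 644 || failed=1
    # Best practice from this guide: production keys carry a passphrase.
    # An empty passphrase (-P '') only unlocks an unencrypted key.
    if [ "$failed" -eq 0 ] && command -v ssh-keygen >/dev/null 2>&1 &&
        ssh-keygen -y -P '' -f "$priv" >/dev/null 2>&1; then
        echo "WARN     $priv has no passphrase (acceptable for test keys only)"
    fi
    return "$failed"
}
```

Pass the `private_key_path` and `public_key_path` values from the environment configuration as the two arguments; a non-zero exit status means at least one mode needs fixing.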
# Check key permissions
ls -la ~/.ssh/your_private_key
# Should show: -rw------- (600)
chmod 600 ~/.ssh/your_private_key
If you need SSH agent forwarding:
# Add key to SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/your_private_key