About Keypairs

Keypairs are pairs of SSH keys that enable you to connect to your instances. When launching instances, you need to specify the keypair you want to use, and use its private key to connect to the instance.

Public and Private Keys

A keypair is composed of a public key and a private key.

You can:

  • Generate a 2048-bit RSA keypair using the APIs or Cockpit. For more information, see Creating a Keypair.

  • Import the public key of an existing keypair created by a third-party tool, in one of the following types: RSA (minimum 2048 bits, recommended 4096 bits), ECDSA (minimum and recommended 256 bits), and Ed25519. The following formats can be used: PEM, PKCS8, RFC4716, and OpenSSH. For more information, see Importing a Keypair.

Give your keypairs explicit names so that their purpose is understood more easily. You can for example use names in the application-environment-role format:

  • website-all-bastion

  • website-front-lb

  • website-middle-app

  • website-back-db

In either case, the public key of the keypair is stored by 3DS OUTSCALE, and is only available in the metadata of the instance. However, the private key is never provided to 3DS OUTSCALE. For more information about instances metadata, see Accessing the Metadata and User Data of an Instance.

For Linux instances launched from an official OMI, you can replace the public key of the keypair in the authorized_keys file with the public key of a new keypair. For more information, see Modifying the Keypair of an Instance.

Keypairs and OMIs

All official OMIs use keypairs as their authentication system. When launching an instance from an official OMI, you need to assign a keypair to it:

Non-official OMIs can use any authentication system. When launching an instance, you need to check whether a keypair is required for the specified OMI.

We strongly recommend using only official OMIs or OMIs from the OUTSCALE Marketplace. We cannot guarantee the security of instances launched using OMIs from other sources.

After connecting to an instance for the first time, you can:

  • Replace the assigned keypair. For more information, see Modifying the Keypair of an Instance.

  • Replace the keypair with another authentication system of your choice, for example the Kerberos or Radius protocols.

  • Add one or several other authentication systems apart from the keypair.

Related Pages