About Keypairs
Keypairs are pairs of SSH keys that enable you to connect to your instances. When launching instances, you need to specify the keypair you want to use, and use its private key to connect to the instance.
Public and Private Keys
A keypair is composed of a public key and a private key.
You can:
- Generate a 2048-bit RSA keypair using the APIs or Cockpit. For more information, see Creating a Keypair.
- Import the public key of an existing keypair created by a third-party tool, in one of the following types: RSA (minimum 2048 bits, recommended 4096 bits), ECDSA (minimum and recommended 256 bits), and Ed25519. The following formats can be used: PEM, PKCS8, RFC4716, and OpenSSH. For more information, see Importing a Keypair.
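The import rules above can be checked locally before a public key is submitted. The following Python code is an added example, not part of the original documentation or of any OUTSCALE tool; it handles only the OpenSSH one-line format, and the function names and the constructed sample key are assumptions made for illustration.

```python
import base64

# Minimum sizes in bits, taken from the import rules above.
MIN_RSA_BITS = 2048
MIN_ECDSA_BITS = 256

def pack_field(data):
    """Encode one length-prefixed field of an SSH key blob (RFC 4251 string)."""
    return len(data).to_bytes(4, "big") + data

def read_field(blob, offset):
    """Decode one length-prefixed field; return (data, next_offset)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if end > len(blob):  # also true when the 4-byte length prefix itself is cut short
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key(line):
    """Return (key_type, bits) if the key meets the import rules, else raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = parts[0]
    blob = base64.b64decode(parts[1], validate=True)  # bad base64 raises a ValueError subclass
    name, offset = read_field(blob, 0)
    if name != declared.encode():
        raise ValueError("declared type does not match the key blob")
    if declared == "ssh-ed25519":
        key, _ = read_field(blob, offset)
        if len(key) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        return declared, 256
    if declared == "ssh-rsa":
        _exponent, offset = read_field(blob, offset)
        modulus, _ = read_field(blob, offset)
        bits, minimum = int.from_bytes(modulus, "big").bit_length(), MIN_RSA_BITS
    elif declared.startswith("ecdsa-sha2-nistp"):
        # Size is read from the curve name, e.g. ecdsa-sha2-nistp256 -> 256.
        bits, minimum = int(declared[len("ecdsa-sha2-nistp"):]), MIN_ECDSA_BITS
    else:
        raise ValueError("unsupported key type: " + declared)
    if bits < minimum:
        raise ValueError(f"{declared} key is {bits} bits, minimum is {minimum}")
    return declared, bits

def make_rsa_line(bits):
    """Constructed sample: a well-formed ssh-rsa line of the given size (not a usable key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 as in mpint
    blob = pack_field(b"ssh-rsa") + pack_field(b"\x01\x00\x01") + pack_field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"
```

Reading the size from the decoded modulus rather than from the file name or comment means a 1024-bit key is rejected even when it is labelled otherwise.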
Give your keypairs explicit names so that their purpose is easier to understand. For example, you can use names in the application-environment-role format.
In either case, the public key of the keypair is stored by 3DS OUTSCALE, and is only available in the metadata of the instance. However, the private key is never provided to 3DS OUTSCALE. For more information about instance metadata, see Accessing the Metadata and User Data of an Instance.
For Linux instances launched from an official OMI, you can replace the public key of the keypair in the authorized_keys file with the public key of a new keypair. For more information, see Modifying the Keypair of an Instance.
Keypairs and OMIs
All official OMIs use keypairs as their authentication system. When launching an instance from an official OMI, you need to assign a keypair to it:
- For Linux instances, the instance gets the public key of the keypair from its metadata and associates it with the root user by inserting it in its home directory, in the authorized_keys file. For more information, see Accessing a Linux Instance from a Linux or macOS or Accessing a Linux Instance from a Windows OS.
- For Windows instances, the keypair enables you to get and decrypt the Administrator password at first launch. For more information, see Accessing a Windows Instance.
Non-official OMIs can use any authentication system. When launching an instance, you need to check whether a keypair is required for the specified OMI.
We strongly recommend using only official OMIs or OMIs from the OUTSCALE Marketplace. We cannot guarantee the security of instances launched using OMIs from other sources.
After connecting to an instance for the first time, you can:
- Replace the assigned keypair. For more information, see Modifying the Keypair of an Instance.
- Replace the keypair with another authentication system of your choice, for example the Kerberos or Radius protocols.
- Add one or several other authentication systems apart from the keypair.