# SSH Keys

SSH keys provide secure, passwordless authentication to your TeraSwitch servers. Managing keys at the project level allows you to easily deploy consistent access across your infrastructure.

### Accessing SSH Keys

1. Go to **Settings**
2. Select **Project** scope
3. Click **SSH Keys** tab

### SSH Keys List

The keys table displays:

| Column               | Description            |
| -------------------- | ---------------------- |
| Name                 | Key identifier         |
| SSH Key              | Public key (truncated) |
| Created (Local Time) | When key was added     |
| Actions              | Management options     |

### Adding SSH Keys

#### Generate a Key Pair

If you don't have an SSH key, generate one:

```bash
# ED25519 (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# RSA (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```

This creates:

* Private key: `~/.ssh/id_ed25519` (keep secret!)
* Public key: `~/.ssh/id_ed25519.pub` (upload this)

#### Add to TeraSwitch

1. Click **Add SSH key**
2. Enter a **Name**:
   * Descriptive identifier
   * Example: "laptop-key" or "ci-deploy-key"
3. Paste your **SSH Key** (public key):

   ```
   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxx... your_email@example.com
   ```
4. Click **Add**

#### Key Format

Public keys should start with:

* `ssh-ed25519` (ED25519)
* `ssh-rsa` (RSA)
* `ecdsa-sha2-nistp256` (ECDSA)

### Using SSH Keys

#### During Deployment

When creating metal or cloud instances:

1. Select **SSH Keys** for authentication
2. Check the keys to install
3. Selected keys are added to authorized\_keys

#### Connecting

```bash
ssh ubuntu@your-server-ip
```

SSH automatically uses your private key if it matches an authorized key on the server.

#### Specifying a Key

If you have multiple keys:

```bash
ssh -i ~/.ssh/your_private_key ubuntu@your-server-ip
```

### Managing Keys

#### Viewing Keys

The list shows all keys in the current project. Each key can be used when deploying new instances.

#### Removing Keys

To remove a key:

1. Find the key
2. Click **Actions** > **Delete**
3. Confirm deletion

{% hint style="warning" %}
Removing a key from TeraSwitch does NOT remove it from existing servers. You must manually remove it from each server's `~/.ssh/authorized_keys`.
{% endhint %}

\## Best Practices

#### Key Management

* **Descriptive Names**: Include device and owner
* **One Key Per Device**: Don't share private keys
* **Regular Rotation**: Replace keys periodically
* **Remove Unused**: Delete keys for departed team members

#### Security

* **Protect Private Keys**: Never share or commit to git
* **Use Passphrases**: Add password protection to private keys
* **Secure File Permissions**: `chmod 600 ~/.ssh/id_*`
* **Use SSH Agent**: Avoid typing passphrases repeatedly

#### Organization

Create separate keys for:

* Different team members
* Different devices (laptop, desktop)
* CI/CD pipelines
* Automation scripts

### SSH Config

Simplify connections with `~/.ssh/config`:

```
Host teraswitch-prod
    HostName 192.0.2.10
    User ubuntu
    IdentityFile ~/.ssh/teraswitch_prod

Host teraswitch-staging
    HostName 192.0.2.20
    User ubuntu
    IdentityFile ~/.ssh/teraswitch_staging
```

Then connect with:

```bash
ssh teraswitch-prod
```

### Troubleshooting

#### Permission Denied

Check:

1. Key is added to TeraSwitch project
2. Key was selected during deployment
3. Using correct username (usually `ubuntu`)
4. Private key permissions: `chmod 600 ~/.ssh/id_*`

#### Key Not Found

Verify:

1. Public key in correct format
2. Key exists in project
3. Instance deployed after key was added

#### Adding Keys to Existing Servers

For servers deployed before adding a key:

```bash
# On server, add to authorized_keys
echo "ssh-ed25519 AAAAC3..." >> ~/.ssh/authorized_keys
```

Or use `ssh-copy-id`:

```bash
ssh-copy-id -i ~/.ssh/new_key.pub ubuntu@server-ip
```

### SSH Agent

Use SSH agent to avoid typing passphrases:

```bash
# Start agent
eval "$(ssh-agent -s)"

# Add key
ssh-add ~/.ssh/id_ed25519
```

#### Persistent Agent (Linux)

Add to `~/.bashrc`:

```bash
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval "$(ssh-agent -s)"
    ssh-add
fi
```

#### macOS Keychain

```bash
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
```

Add to `~/.ssh/config`:

```
Host *
    UseKeychain yes
    AddKeysToAgent yes
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.teraswitch.com/account/ssh-keys.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.