Managing Key Pairs on Linux Instances

Instances launched using Oracle Linux, CentOS, or Ubuntu images use an SSH key pair instead of a password to authenticate a remote user (see Security Credentials). A key pair consists of a private key and public key. You keep the private key on your computer and provide the public key when you create an instance. When you connect to the instance using SSH, you provide the path to the private key in the SSH command.

If you're using OpenSSH to connect to an instance, you can use a key pair that is generated by Oracle Cloud Infrastructure at the time that you create the instance. OpenSSH should be installed on UNIX-based systems (including Linux and OS X), Windows 10, and Windows Server 2019.


Oracle does not store a copy of the private key generated by the Console. Therefore, keeping a copy of the private key is required to connect to your instance. Without the private key, the only remedy to connect to an instance is to create a new instance using a new private key.

You can have as many key pairs as you want, or you can keep it simple and use one key pair for all or several of your instances.

To create your own key pairs, you can use a third-party tool such as OpenSSH on UNIX-style systems (including Linux, Solaris, BSD, and OS X) or PuTTY Key Generator on Windows.


Anyone who has access to the private key can connect to the instance. Store the private key in a secure location.

Required SSH Public Key Format

If you provide your own key pair, it must use the OpenSSH format.

A public key has the following format:

<key_type> <public_key> <optional_comment>

For example, an RSA public key looks like this:

ssh-rsa AAAAB3BzaC1yc2EAAAADAQABAAABAQD9BRwrUiLDki6P0+jZhwsjS2muM...
                    ...yXDus/5DQ== rsa-key-20201202

For platform images, these SSH key types are supported: RSA, DSA, DSS, ECDSA, and Ed25519. If you bring your own image, you're responsible for managing the SSH key types that are supported.

For RSA, DSS, and DSA keys, a minimum of 2048 bits is recommended. For ECDSA keys, a minimum of 256 bits is recommended.

Before You Begin

  • If you are using a UNIX-style system, then you likely already have the ssh-keygen utility installed. To determine whether the utility is installed, type ssh-keygen on the command line. If it is not installed, then you can download OpenSSH for UNIX from and install.
  • If you are using a Windows operating system, then you must have PuTTY and the PuTTY Key Generator. Download PuTTY and PuTTYgen from and install.
  • Ensure that the permissions for the SSH folder and keys are as follows:
    • The SSH folder must be 700
    • Public keys must be 644
    • Private keys must be 400

Creating an SSH Key Pair on the Command Line

  1. Open a shell or terminal for entering the commands.
  2. At the prompt, enter ssh-keygen and provide a name for the key when prompted. Optionally, include a passphrase.

    The keys will be created with the default values: RSA keys of 2048 bits.

Alternatively, you can type a complete ssh-keygen command, for example:

ssh-keygen -t rsa -N "" -b 2048 -C "<key_name>" -f <path/root_name>

The command arguments are shown in the following table:

Argument Description
-t rsa Use the RSA algorithm.
-N "<passphrase>"

A passphrase to protect the use of the key (like a password). If you don't want to set a passphrase, don't enter anything between the quotes.

A passphrase is not required. You can specify one as a security measure to protect the private key from unauthorized use. If you specify a passphrase, when you connect to the instance you must provide the passphrase, which typically makes it harder to automate connecting to an instance.

-b 2048

Generate a 2048-bit key. You don't have to set this if 2048 is acceptable, as 2048 is the default.

A minimum of 2048 bits is recommended for SSH-2 RSA.

-C "<key_name>" A name to identify the key.
-f <path/root_name> The location where the key pair will be saved and the root name for the files.

Creating an SSH Key Pair Using PuTTY Key Generator

  1. Find puttygen.exe in the PuTTY folder on your computer, for example, C:\Program Files (x86)\PuTTY. Double-click puttygen.exe to open it.
  2. Specify a key type of SSH-2 RSA and a key size of 2048 bits:

    • In the Key menu, confirm that the default value of SSH-2 RSA key is selected.
    • For the Type of key to generate, accept the default key type of RSA.
    • Set the Number of bits in a generated key to 2048 if it is not already set.
  3. Click Generate.
  4. Move your mouse around the blank area in the PuTTY window to generate random data in the key.

    When the key is generated, it appears under Public key for pasting into OpenSSH authorized_keys file.

  5. A Key comment is generated for you, including the date and time stamp. You can keep the default comment or replace it with your own more descriptive comment.
  6. Leave the Key passphrase field blank.
  7. Click Save private key, and then click Yes in the prompt about saving the key without a passphrase.

    The key pair is saved in the PuTTY Private Key (PPK) format, which is a proprietary format that works only with the PuTTY tool set.

    You can name the key anything you want, but use the ppk file extension. For example, mykey.ppk.

  8. Select all of the generated key that appears under Public key for pasting into OpenSSH authorized_keys file, copy it using Ctrl + C, paste it into a text file, and then save the file in the same location as the private key.

    (Do not use Save public key because it does not save the key in the OpenSSH format.)

    You can name the key anything you want, but for consistency, use the same name as the private key and a file extension of pub. For example,

  9. Write down the names and location of your public and private key files. You will need the public key when launching an instance. You will need the private key to access the instance via SSH.

Now that you have a key pair, you're ready to launch instances as described in Creating an Instance.