Create SSH keys
This document describes how to create an SSH key pair for Compute Enginevirtual machine (VM) instances to securely connect to your Compute Engine VMinstances.
Before you begin
- If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
gcloudinit
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
gcloudinit
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.For more information, seeAuthenticate for using REST in the Google Cloud authentication documentation.
Create an SSH key pair
If you connect to VMs using the Google Cloud console or theGoogle Cloud CLI, Compute Engine creates SSH keys on your behalf. Formore information on how Compute Engine configures and stores keys, seeAbout SSH connections.
If you connect to VMs using third party tools or OpenSSH, you need toadd a key to your VM before you can connect. If you don't have an SSH key,you must create one. VMs accept the key formats listed in thesshd_configfile.
Linux and macOS
On Linux and macOS workstations, use thessh-keygen utility to create a new SSH key pair. The following example creates an RSA key pair.
Open a terminal and use thessh-keygen command with the-C flag tocreate a new SSH key pair.
ssh-keygen -t rsa -f ~/.ssh/KEY_FILENAME -CUSERNAME
Replace the following:
KEY_FILENAME: the name for your SSH key file.For example, a filename of
my-ssh-keygenerates a private key file namedmy-ssh-keyand a public key file namedmy-ssh-key.pub.USERNAME: your username on the VM. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.For Linux VMs, the
USERNAMEcan't beroot,unless you configure your VM to allow root login. For more information,seeConnect to VMs as the root user.For Windows VMs that use Active Directory (AD), the username must beprepended with the AD domain, in the format of
DOMAIN\. For example, the usercloudysanfranciscowithin thead.example.comAD has aUSERNAMEofexample\cloudysanfrancisco.
ssh-keygen saves your private key file to~/.ssh/KEY_FILENAME and your public key file to~/.ssh/KEY_FILENAME.pub.
A public key for the usercloudysanfrancisco looks similar to thefollowing:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... cloudysanfrancisco
Windows 10 or later
On workstations with Windows version 10 or later, use thessh-keygen utility to create a new SSH key pair. The following example creates an RSA key pair.
Open Command Prompt and use thessh-keygen command with the-C flag tocreate a new SSH key pair.
ssh-keygen -t rsa -f C:\Users\WINDOWS_USER\.ssh\KEY_FILENAME -CUSERNAME
Replace the following:
WINDOWS_USER: your username on the Windowsmachine.KEY_FILENAME: the name for your SSH key file.For example, a filename of
my-ssh-keygenerates a private key file namedmy-ssh-keyand a public key file namedmy-ssh-key.pub.USERNAME: your username on the VM. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.For Linux VMs, the
USERNAMEcan't beroot,unless you configure your VM to allow root login. For more information,seeConnect to VMs as the root user.For Windows VMs that use Active Directory (AD), the username must beprepended with the AD domain, in the format of
DOMAIN\. For example, the usercloudysanfranciscowithin thead.example.comAD has aUSERNAMEofexample\cloudysanfrancisco.
ssh-keygen saves your private key file toC:\Users\WINDOWS_USER\.ssh\KEY_FILENAMEand your public key file toC:\Users\WINDOWS_USER\.ssh\KEY_FILENAME.pub.
A public key for the usercloudysanfrancisco looks similar to thefollowing:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... cloudysanfrancisco
Windows 8 or earlier
On workstations with Windows version 8 or earlier, use the PuTTYgen tool tocreate a new SSH key pair. The following example creates an RSA key pair.
Download
puttygen.exeif you haven't already.Open PuTTYgen.
UnderParameters specify the following:
- Type of key to generate:
RSA - Number of bits in a generated key:
2048or more
- Type of key to generate:
ClickGenerate and follow the on-screen instructions.
The tool displays the public key value.
In theKey comment section, replace the pre-populated text with yourusername. For example,
cloudysanfrancisco, orcloudysanfrancisco_gmail_com.For Linux VMs, theKey comment can't be
root, unless you configureyour VM to allow root login. For more information,seeConnect to VMs as the root user.For Windows VMs that use Active Directory (AD), theKey comment mustbe prepended with the AD domain, in the format of
DOMAIN\. For example, the usercloudysanfranciscowithin thead.example.comAD has aKey commentofexample\cloudysanfrancisco.Optional: enter aKey passphrase to password-protect your key.
ClickSave private key to choose a location to save the private keyto.
PuTTYgen writes the private key to a file with a
.ppkextension.ClickSave public key to choose a location to save your public keyto. Keep the PuTTYgen window open.
Copy the text from thePublic key for pasting into OpenSSHauthorized_keys file field.
Open the public key file. The public key has a format similar to thefollowing:
---- BEGIN SSH2 PUBLIC KEY ----Comment: "USERNAME"KEY_VALUE---- END SSH2 PUBLIC KEY ----
Replace the entire contents of the public key file with the value youcopied from thePublic key for pasting into OpenSSH authorized_keysfile field, so that your public key file matches the following format:
KEY_VALUEUSERNAME
A public key for the usercloudysanfrancisco looks similar to thefollowing:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... cloudysanfrancisco
What's next?
- Learn how toAdd SSH keys to VMs
- LearnAbout SSH connections work onCompute Engine
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.