OpenStack instances need SSH key pairs for secure access. You upload your public key to OpenStack, then select it when launching an instance. OpenStack injects the key into the instance via cloud-init, so you can SSH in immediately without passwords. This guide covers creating, importing, listing, and using key pairs through the openstack CLI.
Prerequisites
- The OpenStack CLI client installed and configured
- Authentication credentials sourced (
source admin-openrc.sh)
Generate an SSH Key Pair
Skip this step if you already have a key at ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub. Ed25519 is the recommended algorithm for new keys because it’s faster and more secure than RSA:
ssh-keygen -t ed25519 -C "openstack-key"Press Enter to accept the default file location (~/.ssh/id_ed25519). Set a passphrase if you want additional protection for the private key.
If your OpenStack image doesn’t support Ed25519 (older cloud images), fall back to RSA:
ssh-keygen -t rsa -b 4096 -C "openstack-key"Import an Existing Key into OpenStack
Upload your public key to OpenStack so it can be injected into instances at launch:
openstack keypair create --public-key ~/.ssh/id_ed25519.pub mykeyThe output confirms the import with the key fingerprint:
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| fingerprint | SHA256:xYz1aBcD2eFg3HiJ4KlM5nOp6QrS7tUv8wXy9z |
| name | mykey |
| type | ssh |
| user_id | a1b2c3d4e5f6789012345678 |
+-------------+-------------------------------------------------+For RSA keys, use ~/.ssh/id_rsa.pub instead.
Create a Key Pair in OpenStack
OpenStack can generate the key pair for you. The private key is displayed once and never stored on the server, so save it immediately:
openstack keypair create cloud-key > ~/.ssh/cloud-key.pem
chmod 600 ~/.ssh/cloud-key.pemThis creates the key pair on the OpenStack side and writes the private key to a local file. The chmod 600 restricts permissions so SSH accepts it.
List and Show Key Pairs
View all key pairs registered in your project:
openstack keypair listThe output shows the name, type, and fingerprint for each key:
+-----------+-------------------------------------------------+------+
| Name | Fingerprint | Type |
+-----------+-------------------------------------------------+------+
| cloud-key | SHA256:aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abcd | ssh |
| mykey | SHA256:xYz1aBcD2eFg3HiJ4KlM5nOp6QrS7tUv8wXy9z | ssh |
+-----------+-------------------------------------------------+------+Show details of a specific key pair including the public key content:
openstack keypair show mykeyLaunch an Instance with a Key Pair
Specify the key pair name with --key-name when creating a server. OpenStack injects the public key into the instance’s authorized_keys file via cloud-init:
openstack server create \
--flavor m1.small \
--image Ubuntu-24.04 \
--network provider-net \
--security-group default \
--key-name mykey \
test-instanceOnce the instance is active, connect using the private key:
openstack server listFind the instance IP from the output, then SSH in:
ssh -i ~/.ssh/id_ed25519 [email protected]The default username depends on the image: ubuntu for Ubuntu, rocky for Rocky Linux, debian for Debian, cloud-user for CentOS Stream.
Delete a Key Pair
Remove a key pair you no longer need:
openstack keypair delete mykeyDeleting a key pair from OpenStack does not affect instances already launched with it. The public key remains in the instance’s authorized_keys. It only prevents new instances from using that key name.
Key Pair Command Reference
| Command | What It Does |
|---|---|
openstack keypair create --public-key FILE NAME | Import an existing public key |
openstack keypair create NAME | Generate a new key pair (prints private key) |
openstack keypair list | List all key pairs in the project |
openstack keypair show NAME | Show key details and public key content |
openstack keypair delete NAME | Remove a key pair |
openstack keypair delete KEY1 KEY2 | Delete multiple key pairs at once |
For creating the networks your instances connect to, see the OpenStack networks and subnets guide. To manage compute flavors, see the OpenStack flavors CLI reference. For uploading the OS images your instances boot from, the Glance image upload guide covers that.
