Skip to main content

Project SSH Keys

SSH is the default method of accessing an Equinix Metal™ server. SSH keys can be associated with your account or project, and added to each server you provision. Equinix Metal also uses SSH keys as authentication for our SOS/OOB console.

A Project SSH key is specific to a single project, which will be included by default on servers deployed into a particular project. This option is useful if you don’t want to use a personal SSH key on a shared server.

Generating a Project SSH Key

To use SSH keys with Equinix Metal, first generate a public and private key pair on your local machine, and then associate the public key with your Equinix Metal Project.

To generate an SSH key pair, use the ssh-keygen command on Linux, Mac, and modern Windows machines. Note: We recommend that you specify a unique SSH key name and location to be used for the key pair. This will ensure that you do not overwrite any existing SSH keys.

ssh-keygen -t ed25519 -f ~/.ssh/<proj_key_name>

For older machines without Ed25519 support, RSA keys are supported with a recommended 2048-bit minimum key size.

ssh-keygen -t rsa -b 2048 -f ~/.ssh/<proj_key_name>

The public key is named <proj_key_name>.pub. You will upload this key to the Equinix Metal console. The other key file in the same directory, <proj_key_name>, is the private key. Do not share your private key.

Note - if you are on an older Windows version that does not include a built-in SSH server and client, you will need to download and configure a third-party application such as PuTTY to generate keys and SSH into your servers.

Adding an SSH Key to your Project

You can add an SSH key to a Project on its Project Settings page, on the SSH Keys tab.

Adding an SSH Key to Your Project

Once the SSH key has been added, it will appear in the list of SSH keys in the Project. If you need to rename or update the key, click Edit.

Project SSH Keys - Provisioning Servers

When you provision a server, all your user account SSH keys, team member's SSH keys, and Project SSH keys are added to it by default, providing authorized access to the server. It is possible to override this default and specify which keys to add when provisioning a new server.

When provisioning in the console, available Project SSH keys are displayed on the SSH Keys tab in the Optional Settings.

Project SSH Keys in Console

Select which keys to add to the server.

Note: If all keys (Project, Personal, and Collaborator) are unchecked, all keys will be added to the server by default. There is no way to provision in the Console without SSH keys. To provision without SSH keys, use the API.

Provisioning Without SSH Keys

To provision a server without SSH keys, you must explicitly include the "no_ssh_keys" parameter in your POST request to the projects/{id}/devices endpoint.

curl -X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Token: <API_TOKEN>" \
"https://api.equinix.com/metal/v1/projects/{id}/devices" \
-d '{
"metro": "<metro_code>",
"plan": "<server_type>",
"operating_system": "<os_code>",
"no_ssh_keys": true
}'

Notable Body Parameter:

  • "no_ssh_keys" - Boolean that overrides default behavior of attaching user, team member, and Project SSH keys to a server and provisions it without any authorized SSH access.

Project SSH Keys Post-Provisioning

To see what keys are on a provisioned server:

You can see which SSH keys are on a specific server from the Equinix Metal console in the server's detail page, on the SSH Keys tab.

Server&#39;s SSH Keys List

You can add SSH keys to your Project at any time, however keys added to your Projects through the console or API are NOT automatically added to the servers. Equinix Metal does not keep any agent or process on provisioned servers to perform this action. To grant access, you have to add SSH keys to the server itself.

If you add a key that you want to use with provisioned servers, check the option to associate the new key with specific servers or all servers when you add it to the console. This option is also only available through the Equinix Metal console.

Associating a New Project Key with Servers in the Console

This does not authorize SSH access directly to the server, but it does allow the new SSH key to be used when logging into and using the SOS/OOB console. You can then use the SOS/OOB console to add your new SSH key to the authorized keys on the server.

Removing Project SSH Keys

You can remove Project SSH keys from the Project Settings page, on the SSH Keys tab. Click Delete next to the key you want to remove. The SSH key will not be added to any future servers that you provision in this Project.

Deleting a Project SSH Key from the Console

Note: Keys removed from your account or from your Projects through the console or API are NOT automatically deleted from servers. Equinix Metal does not keep any agent or process on provisioned servers to perform this action. To revoke access, you have to manually remove SSH keys from the server