Importing Existing SSH Keys into OpenStack

Introduction

SSH key authentication is the most secure way to access your OpenStack instances. If you already have SSH keys you use for other servers or cloud platforms, you can import them into OpenStack rather than generating new ones. This approach lets you manage fewer keys while maintaining the same level of security across your entire infrastructure.

This guide walks you through importing an existing public SSH key into OpenStack using the Horizon dashboard or the command-line interface.

Why Import Existing SSH Keys?

Reusing existing SSH keys offers several advantages:

• Simplified key management: Fewer keys to track across multiple platforms
• Consistent access patterns: Use the same authentication method everywhere
• Team collaboration: Share public keys among team members for standardized access
• Existing workflows: Leverage keys already stored in your SSH agent or password manager

When you import a key pair, OpenStack stores only your public key. Your private key stays securely on your local machine, exactly where it should be.

Before You Begin

To import an SSH key pair into OpenStack, you need:

1. An existing SSH key pair: A public key file (typically ending in .pub)
2. Access to the public key contents: You'll copy and paste the entire public key string
3. OpenStack Horizon access: Login credentials for your OpenStack dashboard
4. Or CLI access: The OpenStack command-line tools installed and configured

If you need to verify you have a key pair, check your ~/.ssh/ directory for files like id_rsa.pub, id_ed25519.pub, or similar.

Method 1: Import SSH Key via Horizon Dashboard

The Horizon dashboard provides a straightforward web interface for importing SSH keys.

Step 1: Access the Key Pairs Section

1. Log into your OpenStack Horizon dashboard
2. Navigate to Project in the left sidebar
3. Expand Compute
4. Click Key Pairs

You'll see a list of any existing key pairs already stored in OpenStack.

Step 2: Import Public Key

1. Click the Import Public Key button in the upper right
2. In the dialog that appears, provide the following information:

• Key Pair Name: Choose a descriptive name (e.g., macbook-pro-key or dev-team-shared)
• Key Type: Select SSH Key (this is typically the default)
• Public Key: Paste your entire public key string

Step 3: Locate Your Public Key

If you need to retrieve your public key contents:

On Linux or macOS:

1cat ~/.ssh/id_rsa.pub
Copy

On Windows (PowerShell):

1Get-Content $env:USERPROFILE\.ssh\id_rsa.pub
Copy

This command displays your public key. Select and copy the entire output, which should look similar to:

1ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8... user@hostname
Copy

Step 4: Complete the Import

1. Paste the full public key string into the Public Key field
2. Review the key pair name to ensure it's descriptive
3. Click Import Public Key

OpenStack validates the key format and adds it to your project. You'll see your new key pair in the list immediately.

Step 5: Verify the Import

Confirm the key was imported successfully:

1. Check the key pairs list for your new entry
2. Note the Fingerprint value (a unique identifier for your key)
3. Compare this fingerprint with your local key to ensure they match

To check your local key fingerprint:

1ssh-keygen -l -f ~/.ssh/id_rsa.pub
Copy

The fingerprint values should be identical.

Method 2: Import SSH Key via Command Line

The OpenStack CLI provides a faster method for importing keys, especially useful for automation or batch operations.

Step 1: Install and Configure OpenStack CLI

If you haven't already set up the OpenStack command-line tools:

1. Install the OpenStack client:

1   pip install python-openstackclient
Copy

2. Source your OpenStack RC file to set environment variables:

1   source openrc.sh
Copy

3. Verify connectivity:

1   openstack keypair list
Copy

Step 2: Import the Public Key

Use the openstack keypair create command with the --public-key flag:

1openstack keypair create --public-key ~/.ssh/id_rsa.pub my-imported-key
Copy

Replace:

• ~/.ssh/id_rsa.pub with the path to your public key file
• my-imported-key with your desired key pair name

Step 3: Verify the Import

List all key pairs to confirm:

1openstack keypair list
Copy

You should see your newly imported key with its fingerprint.

To view detailed information about a specific key:

1openstack keypair show my-imported-key
Copy

Using Your Imported SSH Key with Instances

Once imported, your SSH key is immediately available for use with new instances.

Launching Instances with the Imported Key

Via Horizon:

1. Navigate to Compute > Instances
2. Click Launch Instance
3. In the Key Pair tab, select your imported key from the dropdown
4. Complete the instance launch process

Via CLI:

1openstack server create \
2  --image ubuntu-22.04 \
3  --flavor m1.small \
4  --key-name my-imported-key \
5  my-instance
Copy

Connecting to Instances

After your instance is running, connect using your private key:

1ssh -i ~/.ssh/id_rsa ubuntu@instance-ip-address
Copy

Replace:

• ~/.ssh/id_rsa with your private key path
• ubuntu with the appropriate username for your image
• instance-ip-address with your instance's floating IP

Managing Multiple SSH Keys

You can import and maintain multiple SSH keys in OpenStack for different purposes:

• Personal keys: Individual developer access keys
• Team keys: Shared keys for team members
• Service keys: Automated deployment or CI/CD pipeline keys
• Emergency keys: Backup keys stored securely for recovery scenarios

Best practices for multiple keys:

• Use descriptive names that indicate purpose and owner
• Document which keys are used for which instances
• Regularly audit and remove unused keys
• Rotate keys periodically according to your security policy

To remove a key pair you no longer need:

Via Horizon:

1. Navigate to Compute > Key Pairs
2. Select the checkbox next to the key pair
3. Click Delete Key Pairs

Via CLI:

1openstack keypair delete old-key-name
Copy

Troubleshooting Common Issues

Public Key Format Errors

Problem: "Invalid key format" error during import.

Solution: Ensure your key is a valid OpenSSH format. Keys generated by PuTTY or other tools may need conversion:

1ssh-keygen -i -f putty-key.pub > openssh-key.pub
Copy

Permission Denied When Connecting

Problem: SSH connection fails with "Permission denied (publickey)".

Solutions:

1. Verify the correct private key is being used
2. Check file permissions on your private key (should be 600):

1   chmod 600 ~/.ssh/id_rsa
Copy

3. Confirm the instance was launched with the correct key pair
4. Verify you're using the correct username for the instance image

Key Fingerprint Mismatch

Problem: Imported key fingerprint doesn't match local key.

Solution: This usually indicates you copied the wrong public key or included extra characters. Re-export your public key cleanly and try again:

1cat ~/.ssh/id_rsa.pub | pbcopy  # macOS
2cat ~/.ssh/id_rsa.pub | xclip -selection clipboard  # Linux
Copy

Cannot Find Public Key File

Problem: Public key file doesn't exist in ~/.ssh/ directory.

Solution: If you have a private key but no public key file, regenerate the public key:

1ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
Copy

Security Considerations

When importing and using SSH keys in OpenStack:

Protect your private keys:

• Never share or copy private keys to remote systems
• Use strong passphrases to encrypt private keys
• Store keys in secure locations with appropriate file permissions

Regular key rotation:

• Establish a schedule for replacing SSH keys
• Remove old keys from OpenStack after replacement
• Update automated systems with new keys before removing old ones

Audit key usage:

• Periodically review which keys are stored in OpenStack
• Remove keys for users who no longer need access
• Document key ownership and purpose

Multi-factor authentication:

• Consider requiring SSH keys plus additional authentication factors
• Use bastion hosts for an extra security layer
• Implement IP allowlisting where appropriate

Next Steps

Now that you've imported your SSH keys into OpenStack:

• Launch instances: Create new instances using your imported keys for immediate secure access
• Configure SSH agents: Set up SSH agent forwarding for multi-hop connections
• Automate deployments: Use your imported keys in infrastructure-as-code tools like Terraform or Ansible
• Set up team access: Import keys for all team members who need instance access

Related Resources

For more information about OpenStack security and key management, see these official resources:

• OpenStack Security Groups Documentation - Configure network access controls
• OpenStack Metadata Service - Understanding instance metadata and security
• Cloud-Init Documentation - Advanced instance initialization including SSH key injection

Summary

Importing existing SSH keys into OpenStack is straightforward using either the Horizon dashboard or command-line interface. This approach lets you maintain consistent authentication across all your infrastructure while keeping your private keys secure on your local systems.

The key steps are:

1. Locate your existing public key file
2. Import via Horizon dashboard or OpenStack CLI
3. Verify the import with fingerprint comparison
4. Use the imported key when launching new instances
5. Manage multiple keys with clear naming conventions

With your SSH keys properly imported, you have secure, password-free access to all your OpenStack instances using the same credentials you already trust.