CrabGlamp

Attach an SSH key from the Vault

Wire a stored public key in your account Vault to a Plain VM at provisioning time, or add it to an already-running VM by appending it over SSH. This guide covers the create-VM dashboard flow, what the platform does with the key on the VM side, and how to verify the key is authorized after the VM finishes booting.

Last updated:

The Vault stores OpenSSH public keys per account. At provisioning time, you pick which keys to attach to a new VM. Keys you attach are written into the VM's ~/.ssh/authorized_keys for the default user.

  1. Open /dashboard/plain-vms and click Create VM.
  2. Under Access method, select SSH key from Vault.
  3. Tick the boxes for the keys you want attached. You can attach more than one.
  4. Optionally enable Generated one-time password as a fallback.
  5. Click Provision.

On first boot, the VM's cloud-init writes every selected public key into ~/.ssh/authorized_keys for the distro's default user — ubuntu on Ubuntu, debian on Debian, root on Fedora / Rocky / Alma. SSH is reachable within ~60 seconds of provisioning.

After provisioning (manual)

To add a new key to an already-running VM, SSH in with an existing authorized key and append manually:

echo "ssh-ed25519 AAAA... laptop-2026" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

There is no v1 platform mechanism for re-running cloud-init or pushing a new key onto a live VM. If you have lost access to every authorized key, use the Reset root password action in the Hetzner Cloud Console for the underlying server — that's the supported recovery path at v1. The CrabGlamp dashboard does not expose a one-click reset.

Verify

ssh -v root@{public-ipv4} 2>&1 | grep "Authenticating to"

If the key chain authenticates, the verbose output names the key file matched.

Related

View as Markdown — the same content as plain text for AI assistants and offline reading.

Was this helpful?