Source: https://crabglamp.com/docs/plain-vms/how-to/attach-an-ssh-key-from-the-vault
Last updated: 2026-06-09
Type: how-to

The Vault stores OpenSSH public keys per account. At provisioning time, you pick which keys to attach to a new VM. Keys you attach are written into the VM's `~/.ssh/authorized_keys` for the default user.

## At provisioning time (recommended)

1. Open `/dashboard/plain-vms` and click **Create VM**.
2. Under **Access method**, select **SSH key from Vault**.
3. Tick the boxes for the keys you want attached. You can attach more than one.
4. Optionally enable **Generated one-time password** as a fallback.
5. Click **Provision**.

On first boot, the VM's cloud-init writes every selected public key into `~/.ssh/authorized_keys` for the distro's default user — `ubuntu` on Ubuntu, `debian` on Debian, `root` on Fedora / Rocky / Alma. SSH is reachable within ~60 seconds of provisioning.

## After provisioning (manual)

To add a new key to an already-running VM, SSH in with an existing authorized key and append manually:

```sh
echo "ssh-ed25519 AAAA... laptop-2026" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```

There is no v1 platform mechanism for re-running cloud-init or pushing a new key onto a live VM. If you have lost access to every authorized key, use the **Reset root password** action in the [Hetzner Cloud Console](https://console.hetzner.cloud) for the underlying server — that's the supported recovery path at v1. The CrabGlamp dashboard does not expose a one-click reset.

## Verify

```sh
ssh -v root@{public-ipv4} 2>&1 | grep "Authenticating to"
```

If the key chain authenticates, the verbose output names the key file matched.