
Keypairs

A keypair is a pair of keys: one private and one public.
The most common example is an SSH keypair, which allows you to log in to your Unix instance.

Key pairs are used to:

  • connect to an instance (e.g. SSH)
  • generate and encrypt a password (e.g. Windows or OPNsense appliance)

Info

Keypairs have to be created before the instances that use them. They are associated with the instance during the instance creation process.

Import an existing keypair

You may import your existing keypair using the following command:

openstack keypair create --public-key ~/.ssh/ssh_my_rsa_key.pub my_keypair
+-------------+-------------------------------------------------+
| Field       | Value                                           |
+-------------+-------------------------------------------------+
| fingerprint | 53:c0:03:5f:27:6f:c2:66:b4:e4:f3:26:e0:f8:82:4a |
| name        | my_keypair                                      |
| user_id     | b1580497f51e4d10b9110c60c154562c                |
+-------------+-------------------------------------------------+

You may import your existing keypair by navigating to the Key Pairs section and clicking on Import Public Key.

Name your keypair, set its type and import it.


Create a new keypair

A new keypair can also be created.

openstack keypair create my_keypair > ~/.ssh/my_keypair
chmod 600 ~/.ssh/my_keypair

The private key is saved to ~/.ssh/my_keypair and can then be used for instance creation (using the --key-pair argument on the command line) and/or for SSH.


Name your keypair and click on Create Key Pair


Your keypair has been automatically downloaded.

You may now use the keypair to connect to an instance with this command:

ssh -i ~/.ssh/ssh_my_rsa_key adminuser@my-instance-name

Keypair for password encryption

Some operating systems, such as Windows or OPNsense, require a specific keypair type commonly called OpenSSL RSA keypair, RSA PKCS #1 v1.5 keypair or SSH keypair in PEM format.

During the first boot, these operating systems generate a random password and send it to the OpenStack metadata server.
To do so securely, the instance encrypts the password with the public key set when the instance was created and posts the result as base64 to the metadata server, making it readable only by the owner of the private key.

Note

This form of keypair is different from the OpenSSH-RSA type.
Keys must be generated in this exact format to work.
An existing key cannot be converted to RSA PKCS #1 v1.5.

To generate an RSA PKCS #1 v1.5 keypair, you can use the following command:

ssh-keygen -t rsa -m pem -f my_keypair

This will create my_keypair and my_keypair.pub, which you can use to decrypt the instance-generated password.
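
The exchange described in this section can be reproduced locally with openssl, which shows why only the holder of the private key can read the password. This is an added example, not part of the original documentation: the function names and the sample password are constructed, and the use of PKCS #1 v1.5 padding is an assumption based on the key type named above.

```shell
#!/bin/sh
# Added example: local simulation of the password exchange described above.
# Function names are hypothetical; PKCS #1 v1.5 padding is an assumption
# taken from the key type the page names.

# Instance side: encrypt the generated password with the public key and
# emit one base64 line, the form that is posted to the metadata server.
# $1 = public key (PEM), $2 = password
instance_encrypt_password() {
    printf '%s' "$2" |
        openssl pkeyutl -encrypt -pubin -inkey "$1" \
            -pkeyopt rsa_padding_mode:pkcs1 |
        openssl base64 -A
}

# Owner side: decode the base64 blob and decrypt it with the private key.
# $1 = private key (PEM), $2 = base64 blob
owner_decrypt_password() {
    printf '%s\n' "$2" |
        openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$1" \
            -pkeyopt rsa_padding_mode:pkcs1
}

# Round trip with a throwaway key and a constructed password.
demo_roundtrip() {
    dir=$(mktemp -d) || return 1
    # Throwaway RSA key for the demo; in practice this is the my_keypair
    # file written by: ssh-keygen -t rsa -m pem -f my_keypair
    openssl genrsa -out "$dir/key" 2048 2>/dev/null
    openssl rsa -in "$dir/key" -pubout -out "$dir/pub.pem" 2>/dev/null
    blob=$(instance_encrypt_password "$dir/pub.pem" 'Constructed-Pw-123')
    owner_decrypt_password "$dir/key" "$blob"
    rm -rf "$dir"
}

demo_roundtrip
```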