---
title: SSH Keys Management
---

import { SSHKeysBadges, SSHKeysQuickStart, SSHKeysHowItWorks, SSHKeysBestPractices } from './SSHKeysCards';

# SSH Keys Management

SSH key–based authentication is the recommended way to access nodes and notebooks on TIR. Cryptographic keys are significantly more secure than passwords — they cannot be guessed or brute-forced, and no credentials are transmitted over the network.

<SSHKeysBadges />

## Quick Start

<SSHKeysQuickStart />

### How SSH Keys Work
SSH uses a public/private key pair:

| Key | Where It Lives | Purpose |
|-----|----------------|---------|
| **Private Key** | Your local machine — never shared | Proves your identity when connecting |
| **Public Key** | Uploaded to TIR and attached to your resources | Validates the connecting client |

**Authentication flow:**
<div style={{paddingLeft: '1.5rem'}}>
- Generate a key pair on your local machine.
- Upload the public key to TIR.
- When connecting to a node, the server checks your private key against the stored public key.
- If they match, access is granted — no password required.
</div>
<br></br>
:::warning
Your **private key must never leave your machine**. Only the `.pub` (public key) file should be uploaded to TIR.
:::

---

### Generate an SSH Key Pair

- **macOS / Linux:**

```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
```

- **Windows (PowerShell):**

```powershell
ssh-keygen -t ed25519 -C "your_email@example.com"
```

This creates two files:

| File | Type | Action |
|------|------|--------|
| `~/.ssh/id_ed25519` | 🔒 Private Key | Keep on your machine — never share |
| `~/.ssh/id_ed25519.pub` | 🔑 Public Key | Upload this to TIR |

<br></br>
:::tip 
Use ed25519 for better security and performance over the older RSA algorithm.
:::
---

### Manage SSH Keys on TIR

#### 1. Access the SSH Keys Section
<div style={{paddingLeft: '1.5rem'}}>
- Log in to the **TIR AI Platform**.
- Click your **Profile Icon** in the top-right corner.
- Select **SSH Keys** from the menu.
</div>

#### 2. Add an SSH Key
<div style={{paddingLeft: '1.5rem'}}>
- Click **Add Key**.
- Enter a recognizable **label** (e.g., `macbook-pro-2025`, `office-workstation`).
- Paste the content of your public key file (`id_ed25519.pub`):
   ```bash
   cat ~/.ssh/id_ed25519.pub
   ```
- Click **Add Key** to save.
</div>

<br></br>
:::info
A valid public key starts with `ssh-ed25519` or `ssh-rsa`, followed by the key data and an optional comment.
:::

#### 3. Create an SSH Key from the Browser

You can also generate an SSH key pair directly from the TIR console — no local `ssh-keygen` required.

<div style={{paddingLeft: '1.5rem'}}>
- Go to the **SSH Keys** section (Profile Icon > SSH Keys) or use the SSH Key dropdown during resource creation.
- Click **Create Key** and enter a recognizable label.
- TIR generates the key pair:
  - The **public key** is saved to your account and automatically available for attachment to resources.
  - The **private key** is downloaded to your machine as a `.pem` file (e.g., `my-key.pem`).
</div>

<br></br>
:::warning
The private key `.pem` file is downloaded **only once**. TIR does not store it. If you lose this file, you will need to create a new key.
:::

#### 4. Delete an SSH Key
<div style={{paddingLeft: '1.5rem'}}>
- Locate the key in the SSH Keys list.
- Click **Delete** next to it.
</div>
<br></br>
:::warning
Deleting a key immediately revokes access to any nodes or notebooks deployed with it. Connections from the corresponding private key will no longer be accepted.
:::

---

### Use SSH Keys When Creating Resources

Once a key is added to your account, it is available when creating new resources:

1. During instance or notebook creation, select your preferred SSH key from the **SSH Key** dropdown.
2. Connect to the resource using your private key:

**If you generated the key locally** (with `ssh-keygen`):

```bash
ssh -i ~/.ssh/id_ed25519 ubuntu@<node-ip-address>
```

**If you created the key from the browser** (downloaded `.pem` file):

First, set the correct permissions on the downloaded private key:

```bash
chmod 600 <private-key.pem>
```

Then connect:

```bash
ssh -i <private-key.pem> root@<node-ip-address>
```

:::tip
The `chmod 600` command restricts the file so only you can read it. SSH refuses to use a private key file with open permissions.
:::

:::info
The SSH username (e.g., `root`, `ubuntu`) depends on the instance image. Check your image documentation for the correct username.
:::

:::info
A **Security Group with port 22 open** must be attached to the instance for SSH connections to work.
:::

---

### Import SSH Keys from MyAccount

Sync SSH keys from your **E2E MyAccount** without re-uploading:

1. Go to the **SSH Keys** section.
2. Click **Sync SSH** to import keys from your MyAccount default project.
<br></br>
:::info Import Rules
- A key with the same **name** already in TIR will **not** be imported.
- A key with the same **content** but a different name will also **not** be imported.
:::

---

### Best Practices

<SSHKeysBestPractices />


---