SSH Keys Management
SSH key–based authentication is the recommended way to access nodes and notebooks on TIR. Cryptographic keys are significantly more secure than passwords — they cannot be guessed or brute-forced, and no credentials are transmitted over the network.
Quick Start
Generate a Key Pair
Create a public/private key pair on your local machine using ssh-keygen.
Manage Your SSH Keys
Add, view, and delete SSH keys from your TIR account.
Sync from MyAccount
Import existing SSH keys from your E2E MyAccount without re-uploading.
Best Practices for SSH Keys
Follow security best practices to keep your SSH keys safe and well-managed.
How SSH Keys Work
SSH uses a public/private key pair:
| Key | Where It Lives | Purpose |
|---|---|---|
| Private Key | Your local machine — never shared | Proves your identity when connecting |
| Public Key | Uploaded to TIR and attached to your resources | Validates the connecting client |
Authentication flow:
- Generate a key pair on your local machine.
- Upload the public key to TIR.
- When connecting to a node, the server checks your private key against the stored public key.
- If they match, access is granted — no password required.
Your private key must never leave your machine. Only the .pub (public key) file should be uploaded to TIR.
Generate an SSH Key Pair
- macOS / Linux:
ssh-keygen -t ed25519 -C "your_email@example.com"
- Windows (PowerShell):
ssh-keygen -t ed25519 -C "your_email@example.com"
This creates two files:
| File | Type | Action |
|---|---|---|
~/.ssh/id_ed25519 | 🔒 Private Key | Keep on your machine — never share |
~/.ssh/id_ed25519.pub | 🔑 Public Key | Upload this to TIR |
Use ed25519 for better security and performance over the older RSA algorithm.
Manage SSH Keys on TIR
1. Access the SSH Keys Section
- Log in to the TIR AI Platform.
- Click your Profile Icon in the top-right corner.
- Select SSH Keys from the menu.
2. Add an SSH Key
- Click Add Key.
- Enter a recognizable label (e.g.,
macbook-pro-2025,office-workstation). - Paste the content of your public key file (
id_ed25519.pub):cat ~/.ssh/id_ed25519.pub - Click Add Key to save.
A valid public key starts with ssh-ed25519 or ssh-rsa, followed by the key data and an optional comment.
3. Create an SSH Key from the Browser
You can also generate an SSH key pair directly from the TIR console — no local ssh-keygen required.
- Go to the SSH Keys section (Profile Icon > SSH Keys) or use the SSH Key dropdown during resource creation.
- Click Create Key and enter a recognizable label.
- TIR generates the key pair:
- The public key is saved to your account and automatically available for attachment to resources.
- The private key is downloaded to your machine as a
.pemfile (e.g.,my-key.pem).
The private key .pem file is downloaded only once. TIR does not store it. If you lose this file, you will need to create a new key.
4. Delete an SSH Key
- Locate the key in the SSH Keys list.
- Click Delete next to it.
Deleting a key immediately revokes access to any nodes or notebooks deployed with it. Connections from the corresponding private key will no longer be accepted.
Use SSH Keys When Creating Resources
Once a key is added to your account, it is available when creating new resources:
- During instance or notebook creation, select your preferred SSH key from the SSH Key dropdown.
- Connect to the resource using your private key:
If you generated the key locally (with ssh-keygen):
ssh -i ~/.ssh/id_ed25519 ubuntu@<node-ip-address>
If you created the key from the browser (downloaded .pem file):
First, set the correct permissions on the downloaded private key:
chmod 600 <private-key.pem>
Then connect:
ssh -i <private-key.pem> root@<node-ip-address>
The chmod 600 command restricts the file so only you can read it. SSH refuses to use a private key file with open permissions.
The SSH username (e.g., root, ubuntu) depends on the instance image. Check your image documentation for the correct username.
A Security Group with port 22 open must be attached to the instance for SSH connections to work.
Import SSH Keys from MyAccount
Sync SSH keys from your E2E MyAccount without re-uploading:
- Go to the SSH Keys section.
- Click Sync SSH to import keys from your MyAccount default project.
- A key with the same name already in TIR will not be imported.
- A key with the same content but a different name will also not be imported.
Best Practices
Key Strength
- Use ed25519 or RSA 4096 — both are stronger than older key types
- Set a passphrase on your private key for an extra layer of protection
Local Security
- Set correct file permissions: chmod 600 ~/.ssh/id_ed25519
- For browser-generated keys, run chmod 600 on the downloaded .pem file before first use
- Never store private keys in cloud storage, shared drives, or version control
Lifecycle Management
- Use meaningful labels to identify which key belongs to which machine
- Rotate keys periodically and remove old or unused keys from TIR