Connecting securely to DigitalOcean droplet with SFTP
With WinSCP you can easily upload and manage files on your DigitalOcean droplet/server over the SFTP protocol.
Before starting you should have WinSCP installed.
Setting up Public Key Authentication
While you can use the root password to log in with WinSCP, it is more secure to use public key authentication.
First you need to generate your key pair, if you do not have one yet:
- Use the PuTTYgen tool to generate a new key.
- PuTTYgen installs by default with WinSCP. One way to run it is the Tools > Run PuTTYgen command on the WinSCP Login dialog.
The easiest way to set up public key authentication is directly when creating the droplet.
- In PuTTYgen, copy the contents of the Public key for pasting into OpenSSH authorized_keys file box to the clipboard;
- In the Authentication > SSH keys section of the Create Droplets form, click New SSH Key;
- Paste the public key fingerprint from the clipboard;
- And confirm by clicking the Add SSH Key button.
If you want to add the key to your existing droplet:
- Connect to the droplet with SSH or the DigitalOcean recovery console;
- Follow instructions for setting up SSH public key authentication for OpenSSH servers.
Connecting
Collect information about your droplet:
- IP address: It is the dotted number in a format aaa.bbb.ccc.ddd below your droplet hostname on the droplet console panel.
- Host key fingerprint: On the first connect you will be prompted to verify a server host key. While the DigitalOcean documentation suggests you can accept the droplet host key on the first connect without verifying it, to maintain maximum security, you should securely acquire a fingerprint of the host key:
  - Connect to the droplet with the DigitalOcean recovery console;
  - Use the following commands to display fingerprints of the host keys:

    root@droplet:~# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    2048 SHA256:z6YYzqGiAb1FN55jOf/f4fqR1IJvpXlKxaZXRtP2mX8 root@droplet-1 (RSA)
    root@droplet-1:~# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
    1024 SHA256:K1kYcE7GHAqHLNPBaGVLOYBQif04VLOQN9kDbiLW/eE root@droplet-1 (DSA)
Start WinSCP. The Login dialog will appear. On the dialog:
- Make sure New site node is selected.
- On the New site node, make sure SFTP protocol is selected.
- Enter your droplet IP address (see above) into the Host name box.
- Enter root into the User name box.
- If you are authenticating with the root password:
  - Enter your root password into the Password box.
- If you are authenticating with the private key:
  - Press the Advanced button to open the Advanced site settings dialog and go to the SSH > Authentication page.
  - In the Private key file box select your private key file.
  - Submit the Advanced site settings dialog with the OK button.
- Save your site settings using the Save button.
- Login using the Login button.
- Verify the host key by comparing fingerprints with those collected before (see above).
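The SHA256 value that ssh-keygen -l prints is the unpadded Base64 of the SHA-256 hash of the decoded key blob in the .pub file. The following is an added example, not part of the original WinSCP page, that derives that fingerprint from a public key line and compares it with the one a client displays; the sample key is constructed for illustration and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def _sample_line():
    # Constructed key for illustration only: an ssh-ed25519 blob whose 32 key
    # bytes are 0..31. It is not a real host key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@example-droplet"


SAMPLE_LINE = _sample_line()


def parse_public_key_line(line):
    """Split '<type> <base64-blob> [comment]' and return (key_type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode("ascii"):
        raise ValueError("key type inside blob does not match the declared type")
    return fields[0], blob


def sha256_fingerprint(blob):
    """Fingerprint in the form ssh-keygen -l prints: SHA256:<unpadded Base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(pub_line, shown):
    """Compare the fingerprint a client displays with the one derived from pub_line."""
    _, blob = parse_public_key_line(pub_line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        shown = shown[len("SHA256:"):]
    return sha256_fingerprint(blob) == "SHA256:" + shown.rstrip("=")


if __name__ == "__main__":
    key_type, blob = parse_public_key_line(SAMPLE_LINE)
    print(key_type, sha256_fingerprint(blob))
```

The public key line must come from a trusted channel such as the recovery console; a copy fetched over the same unverified connection proves nothing.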