Connecting securely to Google Compute Engine server with SFTP

With WinSCP you can easily upload and manage files on your Google Compute Engine (GCE) instance/server over SFTP protocol.

Before starting you should:

First you need to generate your private key, if you do not have one yet:


Collect information about your GCE instance:

  • IP address: Check External IP column on Compute > Compute Engine > VM Instances page of your project on Google Cloud Platform.
  • Host key fingerprint: On the first connect you will be prompted to verify a server host key.
    • To securely acquire a fingerprint of the host key, use web-based SSH client in Google Cloud Platform (use SSH link on the VM Instances page). In the console, use ssh-keygen command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey:
      sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
      sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key -E md5

Set up SSH keys for your Google Compute account:

  • Load your private key to PuTTYgen;
  • Enter the username (an existing one or any other account name you want to be created) to the Key comment box.
  • Copy a contents of Public key for pasting into OpenSSH authorized_keys file to the clipboard (note that the contents includes your username);
  • Go to Metadata page of your project on Google Cloud Platform;
  • Go to SSH Keys tab and click Edit;
  • Click Add item button and paste contents of the clipboard to Enter public SSH key box (note how the username is automatically recognized).
  • On the bottom of the page, click Save and wait for the key to be saved.

If you want to set up the keys for a specific VM instance only, go to Edit > SSH Keys > Show and edit > Add item on the instance page instead of using project’s Metadata page.


Finally, start WinSCP. Login dialog will appear. On the dialog:

  • Make sure New site node is selected.
  • On the New site node, make sure SFTP protocol is selected.
  • Enter your GCE instance public IP address (see above) into the Host name box.
  • Enter the account name (that the console extracted out of your GCE username) into the User name box;
  • Press Advanced button to open Advanced site settings dialog and go to SSH > Authentication page.
  • In the Private key file box select your private key file.
  • Submit the Advanced site settings dialog with OK button.
  • Save your site settings using the Save button.
  • Login using the Login button.
  • Verify the host key by comparing fingerprints with those collected before (see above).

Further reading

Last modified: by martin