OpenStack Keypair: How to Create One to Enhance Your VM Security

Nick Chase - January 5, 2016 - ,

One way to bolster security on your OpenStack cloud is to set up security options that go beyond password-based user authentication when you create a new instance (be it an image or storage volume). The most common way is to use the OpenStack Dashboard, Horizon, to set up a public/private OpenStack keypair to properly protect the instance at launch time.

A Public/private OpenStack keypair works by keeping the public key on the server, and the private key on your local workstation. Once the server has verified that the two keys match, a secure connection can be made.

A public OpenStack ssh key can be injected into an instance on launch, so that it’s ready for you to access using the private key. If you then set up ssh to deny password authentication and instead require the key, you give your instance a much stronger layer of security.

Now let’s look at how to set up an OpenStack keypair. Basically, there are three steps  in OpenStack: create keypair entries,  add it to an instance, and modify it for increased security. Let’s get started!

Create a key pair in Horizon

The first step you need to learn is how to create the actual key pair, if you don’t already have one:

  1. Click “Compute” under the “Project” option in the Horizon left-hand menu.
  2. Select “Access & Security”.
  3. Click the “Key Pairs” tab.


  1. Click “+Create Key Pair”.
  2. Name your new key pair and click “Create Key Pair”.


  1. The new OpenStack keypair will automatically download to your local machine; make sure you don’t lose it, or you won’t be able to access the new instance.


  1. Click Access & Security again to see your new key pair.


You can also create a key pair manually and import it, or import an existing public key, by click the “Import Key Pair” button and adding it to the form.

Add a key pair to an instance

To add a keypair to an instance, you need to specify it when you’re launching the instance.

  1. Under Instances click “Launch Instance”.
  2. Click the “Access & Security” tab.
  3. Choose the appropriate key pair from the pulldown list (or click the “+” sign to import one).


  1. After completing the rest of the required information on the other tabs, click “Launch”.

Securing and using your new key pair

To use your new key pair, you need to make it available to your ssh client.  On Linux, follow these instructions:

  1. Copy the downloaded key pair into your ~/.ssh/ directory
  2. Change permissions to 600:
    # cd ~/.ssh
    # chmod 600 KEY_NAME.pem
  3. Now you can use the key pair to log on to the instances in question using this key pair:
    # ssh -i ~/.ssh/KEY_NAME.pem USER@SERVER_IP

On Windows, how you use your new key will depend on your client.  The PuTTY client is an open source SSH client that also handles SFTP and SCP, and enables you to specify the private key to use. The downside of PuTTY is that it doesn’t like the *.pem format OpenStack gives you, in which the public and private key are together; instead you must separate them using the PuTTYgen client:

  1. Download PuTTYgen from the main downloads page.
  2. Run puttygen.exe.
  3. Click the Load button and specify “All files *.*” as the file format so it can find the *.pem file.
  4. Load the key pair you downloaded from OpenStack earlier.  You’ll see the information in the puttygen window.


  1. Optionally add a passphrase.
  2. Click “Save Private Key” and save the file where you’ll be able to find it.

Now you can add the private key to a connection in PuTTY:

  1. Download PuTTY from the main downloads page.
  2. Run putty.exe.
  3. Specify the hostname or IP for the instance (you can find this information on the instances page once it’s launched).
  4. In the left-hand panel, expand “Connection->SSH” and click “Auth”.


  1. Click “Browse” and find the *.ppk file you saved from puttygen.exe.
  2. Click “Open” to connect to the instance.

Enhanced security without the hassle

Not all OpenStack instances will be booted from Horizon, of course; it’s very common to boot an instance from the command line, and the OpenStack Compute (Nova) CLI does provide the –key-name parameter to enable you to add an existing key pair to an instance as it boots.  (Note that you must add the key to the cluster first.)

Still, for users who prefer to use the OpenStack Dashboard instead, it’s convenient to be able to create and add a key pair directly through Horizon and its robust API. In OpenStack, change key pair operations can also be done.

Looking for an easier way to deploy OpenStack?  OpenStack Fuel software lets you deploy OpenStack with a few clicks of your mouse. Download it now with Mirantis OpenStack.

From Virtualization to Containerization
Learn how to move from monolithic to microservices in this free eBook
Download Now
Radio Cloud Native – Week of May 11th, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news. This week they discussed: Docker Extensions Artificial Intelligence shows signs that it's reaching the common person Google Cloud TPU VMs reach general availability Google buys MobileX, folds into Google Cloud NIST changes Palantir is back, and it's got a Blanket Purchase Agreement at the Department of Health and Human …

Radio Cloud Native – Week of May 11th, 2022
Where do Ubuntu 20.04, OpenSearch, Tungsten Fabric, and more all come together? In the latest Mirantis Container Cloud releases!

In the last several weeks we have released two updates to Mirantis Container Cloud - versions 2.16 and 2.17, which bring a number of important changes and enhancements. These are focused on both keeping key components up to date to provide the latest functionality and security fixes, and also delivering new functionalities for our customers to take advantage of in …

Where do Ubuntu 20.04, OpenSearch, Tungsten Fabric, and more all come together? In the latest Mirantis Container Cloud releases!
Monitoring Kubernetes costs using Kubecost and Mirantis Kubernetes Engine [Transcript]

Cloud environments & Kubernetes are becoming more and more expensive to operate and manage. In this demo-rich workshop, Mirantis and Kubecost demonstrate how to deploy Kubecost as a Helm chart on top of Mirantis Kubernetes Engine. Lens users will be able to visualize their Kubernetes spend directly in the Lens desktop application, allowing users to view spend and costs efficiently …

Monitoring Kubernetes costs using Kubecost and Mirantis Kubernetes Engine [Transcript]
Service Mesh for Mere Mortals
A Guide to Istio and How to Use Service Mesh Platforms
The Definitive Guide to Container Platforms
Manage your cloud-native container environment with Mirantis Container Cloud

Wednesday, January 5 at 10:00 am PST