SSH Keys
How SSH Authentication Works
DeployShip authenticates with your server using an SSH key pair that you provide. The process works as follows:
- You generate an SSH key pair on your local machine (or use an existing one).
- You add the public key to your server's ~/.ssh/authorized_keys file for the deploy user. The initialization script does this automatically.
- You paste the private key into the DeployShip dashboard when adding your server.
- DeployShip encrypts the private key with AES-256-GCM and stores only the ciphertext in the database. The plaintext key is never stored.
- During a deployment, the private key is decrypted in memory, used to open the SSH connection, and then immediately discarded.
Generating an SSH Key
If you need to generate a new key pair:
ssh-keygen -t ed25519 -C "deployship-myserver"
This creates two files: id_ed25519 (private key) and id_ed25519.pub
(public key). Add the public key to your server and paste the private key
into DeployShip.
Security Guarantees
- Private keys are AES-256-GCM encrypted at rest
- The encryption key is stored separately from the database
- SSH connections are ephemeral — opened per deploy, closed immediately after
- The private key variable is explicitly nulled from memory after use
- Private keys are never included in any logs or API responses
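The encrypt-at-rest and decrypt-in-memory flow described under How SSH Authentication Works and in the guarantees above, as an added example in Node.js (not DeployShip's own code). The function names, the nonce || tag || ciphertext record layout, and the use of a server ID as additional authenticated data are assumptions made for illustration.

```javascript
// Added example, not DeployShip's code. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

// Encrypt a private key for storage. `kek` is a 32-byte key held outside the
// database; `serverId` is bound as AAD so a record cannot be moved between servers.
function sealPrivateKey(kek, serverId, privateKeyPem) {
  if (kek.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, nonce);
  cipher.setAAD(Buffer.from(serverId, 'utf8'));
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  // Assumed record layout: nonce || tag || ciphertext, base64-encoded.
  return Buffer.concat([nonce, tag, ct]).toString('base64');
}

// Decrypt into a Buffer; throws if the record or serverId was altered.
function openPrivateKey(kek, serverId, record) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < 28) throw new Error('record too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(serverId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() verifies the tag and throws before anything is returned.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
}

// Run `use(keyBuffer)` and zero the returned plaintext buffer, even on error.
function withPrivateKey(kek, serverId, record, use) {
  const key = openPrivateKey(kek, serverId, record);
  try {
    return use(key);
  } finally {
    key.fill(0);
  }
}

// Constructed sample input: a placeholder, not a real key.
const SAMPLE_PEM =
  '-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END OPENSSH PRIVATE KEY-----\n';

function demo() {
  const kek = nodeCrypto.randomBytes(32); // in practice loaded from a separate secret store
  const record = sealPrivateKey(kek, 'server-1', SAMPLE_PEM);
  const length = withPrivateKey(kek, 'server-1', record, (k) => k.length);
  return { record, length };
}
```

The plaintext is kept in a Buffer rather than a string because JavaScript strings are immutable and cannot be overwritten; intermediate chunks produced during decryption are still left to the garbage collector.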