SSH Keypairs
An SSH keypair stores an SSH public key and its corresponding PEM-encoded private key. Both halves are encrypted at rest and delivered to your containers as separate files.
When to use an SSH keypair
- Your application connects to remote servers via SSH and needs a deploy key
- CI/CD pipelines pull code from private Git repositories over SSH
- An application signs or verifies data using SSH keys (e.g. ssh-keygen -Y sign)
- You need to inject SSH identity files into containers at runtime
What Bahriya stores
When you upload an SSH keypair, Bahriya parses the public key line and stores metadata alongside the encrypted material:
| Field | Description |
|---|---|
| Fingerprint | SHA256 fingerprint of the public key |
| Algorithm | Key algorithm (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, etc.) |
| Key bits | Key size in bits (for RSA keys) |
| Comment | The comment field from the public key line (e.g. deploy@prod) |
This metadata is visible in list views and detail pages so you can identify keys at a glance.
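
To check locally that the key you are about to upload matches the metadata listed above, the following added example (not Bahriya's own code) derives the same four fields from a standard OpenSSH public key line. The function names and the sample key are constructed for illustration, and it assumes the fingerprint is shown in OpenSSH's `SHA256:<base64>` form.

```python
import base64
import hashlib
import struct

def _read_string(blob, offset):
    """Read one RFC 4251 length-prefixed string; return (value, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def describe_public_key(line):
    """Return fingerprint, algorithm, key bits and comment for one public key line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64> [comment]'")
    algorithm, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, offset = _read_string(blob, 0)
    # The algorithm name is repeated inside the blob; a mismatch means the
    # line was edited or corrupted, so refuse it.
    if inner.decode("ascii", "replace") != algorithm:
        raise ValueError("algorithm label does not match key blob")
    bits = None  # the page lists key bits for RSA keys only
    if algorithm == "ssh-rsa":
        _e, offset = _read_string(blob, offset)  # public exponent
        n, offset = _read_string(blob, offset)   # modulus
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"fingerprint": fingerprint, "algorithm": algorithm,
            "key_bits": bits, "comment": comment}

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample: a structurally valid ssh-rsa line with a made-up
# 2048-bit modulus (not a usable key).
_n = ((1 << 2047) | 1).to_bytes(257, "big")  # leading 0x00 keeps the mpint positive
_blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(_n)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_blob).decode() + " deploy@prod"

if __name__ == "__main__":
    print(describe_public_key(SAMPLE_LINE))
```

The fingerprint string has the same form that `ssh-keygen -lf` prints for a public key file, so either can be compared against the value in the list view.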
Mounting in containers
When you attach an SSH keypair to a container, you choose a mount path. The key files appear as:
<mount-path>/public_key # The public key line
<mount-path>/private_key # The PEM-encoded private key
Your application reads them from these paths. For example, a Git clone step might reference /etc/ssh/private_key as the identity file.
Rotation
Rotation creates a new version of the keypair. The previous version is retained for rollback. After rotation:
- File-mounted containers pick up the new keys automatically within about 60 seconds. No manual action needed.
- If you need to force a restart, use the Redeploy button on the Consumers panel.
Pricing
SSH keypairs are billed at $0.02 per month while they exist, plus $0.02 per region per month when attached to a project.