Rotate SSH keys
Learn how to rotate Retool's SSH keys.
Organizations with Self-hosted Retool deployments can regenerate SSH keys used for SSH tunneling. This allows you to follow your organization's credential rotation policy or update keys if your encryption key has changed.
Invalidate existing SSH keys
If you've rotated your encryption key—for example, while upgrading from Retool Cloud to Self-hosted—you may need to invalidate existing keys. These steps require access to the Retool PostgreSQL database.
1. Check the ssh_keys
table
This SQL query should only return one record.
select * from ssh_keys
2. Remove the existing SSH key
truncate ssh_keys
Regenerate and download the new SSH key
When you download Retool's public key, Retool creates a new SSH key if it doesn't already exist.
If your key is for SSH tunneling, use the Download Retool's public key link on the resource configuration page. Open the retool.pub
file and copy the entire key to your clipboard. Clicking the link generates a new record in the ssh_key
table and downloads the public key to your local machine.