Rotate SSH keys

Learn how to rotate Retool's SSH keys.

Organizations with Self-hosted Retool deployments can regenerate SSH keys used for SSH tunneling. This allows you to follow your organization's credential rotation policy or update keys if your encryption key has changed.

Invalidate existing SSH keys

If you've rotated your encryption key—for example, while upgrading from Retool Cloud to Self-hosted—you may need to invalidate existing keys. These steps require access to the Retool PostgreSQL database.

1. Check the ssh_keys table

This SQL query should only return one record.

select * from ssh_keys;

2. Remove the existing SSH key

truncate ssh_keys;
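
The two steps above can be combined so that the key is removed only when the check passes. This is an added example, not taken from Retool's documentation; it assumes only the ssh_keys table named above and a PostgreSQL role permitted to lock and truncate it.

```sql
-- Added example: enforce the "only one record" check before removing the key.
-- A DO block runs in a single transaction, so a failed check leaves the
-- table untouched.
DO $$
DECLARE
    key_rows bigint;
BEGIN
    -- Block concurrent writers so the count cannot change before the truncate.
    LOCK TABLE ssh_keys IN ACCESS EXCLUSIVE MODE;

    SELECT count(*) INTO key_rows FROM ssh_keys;

    IF key_rows <> 1 THEN
        RAISE EXCEPTION
            'expected exactly 1 row in ssh_keys, found %; nothing was removed',
            key_rows;
    END IF;

    TRUNCATE ssh_keys;

    RAISE NOTICE 'removed % record from ssh_keys', key_rows;
END
$$;

-- Confirm the table is empty before regenerating the key.
SELECT count(*) AS remaining_keys FROM ssh_keys;
```

If the block raises the exception, inspect the rows returned by the query in step 1 before removing anything.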

Regenerate and download the new SSH key

When you download Retool's public key, Retool creates a new SSH key if one doesn't already exist.

If your key is for SSH tunneling, use the Download Retool's public key link on the resource configuration page. Clicking the link generates a new record in the ssh_keys table and downloads the public key to your local machine. Open the retool.pub file and copy the entire key to your clipboard.