---
title: "Secure Data Transfer with SSH Tunneling"
slug: "ssh-tunnelling"
description: "Create reliable and secure data pipelines to data storages with Dataddo using SSH, a cryptographic network protocol for operating network services securely."
tags: ["Data destination", "How-to guide", "Security and compliance"]
updated: 2025-08-06T19:58:04Z
published: 2025-08-06T19:58:04Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dataddo.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure Data Transfer with SSH Tunnelling

**Secure Shell (SSH)** is a cryptographic network protocol that establishes a secure channel in a client-server architecture. It enables the operation of network services over unsecured and thus potentially vulnerable networks, linking an SSH client application with an SSH server.

At Dataddo, we prioritize the security and reliability of data transfers. Our platform offers advanced users the capability to implement **SSH tunneling**, which guarantees the safe transport of data to a diverse range of data storage destinations, be they on-premises or cloud-based.

## Prerequisites
:::(Error) ()
To set up **SSH tunneling** in Dataddo, ensure that
* You have an **SSH Bastion** server (also known as a jump or gateway server) that can access your private network.
* The Bastion server accepts incoming SSH connections from [Dataddo IPs](/docs/network-acl){target="_blank"}. 
:::

You can refer to the architecture as illustrated in the schema below.

![SSH tunnel](https://cdn.document360.io/084ed225-3f99-4644-a2da-39ca0cd5ef45/Images/Documentation/SSH%20tunnel.png){height="" width="640"}

## Authenticate Using a Public/Private Key Pair
We recommend using **a public and private key pair for authentication**. While password-based authentication is an option, it's less secure and not recommended. As illustrated in the schema above, ensure
* The **private key** is provided to Dataddo, and
* The **public key** is uploaded to the SSH Bastion server.

### Utilize an Existing Public/Private Key Pair
If you already have a public/private key pair, you can use it with Dataddo. To do this:
1. Provide Dataddo with the private key.
2. Ensure the public key is uploaded to your SSH Bastion Server.

To upload the private key to Dataddo:
1. Go to the [Security](https://app.dataddo.com/settings/security){target=`_blank`} page and navigate to the **Certificates** tab.
2. Click on **Add Certificate**.
    1. Name your certificate.
    2. For certificate type, select **RSA Private Key**
    3. Upload your private key.
3. **Save** your certificate.

### Generate a New Private/Public Key Pair in Dataddo
Alternatively, Dataddo can generate a public/private key pair for you. In this scenario, you only need to ensure that the public key is uploaded to your SSH Bastion Server. 

1. In Dataddo, navigate to the [Security](https://app.dataddo.com/settings/security){target=`_blank`} page.
2. Switch to the **Certificates** tab and click on **New Certificate**.
3. On the default **Generate Certificate** tab
    1. Name your private/public key pair,
    2. Select the appropriate private key bits,
    3. Click on **Generate**.
4. Copy the generated public key and upload it to your SSH Bastion Server. The key can be displayed only once.

## Configure an SSH Tunnel
Dataddo supports SSH tunneling for a variety of systems, including, but not limited to, [Redshift](/docs/redshift){target="_blank"}, [SQL Server](/docs/universal-sql-server){target="_blank"}, [MySQL](/docs/mysql-destination){target="_blank"} or [Postgres](/docs/postgres){target="_blank"}.

To establish a connection via an SSH tunnel, follow these steps:

1. Navigate to **Settings** and click on [**Security**](https://app.dataddo.com/settings/security){target=`_blank`}.
2. Switch to the **SSH Tunnels** tab and click **Create SSH Tunnel**.
3. Fill in the following fields:
    1. **Label**: SSH tunnel identifier used in Dataddo.
    2. **SSH Server IP or Hostname**: Enter the public IP address or hostname of your SSH server. Ensure your firewall settings permit incoming connections from Dataddo IPs.
    3. **SSH Server Port**: Specify the port for the SSH connection (the default is usually `22`).
    4. **SSH Server Username**: Provide the username for authentication.
    5. **SSH Server Password**: Provide the password for authentication. For certificate-based authentication, leave the field empty and select your certificate instead.
    6. **Certificate**: For certificate-based authentication, attach the appropriate certificate. Refer to this section to [upload or generate a new certificate](/docs/ssh-tunnelling#authentication-using-a-publicprivate-key-pair). 

:::(Info) (**DATADDO TIP**)
Once your SSH tunnel is created, you can select it when creating ***{{glossary.authorizer}}s***.
:::

![SSH Tunnel configuration.png](https://cdn.document360.io/084ed225-3f99-4644-a2da-39ca0cd5ef45/Images/Documentation/SSH%20Tunnel%20configuration.png){height="" width=""}

## Related

- [Network Access Control List (ACL) Configuration](/network-acl.md)