Amazon EC2 key pairs and Linux instances
A key pair, consisting of a private key and a public key, is a set of security credentials that you use to prove your identity when connecting to an instance. Amazon EC2 stores the public key, and you store the private key. You use the private key, instead of a password, to securely access your instances. Anyone who possesses your private keys can connect to your instances, so it's important that you store your private keys in a secure place.
When you launch an instance, you are prompted
for a key pair. If you plan to connect to the instance using SSH, you
must specify a key pair. You can choose an existing key pair or create a new one.
When your instance boots for the first time, the content of the public key that you
specified at launch is placed on your Linux instance in an entry within
~/.ssh/authorized_keys
. When you connect to your Linux instance using
SSH, to log in you must specify the private key that corresponds to the public key
content.
For more information about connecting to your instance, see Connect to your Linux instance. For more information about key pairs and Windows
instances, see Amazon EC2 key pairs and Windows
instances in the Amazon EC2 User Guide for Windows Instances
Because Amazon EC2 doesn't keep a copy of your private key, there is no way to recover a private key if you lose it. However, there can still be a way to connect to instances for which you've lost the private key. For more information, see Connect to your Linux instance if you lose your private key.
The keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys. You can have up to 5,000 key pairs per Region.
Contents
- Create or import a key pair
- Tag a key pair
- Retrieve the public key for your key pair
- Retrieve the public key for your key pair through instance metadata
- Locate the public key on an instance
- Identify the key pair that was specified at launch
- (Optional) Verify your key pair's fingerprint
- Add or replace a key pair for your instance
- Connect to your Linux instance if you lose your private key
- Delete your key pair
Create or import a key pair
You can use Amazon EC2 to create a new key pair, or you can import an existing key pair.
Options
Option 1: Create a key pair using Amazon EC2
You can create a key pair using one of the following methods.
Option 2: Import your own public key to Amazon EC2
Instead of using Amazon EC2 to create your key pair, you can create an RSA key pair using a third-party tool and then import the public key to Amazon EC2.
Requirements for key pairs
-
The following formats are supported:
-
OpenSSH public key format (the format in
~/.ssh/authorized_keys
). If you connect using SSH while using the EC2 Instance Connect API, the SSH2 format is also supported. -
Base64 encoded DER format
-
SSH public key file format as specified in RFC4716
-
SSH private key file format must be PEM
-
-
Create an RSA key. Amazon EC2 does not accept DSA keys.
-
The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
To create a key pair using a third-party tool
-
Generate a key pair with a third-party tool of your choice. For example, you can use ssh-keygen (a tool provided with the standard OpenSSH installation). Alternatively, Java, Ruby, Python, and many other programming languages provide standard libraries that you can use to create an RSA key pair.
Important The private key must be in the PEM format. For example, use
ssh-keygen -m PEM
to generate the OpenSSH key in the PEM format. -
Save the public key to a local file. For example,
~/.ssh/my-key-pair.pub
. The file name extension for this file is not important. -
Save the private key to a local file that has the
.pem
extension. For example,~/.ssh/my-key-pair.pem
.Important Save the private key file in a safe place. You'll need to provide the name of your public key when you launch an instance and the corresponding private key each time you connect to the instance.
After you have created the key pair, use one of the following methods to import your public key to Amazon EC2.
Tag a key pair
To help categorize and manage your existing key pairs, you can tag them with custom metadata. For more information about how tags work, see Tag your Amazon EC2 resources.
You can view, add, and delete tags using the new console and the command line tools.
Retrieve the public key for your key pair
On your local Linux or macOS computer, you can use the ssh-keygen
command to retrieve the public key for your key pair. Specify the path where you
downloaded your private key (the .pem
file).
ssh-keygen -y -f /
path_to_key_pair
/my-key-pair.pem
The command returns the public key, as shown in the following example.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V
hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr
lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ
qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb
BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE
If the command fails, run the following command to ensure that you've changed the permissions on your key pair file so that only you can view it.
chmod 400
my-key-pair
.pem
Retrieve the public key for your key pair through instance metadata
The public key that you specified when you launched an instance is also available to you through its instance metadata. To view the public key that you specified when launching the instance, use the following command from your instance:
If you change the key pair that you use to connect to the instance, we don't update the instance metadata to show the new public key. Instead, the instance metadata continues to show the public key for the key pair that you specified when you launched the instance. For more information, see Retrieve instance metadata.
Alternatively, on a Linux instance, the public key content is placed in an entry
within ~/.ssh/authorized_keys
. You can open this file in an editor.
The following is an example entry for the key pair named
my-key-pair
. It consists of the public key followed
by the name of the key pair.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6V
hz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXr
lsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZ
qaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3Rb
BQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE my-key-pair
Locate the public key on an instance
When you launch an instance, you are prompted for a key pair. If you plan to connect to the instance using
SSH, you must specify a key pair. You can choose an existing key pair or create
a new one. When your instance boots for the first time, the content of the public
key that you
specified at launch is placed on your Linux instance in an entry within
~/.ssh/authorized_keys
.
To locate the public key on an instance
-
Connect to your instance. For more information, see Connect to your Linux instance.
-
In the terminal window, open the
authorized_keys
file using your favorite text editor (such as vim or nano).[ec2-user ~]$
nano ~/.ssh/authorized_keys
The
authorized_keys
file opens, displaying the public key, as shown in the following example.ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3eYhCe53pcjqP3maAhDFcvBS7O6Vhz2ItxCih+PnDSUaw+WNQn/mZphTk/a/gU8jEzoOWbkM4yxyb/wB96xbiFveSFJuOp/d6RJhJOI0iBXrlsLnBItntckiJ7FbtxJMXLvvwJryDUilBMTjYtwB+QhYXUMOzce5Pjz5/i8SeJtjnV3iAoG/cQk+0FzZqaeJAAHco+CY/5WrUBkrHmFJr6HcXkvJdWPkYQS3xqC0+FmUZofz221CBt5IMucxXPkX4rWi+z7wB3RbBQoQzd8v7yeb7OzlPnWOyN0qFU0XA246RA8QFYiCNYwI3f05p6KLxEXAMPLE
Identify the key pair that was specified at launch
When you launch an instance, you are prompted for a key pair. If you plan to connect to the instance using SSH, you must specify a key pair.
(Optional) Verify your key pair's fingerprint
On the Key Pairs page in the Amazon EC2 console, the Fingerprint column displays the fingerprints generated from your key pairs. AWS calculates the fingerprint differently depending on whether the key pair was generated by AWS or a third-party tool. If you created the key pair using AWS, the fingerprint is calculated using an SHA-1 hash function. If you created the key pair with a third-party tool and uploaded the public key to AWS, or if you generated a new public key from an existing AWS-created private key and uploaded it to AWS, the fingerprint is calculated using an MD5 hash function.
You can use the SSH2 fingerprint that's displayed on the Key Pairs page to verify that the private key you have on your local machine matches the public key stored in AWS. From the computer where you downloaded the private key file, generate an SSH2 fingerprint from the private key file. The output should match the fingerprint that's displayed in the console.
If you created your key pair using AWS, you can use the OpenSSL tools to generate a fingerprint as shown in the following example.
$
openssl pkcs8 -in
path_to_private_key
-inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
If you created a key pair using a third-party tool and uploaded the public key to AWS, you can use the OpenSSL tools to generate the fingerprint as shown in the following example.
$
openssl rsa -in
path_to_private_key
-pubout -outform DER | openssl md5 -c
If you created an OpenSSH key pair using OpenSSH 7.8 or later and uploaded the public key to AWS, you can use ssh-keygen to generate the fingerprint as shown in the following example.
$
ssh-keygen -ef
path_to_private_key
-m PEM | openssl rsa -RSAPublicKey_in -outform DER | openssl md5 -c
Add or replace a key pair for your instance
You can change the key pair that is used to access the default system account of your
instance. For example, if a user in your organization requires access to the system
user
account using a separate key pair, you can add that key pair to your instance.
Or, if
someone has a copy of the .pem
file and you want to prevent them
from connecting to your instance (for example, if they've left your organization),
you
can replace the key pair with a new one.
To add or replace a key pair, you must be able to connect to your instance. If you've lost your existing private key or you launched your instance without a key pair, you won't be able connect to your instance and therefore won't be able to add or replace a key pair. If you've lost your existing private key, you might be able to retrieve it. For more information, see Connect to your Linux instance if you lose your private key. If you launched your instance without a key pair, you won't be able to connect to the instance unless you chose an AMI that is configured to allow users another way to log in.
These procedures are for modifying the key pair for the default user account, such
as
ec2-user
. For more information about adding user accounts to your
instance, see Manage user accounts on your Amazon Linux instance.
To add or replace a key pair
-
Create a new key pair using the Amazon EC2 console or a third-party tool.
-
Retrieve the public key from your new key pair. For more information, see Retrieve the public key for your key pair.
-
Connect to your instance using your existing private key file.
-
Using a text editor of your choice, open the
.ssh/authorized_keys
file on the instance. Paste the public key information from your new key pair underneath the existing public key information. Save the file. -
Disconnect from your instance, and test that you can connect to your instance using the new private key file.
-
(Optional) If you're replacing an existing key pair, connect to your instance and delete the public key information for the original key pair from the
.ssh/authorized_keys
file.
If you're using an Auto Scaling group, ensure that the key pair you're replacing is not specified in your launch template or launch configuration. Amazon EC2 Auto Scaling launches a replacement instance if it detects an unhealthy instance; however, the instance launch fails if the key pair cannot be found.
Delete your key pair
When you delete a key pair, you are only deleting the Amazon EC2 copy of the public
key.
Deleting a key pair doesn't affect the private key on your computer or the public
key on
any instances that already launched using that key pair. You can't launch a new instance
using a deleted key pair, but you can continue to connect to any instances that you
launched using a deleted key pair, as long as you still have the private key
(.pem
) file.
If you're using an Auto Scaling group (for example, in an Elastic Beanstalk environment), ensure that the key pair you're deleting is not specified in your launch configuration. Amazon EC2 Auto Scaling launches a replacement instance if it detects an unhealthy instance; however, the instance launch fails if the key pair cannot be found.
You can delete a key pair using one of the following methods.
If you create a Linux AMI from an instance, and then use the AMI to launch a new
instance in a different Region or account, the new instance includes the public key
from the
original instance. This enables you to connect to the new instance using the same
private
key file as your original instance. You can remove this public key from your instance
by
removing its entry from the .ssh/authorized_keys
file using a text
editor of your choice. For more information about managing users on your instance
and
providing remote access using a specific key pair, see Manage user accounts on your Amazon Linux instance.