Connect to your Linux instance if you lose your private key
If you lose the private key for an EBS-backed instance, you can regain access to your
instance. You must stop the instance, detach its root volume and attach it to another
instance
as a data volume, modify the authorized_keys file with a new public key,
move the volume back to the original instance, and restart the instance. For more
information
about launching, connecting to, and stopping instances, see Instance lifecycle.
This procedure is not supported for instances with instance-store backed root volumes.
To
determine the root device type of your instance, open the Amazon EC2 console, choose
Instances, select the instance, and check the value of Root
device type in the details pane. The value is either ebs or
instance store. If the root device is an instance store volume, you cannot use
this procedure to regain access to your instance; you must have the private key to
connect to
the instance.
Steps for connecting to an EBS-backed instance with a different key pair
- Step 1: Create a new key pair
- Step 2: Get information about the original instance and its root volume
- Step 3: Stop the original instance
- Step 4: Launch a temporary instance
- Step 5: Detach the root volume from the original instance and attach it to the temporary instance
- Step 6: Add the new public key to authorized_keys on the original volume mounted to the temporary instance
- Step 7: Unmount and detach the original volume from the temporary instance, and reattach it to the original instance
- Step 8: Connect to the original instance using the new key pair
- Step 9: Clean up
Step 1: Create a new key pair
Create a new key pair using either the Amazon EC2 console or a third-party tool. If you want to name your new key pair exactly the same as the lost private key, you must first delete the existing key pair. For information about creating a new key pair, see Option 1: Create a key pair using Amazon EC2 or Option 2: Import your own public key to Amazon EC2.
Step 2: Get information about the original instance and its root volume
Make note of the following information because you'll need it to complete this procedure.
Step 3: Stop the original instance
Choose Instance state, Stop instance. If this option is disabled, either the instance is already stopped or its root device is an instance store volume.
When you stop an instance, the data on any instance store volumes is erased. To keep data from instance store volumes, be sure to back it up to persistent storage.
Step 4: Launch a temporary instance
Choose Launch instances, and then use the launch wizard to launch a temporary instance with the following options:
-
On the Choose an AMI page, select the same AMI that you used to launch the original instance. If this AMI is unavailable, you can create an AMI that you can use from the stopped instance. For more information, see Create an Amazon EBS-backed Linux AMI.
-
On the Choose an Instance Type page, leave the default instance type that the wizard selects for you.
-
On the Configure Instance Details page, specify the same Availability Zone as the original instance. If you're launching an instance in a VPC, select a subnet in this Availability Zone.
-
On the Add Tags page, add the tag
Name=Temporaryto the instance to indicate that this is a temporary instance. -
On the Review page, choose Launch. Create a new key pair, download it to a safe location on your computer, and then choose Launch Instances.
Step 5: Detach the root volume from the original instance and attach it to the temporary instance
-
In the navigation pane, choose Volumes and select the root device volume for the original instance (you made note of its volume ID in a previous step). Choose Actions, Detach Volume, and then select Yes, Detach. Wait for the state of the volume to become
available. (You might need to choose the Refresh icon.) -
With the volume still selected, choose Actions, and then select Attach Volume. Select the instance ID of the temporary instance, make note of the device name specified under Device (for example,
/dev/sdf), and then choose Attach.Note If you launched your original instance from an AWS Marketplace AMI and your volume contains AWS Marketplace codes, you must first stop the temporary instance before you can attach the volume.
Step 6: Add the new public key to
authorized_keys on the original volume mounted to the temporary
instance
-
Connect to the temporary instance.
-
From the temporary instance, mount the volume that you attached to the instance so that you can access its file system. For example, if the device name is
/dev/sdf, use the following commands to mount the volume as/mnt/tempvol.Note The device name might appear differently on your instance. For example, devices mounted as
/dev/sdfmight show up as/dev/xvdfon the instance. Some versions of Red Hat (or its variants, such as CentOS) might even increment the trailing letter by 4 characters, where/dev/sdbecomesf/dev/xvd.k-
Use the lsblk command to determine if the volume is partitioned.
[ec2-user ~]$lsblkNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT xvda 202:0 0 8G 0 disk └─xvda1 202:1 0 8G 0 part / xvdf 202:80 0 101G 0 disk └─xvdf1 202:81 0 101G 0 part xvdg 202:96 0 30G 0 diskIn the preceding example,
/dev/xvdaand/dev/xvdfare partitioned volumes, and/dev/xvdgis not. If your volume is partitioned, you mount the partition (/dev/xvdf1)instead of the raw device (/dev/xvdf) in the next steps. -
Create a temporary directory to mount the volume.
[ec2-user ~]$sudo mkdir /mnt/tempvol -
Mount the volume (or partition) at the temporary mount point, using the volume name or device name that you identified earlier. The required command depends on your operating system's file system.
-
Amazon Linux, Ubuntu, and Debian
[ec2-user ~]$sudo mount /dev/xvdf1/mnt/tempvol -
Amazon Linux 2, CentOS, SUSE Linux 12, and RHEL 7.x
[ec2-user ~]$sudo mount -o nouuid /dev/xvdf1/mnt/tempvol
-
Note If you get an error stating that the file system is corrupt, run the following command to use the fsck utility to check the file system and repair any issues:
[ec2-user ~]$sudo fsck /dev/xvdf1 -
-
From the temporary instance, use the following command to update
authorized_keyson the mounted volume with the new public key from theauthorized_keysfor the temporary instance.Important The following examples use the Amazon Linux user name
ec2-user. You might need to substitute a different user name, such asubuntufor Ubuntu instances.[ec2-user ~]$cp .ssh/authorized_keys /mnt/tempvol/home/ec2-user/.ssh/authorized_keysIf this copy succeeded, you can go to the next step.
(Optional) Otherwise, if you don't have permission to edit files in
/mnt/tempvol, you must update the file using sudo and then check the permissions on the file to verify that you are able to log into the original instance. Use the following command to check the permissions on the file.[ec2-user ~]$sudo ls -l /mnt/tempvol/home/ec2-user/.sshtotal 4 -rw------- 1222 500398 Sep 13 22:54 authorized_keysIn this example output,
222is the user ID and500is the group ID. Next, use sudo to re-run the copy command that failed.[ec2-user ~]$sudo cp .ssh/authorized_keys /mnt/tempvol/home/ec2-user/.ssh/authorized_keysRun the following command again to determine whether the permissions changed.
[ec2-user ~]$sudo ls -l /mnt/tempvol/home/ec2-user/.sshIf the user ID and group ID have changed, use the following command to restore them.
[ec2-user ~]$sudo chown222:500/mnt/tempvol/home/ec2-user/.ssh/authorized_keys
Step 7: Unmount and detach the original volume from the temporary instance, and reattach it to the original instance
-
From the temporary instance, unmount the volume that you attached so that you can reattach it to the original instance. For example, use the following command to unmount the volume at
/mnt/tempvol.[ec2-user ~]$sudo umount /mnt/tempvol -
Detach the volume from the temporary instance (you unmounted it in the previous step): From the Amazon EC2 console, select the root device volume for the original instance (you made note of the volume ID in a previous step), choose Actions, Detach Volume, and then choose Yes, Detach. Wait for the state of the volume to become
available. (You might need to choose the Refresh icon.) -
Reattach the volume to the original instance: With the volume still selected, choose Actions, Attach Volume. Select the instance ID of the original instance, specify the device name that you noted earlier in Step 2 for the original root device attachment (
/dev/sda1or/dev/xvda), and then choose Attach.Important If you don't specify the same device name as the original attachment, you cannot start the original instance. Amazon EC2 expects the root device volume at
sda1or/dev/xvda.
Step 8: Connect to the original instance using the new key pair
Select the original instance, choose Instance state,
Start instance. After the instance enters the running
state, you can connect to it using the private key file for your new key pair.
If the name of your new key pair and corresponding private key file is different from the name of the original key pair, ensure that you specify the name of the new private key file when you connect to your instance.
Step 9: Clean up
(Optional) You can terminate the temporary instance if you have no further use for it. Select the temporary instance, and choose Instance state, Terminate instance.
