Key management - AWS Transfer Family

Key management

In this section, you can find information about SSH keys, how to generate them, and how to rotate them.

Generate SSH keys

You can set up your server to authenticate users using the service managed authentication method, where user names and SSH keys are stored within the service. The user's public SSH key is uploaded to the server as a user's property. This key is used by the server as part of a standard key-based authentication process. Each user can have multiple public SSH keys on file with an individual server. For limits on number of keys that can be stored per user, see the AWS service quotas in the AWS General Reference.

As an alternative to the service managed authentication method, you can authenticate users using a custom identity provider. This allows you to plug in an existing identity provider using an Amazon API Gateway endpoint. For more information, see Authenticate using custom identity providers.

A server can only authenticate users using one method (service managed or custom identity provider), and that method cannot be changed after the server is created.

Creating SSH Keys on macOS, Linux, or UNIX

On the macOS, Linux, or UNIX operating systems, you use the ssh-keygen command to create an SSH public key and SSH private key also known as a key-pair.

To create SSH keys on a macOS, Linux, or UNIX operating system

  1. On macOS, Linux, or UNIX operating systems, open a command terminal.

  2. At the prompt, enter the following command: ssh-keygen -P "" -m PEM -f key_name.


    key_name is the SSH key-pair file name.

    The following shows an example of the ssh-keygen output.

  3. Navigate to the file and open it.

  4. Copy the text and paste it in SSH public key.


When you run the ssh-keygen command as shown preceding, it creates the public and private keys as files in the current directory.

Creating SSH Keys on Microsoft Windows

Windows uses a slightly different SSH key-pair format. The public key must be in the PUB format, and the private key must be in the PPK format. On Windows, you can use PuTTYgen to create an SSH key-pair in the appropriate formats. You can also use PuTTYgen to convert a private key generated using ssh-keygen to a .ppk file.


If you present WinSCP with a private key file not in .ppk format, that client offers to convert the key into .ppk format for you.

For a tutorial on creating SSH keys using PuTTYgen on Windows, see the website.

Rotate SSH keys

For security, we recommend the best practice of rotating your SSH keys. Usually, this rotation is specified as a part of a security policy and is implemented in some automated fashion. Depending upon the level of security, for a highly sensitive communication, an SSH key pair might be used only once. Doing this eliminates any risk due to stored keys. However, it is much more common to store SSH credentials for a period of time and set an interval that doesn't place undue burden on users. A time interval of three months is common.

There are two methods used to perform SSH key rotation:

  • In the console a new SSH public key can be uploaded and a existing SSH public key can be deleted.

  • Using the API, you can update existing users using the UpdateUser API command and a JSON data file.


To perform a key rotation in the console

  1. Open the AWS Transfer Family console at

  2. Navigate to the Servers page.

  3. Choose the identifier in the Server ID column to see the Server details page.

  4. Under Users, select the check box of the user whose SSH public key that you want to rotate, then choose Actions, and then choose Add key to see the Add key page.


    Choose the user name to see the User details page, and then choose Add SSH public key to see the Add key page.

  5. Enter the new SSH public key and choose Add key.


    The format of the SSH public key is ssh-rsa <string>.

    You are returned to the User details page, and the new SSH public key that you just entered appears in the SSH public keys section.

  6. Select the check box of the old you key that you want to delete and then choose Delete.

  7. Confirm the deletion operation by entering the word delete, and then choose Delete.


Prepare the appropriate JSON data file and issue the UpdateUser API command.