Public AMI instances have no password, and you need a public/private key pair to log in to them. The public key half of this pair is embedded in your instance, allowing you to use the private key to log in securely without a password. After you create your own AMIs, you can choose other mechanisms to securely log in to your new instances.
You can have multiple key pairs, and each key pair requires a name. Be sure to choose a name that is easy to remember.
You have two options for getting a key pair:
Generate it yourself. You can use a third-party tool such as OpenSSH, and then import the public key to AWS using either the ec2-import-keypair command or the ImportKeyPair action.
Have AWS generate it for you. You can use the AWS Management Console, the ec2-add-keypair command, or the CreateKeyPair action.
AWS doesn't store a copy of the private key for either option. Amazon EC2 only stores the public key, and associates it with a friendly name that you specify for the key pair.
Note: If you are using PuTTY in Windows, you must convert the private key to PuTTY's format. For more information on using PuTTY with Amazon EC2, see Connecting to Linux/UNIX Instances from Windows Using PuTTY.
This section describes how to import a public key to AWS from a key pair you've created with a third-party tool.
You can easily create an RSA key pair on Windows or Linux
using the ssh-keygen command line tool (provided with the standard
OpenSSH installation). Java, Ruby, Python, and many other programming languages
provide standard libraries for RSA key pair creation.
EC2 accepts the following formats:
OpenSSH public key format (e.g., the format in ~/.ssh/authorized_keys)
Base64 encoded DER format
SSH public key file format as specified in RFC4716
EC2 does not accept DSA keys. Make sure your key generator is set up to create RSA keys.
Supported lengths: 1024, 2048, and 4096.
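A pre-import check for the constraints listed above, as an added example that is not part of the original documentation: it parses an OpenSSH public key line, rejects non-RSA key types and modulus lengths outside 1024, 2048 and 4096, and returns the base64 encoded material the Query API expects. The function names and the sample key (built around a made-up modulus) are constructed for illustration, and the block assumes the material sent is the text of the public key file.

```python
import base64
import struct

ACCEPTED_BITS = {1024, 2048, 4096}  # lengths the page lists as supported


def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_openssh_public_key(line):
    """Validate one OpenSSH public key line; return (modulus bits, base64 material)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if fields[0] != "ssh-rsa":
        raise ValueError(f"{fields[0]} rejected: only RSA keys are accepted")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    _exponent, off = _read_string(blob, off)
    modulus, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits not in ACCEPTED_BITS:
        raise ValueError(f"{bits}-bit modulus is not one of {sorted(ACCEPTED_BITS)}")
    # Assumption: the material sent is the text of the public key file, base64 encoded.
    material = base64.b64encode(line.strip().encode("ascii")).decode("ascii")
    return bits, material


def constructed_key_line(key_type, bits):
    """Build a well-formed key line around a made-up modulus (constructed, not a real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # mpint: leading 0x00
    blob = s(key_type.encode()) + s(b"\x01\x00\x01") + s(n)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"
```

Running the check before the import call catches a DSA key or an unsupported length locally instead of as a rejected request.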
To import a public key
Generate the key pair with a third-party tool of your choice.
Use ec2-import-keypair to import the public key
file to AWS. The following example names the key pair
gsg-keypair. The response displays the MD5 public key
fingerprint as specified in section 4 of RFC4716.
PROMPT>ec2-import-keypair gsg-keypair --public-key-file C:\keys\mykey.ppk
KEYPAIR gsg-keypair 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
To import the public key
Generate the key pair with the third-party tool of your choice.
Use ImportKeyPair to import the public key file
to AWS. The following Query example names the key pair
gsg-keypair. You must base64 encode the public key
material before sending it to AWS.
https://ec2.amazonaws.com/?Action=ImportKeyPair &KeyName=gsg-keypair &PublicKeyMaterial=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlDZHpDQ0FlQ2dBd0lCQWdJR0FQalRyR3pQ TUEwR0NTcUdTSWIzRFFFQkJRVUFNRk14Q3pBSkJnTlZCQVlUDQpBbFZUTVJNd0VRWURWUVFLRXdw QmJXRjZiMjR1WTI5dE1Rd3dDZ1lEVlFRTEV3TkJWMU14SVRBZkJnTlZCQU1UDQpHRUZYVXlCTWFX MXBkR1ZrTFVGemMzVnlZVzVqWlNCRFFUQWVGdzB3T1RBM016RXlNVFEzTXpWYUZ3MHhNREEzDQpN ekV5TVRRM016VmFNRkl4Q3pBSkJnTlZCQVlUQWxWVE1STXdFUVlEVlFRS0V3cEJiV0Y2YjI0dVky OXRNUmN3DQpGUVlEVlFRTEV3NUJWMU10UkdWMlpXeHZjR1Z5Y3pFVk1CTUdBMVVFQXhNTWJUSnVi RGhxZW00MWVHUjFNSUdmDQpNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ1dOazBo QytrcExBRnp2YkFQc3U1TDU5bFMwUnI0DQprZEpaM0RFak1pL0IwV2ZDSzhpS2hWYWt1WitHSnJt NDdMUHZCaFVKWk9IeHVUU0VXakFDNmlybDJzKzlSWXVjDQpFZXg0TjI4ZlpCZGpORlAzdEgwZ2Nu WjdIbXZ4aFBrTEtoRTdpZmViNmNGWUhRdHpHRnRPQ0ZQTmdUSE92VDE5DQoyR3lZb1VyU3BDVGFC UUlEQVFBQm8xY3dWVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdGZ1lEVlIwbEFRSC9CQXd3DQpDZ1lJ S3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWRCZ05WSFE0RUZnUVU1RVNuTUZZUzdyTDNX TUdLDQpqejMxVXZ5TThnMHdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFnWjdDZ1lJWHR1WFM1NHVq bU5jOTR0NWRNc3krDQpCM0Z3WVVNdUd4WUI2eGQvSUVWMTFLRVEyZ0hpZUdMU21jUWg4c2JXTTdt KzcrYm9UNmc2U2hLbU1jblkzWkRTDQpWRVFZZ25qcEt1aEZRd2pmaVpTUEc1UG5SVENhdkVqS3lT TUpDVGxpdTdTTjMrR2J3cFU5Uzg3K21GM2tsMGRmDQpZNlIrbEl5SWcrU3ROOTg9DQotLS0tLUVO RCBDRVJUSUZJQ0FURS0tLS0tEXAMPLE &AuthParams
The response includes the MD5 public key fingerprint as specified in section 4 of RFC4716.
<ImportKeyPairResponse xmlns="http://ec2.amazonaws.com/doc/2011-12-15/">
<requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
<keyName>gsg-keypair</keyName>
<keyFingerprint>
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
</keyFingerprint>
</ImportKeyPairResponse>
To generate a key pair
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
Click Key Pairs in the Navigation pane.
The console displays a list of key pairs associated with your account.
Click Create Key Pair.
The Key Pair dialog box appears.
Enter a name for the new key pair in the Key Pair Name field and click Create.
You are prompted to download the key file.
Download the key file and keep it in a safe place. You will need it to access any instances that you launch with this key pair.
To generate a key pair
Use ec2-add-keypair. The following example names
the resulting key pair gsg-keypair.
PROMPT>ec2-add-keypair gsg-keypair
Amazon EC2 returns a private key, similar to the one in the following example.
KEYPAIR gsg-keypair ff:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
You must save the private key to a local file so that you can use it later.
Create a file named id_rsa-gsg-keypair and paste the entire key generated in step 1, including the following lines.
"-----BEGIN RSA PRIVATE KEY-----"
"-----END RSA PRIVATE KEY-----"
Confirm that the file contents look similar to the following and save the file.
You can save the file in any directory, but if you do not put it in your current directory, you should specify the full path when using commands that require the key pair.
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
If you're using OpenSSH (or another SSH client), you should set the permissions of this file so it is only readable by you.
On Linux and UNIX, enter the information in the following example.
$ chmod 400 id_rsa-gsg-keypair; ls -l id_rsa-gsg-keypair
You receive output similar to the following example.
-r-------- 1 fred flintstones 1701 Jun 19 17:57 id_rsa-gsg-keypair
To generate a key pair
Construct the following Query request.
https://ec2.amazonaws.com/?Action=CreateKeyPair&KeyName=gsg-keypair&...auth parameters...
Following is an example response.
<CreateKeyPairResponse xmlns="http://ec2.amazonaws.com/doc/2011-12-15/">
<keyName>gsg-keypair</keyName>
<keyFingerprint>
ff:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f
</keyFingerprint>
<keyMaterial>-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----</keyMaterial>
</CreateKeyPairResponse>
You must save the private key to a local file so that you can use it later.
Create a file named id_rsa-gsg-keypair and paste the entire key generated in step 1, including the following lines.
"-----BEGIN RSA PRIVATE KEY-----"
"-----END RSA PRIVATE KEY-----"
Confirm that the file contents look similar to the following and save the file.
You can save the file in any directory, but if you do not put it in your current directory, you should specify the full path when using commands that require the key pair.
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
If you're using OpenSSH (or another SSH client), you should set the permissions of this file so it is readable only by you.
On Linux and UNIX, enter the information in the following example.
$ chmod 400 id_rsa-gsg-keypair; ls -l id_rsa-gsg-keypair
You receive output similar to the following example.
-r-------- 1 fred flintstones 1701 Jun 19 17:57 id_rsa-gsg-keypair
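Both save-the-key procedures above create the file first and restrict it afterwards, which leaves it readable under the default umask until chmod runs. The following added example (not part of the original documentation) creates the file owner-only from the start and audits an existing key file; the function names and the placeholder PEM body are constructed for illustration, and POSIX permissions are assumed.

```python
import os
import stat
import tempfile


def save_private_key(path, pem_text):
    """Create the key file already restricted to its owner, then make it read-only."""
    # O_EXCL refuses to overwrite an existing file or follow a pre-placed symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, pem_text.encode("ascii"))
        os.fchmod(fd, 0o400)  # same end state as `chmod 400`
    finally:
        os.close(fd)


def key_file_problems(path):
    """Return the reasons this key file should not be trusted as owner-only."""
    st = os.lstat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others: mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    return problems


def demo():
    """Constructed run: a placeholder PEM body, not a real key."""
    pem = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "id_rsa-gsg-keypair")
        save_private_key(good, pem)
        loose = os.path.join(d, "pasted-then-forgotten")
        with open(loose, "w") as f:
            f.write(pem)
        os.chmod(loose, 0o644)  # what a default umask typically leaves behind
        return key_file_problems(good), key_file_problems(loose)
```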