Wondering What A “Key Pair” Is?
When you want to launch an EC2 instance in AWS, you need a key pair. A Key Pair AWS helps us to access our instances without using a password. Key pairs improve the security by preventing the password from being kept in a file and prevents password stealing from your compromised computer. This key pair consists of a private key (a file with the extension of .pem/.ppk) and a public key (using a private and a public key is the asymmetric encryption method).
You can use a private key to access your instances securely. You store the private key in your local computer and EC2 instances store the public key. EC2 instances get the public key contents from the metadata of the instance and store it in a file named “authorized_keys” under “/home/ec2-user/.ssh” directory.
When connecting to an instance, you must specify the name of the private key and its directory. This command is used for connecting to a linux instance via ssh:
(ssh -i “mk.pem” firstname.lastname@example.org)
The name of the private key (mk.pem) is specified in the command and we have the private key in the current directory.
If your current directory is different from the directory of the private key, you can use an absolute and relative path to define the directory of the private key.
Wondering How To Create Key Pairs?
We’ll show you three ways of creating key pairs. One method is to run the “ssh-keygen” command and the other ways will be set up from the AWS Console.
ssh-keygen is a command/tool (OpenSSH format) for generating authentication key pairs for SSH.
SSH supports other public key algorithms (rsa, dsa, ecdsa, ed25519) for key pairs (in this article we will use rsa.) You can use the “ssh-keygen -m PEM” command for generating a new set of key pairs. By default, the command creates a private key whose name is “id_rsa” and a public key whose name is “id_rsa.pub” (NOTE – you can change the name of key pairs). After you run the command, it asks where to save the file. Best practice – store key pairs in the .ssh directory under the user’s home directory locally. After that, you need to import your Public key contents from your local computer to AWS. Then you can easily access your EC2 instance with created key pairs.
The first way you can create a key pair from the AWS console is to create a key pair when you are launching your EC2 instances. The picture shows the last step (Step 7: Review Instance Launch) of launching an instance. You can create your key pair with “Select an existing key pair or create a new key pair” pop-up window. First choose the “Create a new key pair” then write the name of the key pair and click the “Download Key Pair”. You need to download the file because you will not be able to download it again after it is created.
The second way you can create a key pair is to use the EC2 console. Open the EC2 console. In the navigation pane, under the NETWORK & SECURITY, click “Key Pairs”. Then, in the upper right corner of the page click “Create Key Pair.”
Write the name of the key pair and choose file format. Pem file format is used with OpenSSH and ppk file format is used with PuTTY. Now you can click “Create key pair” button.
There is another way to get the contents of the public key…
First, launch an EC2 instance with the private key that you want to import to another region and connect that instance via ssh. Under the home directory of ec2-user, there is a hidden “.ssh” directory. Under the “.ssh” there is a file whose name is “authorized_keys” that stores contents of the public key. You can also see your public key contents in the metadata of the instance with this command “TOKEN=`curl -X PUT “http://169.254.169.254/latest/api/token” -H “X-aws-ec2-metadata-token-ttl-seconds: 21600″` && curl -H “X-aws-ec2-metadata-token: $TOKEN” -v http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key”.
In our example, we have successfully imported our key pair from N.Virginia region to Ohio region. We can use the same key in both regions (N.Virginia and Ohio)
Here’s How to Import The Key Pair To Another Region
You may want to move the key pair to other regions for a number of reasons. You can import key pairs to another region in the EC2 console.
Example: We created our key pair (mk-second) in N.Virginia and we want to import it to the Ohio region. Open the EC2 console – in the navigation pane under the NETWORK & SECURITY click “Key Pairs” for both of the regions. We will import a mk-second key pair (in N.Virginia) to the Ohio region. (We do not have any key pairs in the Ohio region.)
Switch to the Ohio region and open the EC2 console and in the navigation pane under the NETWORK & SECURITY click “Key Pairs”. In the upper right corner of the page, click “Actions” button and choose “import key pair”.
Write the same name of the key pair created in N.Virginia region. After that, if you have your public key file you can select it with the “Browse” button or paste the contents of the public key into the text box. You can generate your public key with this command “ssh-keygen -y -f mk-second.pem > $HOME/.ssh/mk-second.txt” in the directory of your private key file.
This command will save your public key as an mk-second.txt file. You can browse and select mk-second.txt file or copy and paste the content of mk-second.txt file into text box. Then, click “Import key pair” button.