85

Where should I keep this file for security? At the moment it is on my desktop - should I put it somewhere else?

leblaireau
  • 1,133
  • 4
  • 10
  • 13

2 Answers

123

The 'standard' location would be a .ssh directory in your $HOME. i.e.

/Users/$USER/.ssh/

You should protect this directory with permissions 700. You can set up a config file to automatically use the .pem, and set the username when sshing to EC2 instances as explained here.

David Beauchemin
  • 231
  • 1
  • 2
  • 12
Daniel Scott
  • 7,418
  • 5
  • 39
  • 58
  • 11
    The `chmod 700 yourfile.pem` is truly needed. I got the following message today: `Permissions 0644 for 'TestKeys.pem' are too open.`. After changing the permissions, it worked just fine. – Jonathan Soifer Sep 12 '16 at 10:07
  • Actually: isn't 600 enough? – Jonathan Soifer Sep 12 '16 at 10:08
  • 600 has fewer permissions, and would prevent you from running an 'ls' in the .ssh directory. – Daniel Scott Sep 12 '16 at 18:34
  • I'm really interested in this: setting a 600 permission for the .pem file will prevent me from running an `ls` command in the `.ssh` directory? How does that work? – Jonathan Soifer Sep 12 '16 at 19:18
  • 7
    Getting well off topic here, but 600 is -rw------, and 700 is xrw------. On a directory, the execute bit allows you to list the contents of the directory: http://unix.stackexchange.com/questions/21251/how-do-directory-permissions-in-linux-work – Daniel Scott Sep 13 '16 at 08:33
  • Thank you for the patience. Maybe we should delete these comments now. You were referring to the directory, I was thinking about the file. I protected the file with 600 :) – Jonathan Soifer Sep 13 '16 at 09:35
  • Is Amazon's direction to use 400 not ok? – NathanQ May 02 '17 at 15:53
  • 400 for the directory might not work... Depends on whether your SSH client tries to list the directory contents – Daniel Scott May 02 '17 at 16:48
  • Is putting this key in CodeCommit safe? – Shamal Karunarathne Mar 18 '18 at 03:43
  • 2
    @ShamalKarunarathne no, it's your private key. If you must store/back it up then you should use KMS or vault or some other secrets storage system – Daniel Scott Mar 18 '18 at 10:34
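The comment thread above turns on which permission bits ssh actually checks. As an added example (not part of either answer or of the ssh project), the POSIX sh functions below audit an `.ssh`-style directory by that rule: a private key is rejected by ssh when any group or other bits are set, so 400 and 600 both pass; the directory itself needs the owner execute bit that 700 has and 600 lacks, because without it the directory cannot be traversed or listed. File names treated as non-private (`*.pub`, `config`, `known_hosts*`, `authorized_keys`) are this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the original answers: audit an ~/.ssh-style
# directory the way ssh judges it. Works with GNU stat (Linux) and
# BSD stat (macOS).

# Print the permission bits of a path in octal (GNU first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if MODE (octal string such as 600, 400 or 0700) grants
# nothing to group or other, which is exactly ssh's "too open" test.
owner_only() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if MODE gives the owner execute (search) permission. A
# directory needs this to be traversed and listed; 700 has it, 600 does not.
owner_can_traverse() {
    case "$1" in
        *[1357][0-7][0-7]) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Audit DIR: print one line per problem and return the number of
# problems found (0 means the directory and every private key are fine).
# Assumption: every regular file that is not a public key, config,
# known_hosts or authorized_keys is a private key.
audit_ssh_dir() {
    dir=$1
    problems=0

    dmode=$(mode_of "$dir")
    if ! owner_only "$dmode" || ! owner_can_traverse "$dmode"; then
        echo "$dir: mode $dmode, expected 700"
        problems=$((problems + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            *.pub|config|known_hosts*|authorized_keys) continue ;;
        esac
        fmode=$(mode_of "$f")
        if ! owner_only "$fmode"; then
            echo "$f: mode $fmode is too open for a private key (use 600 or 400)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage after sourcing this file:  audit_ssh_dir ~/.ssh
```

Source the file and run `audit_ssh_dir ~/.ssh`; a non-zero return is the count of findings, so it drops straight into a login script or a fleet check. The two predicates are kept separate on purpose: the key-file test only cares that group and other have nothing, while the directory test additionally needs owner execute, which is the distinction the 600-versus-700 comments were circling.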
0

For AWS cloud people and local Mac users, I would like to give a more detailed explanation. Let's say you downloaded the "foo.pem" file to your desktop and you want to hide and secure the file so no one can access it except you, and whenever you want to connect to an EC2 instance, you want to find the file easily. I will try to explain how you can solve this step by step (assuming the foo.pem file is on your desktop).

cd ~/Desktop                        # go to the directory that holds foo.pem
mkdir -p ~/.ssh && cp foo.pem ~/.ssh/   # create .ssh if missing, then copy the key in
chmod 700 ~/.ssh/                   # directory: owner only, with execute so it can be listed
chmod 600 ~/.ssh/foo.pem            # key file: owner read/write only

In the first step, we are in the same directory as the pem file. In the second step, we copy the file into the .ssh directory. The third and fourth steps set the directory and file permissions (secure industry standards). To verify that everything is OK:

cd ~/.ssh/
ls

If you can see the pem file, then it is OK. If you have a backup (I assume you have), then you can delete the pem file on your desktop. Now I hear the question: how can we reach the foo.pem file in order to connect to the EC2 instance? The answer is:

ssh -i ~/.ssh/foo.pem user@<instance-ip-address>

I hope it helps.

Utku Can
  • 683
  • 3
  • 12