
I'd like to SSH into my EC2 instance with a password protected pem file. How do I password protect a pem file? I've done this in the past but can't remember how I did it. I took a pem file generated by AWS and ran some command on it and it generated something that looked like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<BlahBlahBlah>

<encrypted stuff is here>

-----END RSA PRIVATE KEY-----

Then when I SSH into the box, I'm specifying my password protected pem file and it asks me to enter the password before decrypting and SSHing in.

I found this: https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html

Which tells me to use this command

ssh-keygen -t rsa -N 'super secret passphrase' -f test_rsa_key

But the resulting encrypted file (that has the correct header I'm looking for) doesn't seem to work. I'm getting "Permission denied (publickey)." when I try to ssh using that encrypted pem file. I am able to SSH into the box with the unencrypted pem file.

LampShade

2 Answers


It is because the command you are using generates a new key pair instead of protecting your existing private key.

Try using the -p option of ssh-keygen

ssh-keygen -p -f my_private_key

It will prompt you for a passphrase and protect your private key.

Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Now if you use my_private_key in ssh, it will prompt for the passphrase and it will succeed.

 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.
helloV
  • Awesome, that worked! Thanks. Any ideas why my pem file from one region won't work on the other region? I asked around and it seems that it should work. I even selected "Use already existing pem file" and had to check the box saying yes I have the pem file. – LampShade Dec 02 '17 at 01:51
    The private keys are not shared between regions unless you uploaded the same corresponding public key in all regions. – helloV Dec 02 '17 at 01:55
  • Not shared between regions despite them giving me the option to select it? Maybe I missed some detail that said I needed to upload the public key. I assumed I didn't need to when they let me select it – LampShade Dec 02 '17 at 02:38
  • @LampShade what is giving you the option to select it? Are you in the AWS console? Keypairs are regional. If you're launching in us-west-1 and using the EC2 launch wizard in the AWS console, then you'll only see keypairs that are relevant to us-west-1. Likewise for other regions. – jarmod Dec 02 '17 at 17:17
  • I'll send you a screenshot if I get the chance, at the very end of setting up an EC2 instance it asks to create a new pem file or select an already existing one. Even on another region it gave me the option of selecting an already existing one (one that I created on another region). But then it didn't work... Which was odd. – LampShade Dec 07 '17 at 06:24
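An added example (not from the question or either answer) that shows why the accepted answer's `-p` works where the question's `-t rsa` did not: the fingerprint of the public half is identical before and after encryption, so it still matches what AWS registered on the instance, and the file gains the ENCRYPTED header. It assumes OpenSSH's ssh-keygen is installed; the key and passphrase are constructed inside the script, and the `-m PEM` flag and the `chmod 600` step are this example's own additions.

```shell
#!/bin/sh
# Added example, not from the question or answers. Assumes OpenSSH's
# ssh-keygen is installed; the key file and passphrase are constructed here.
set -eu

WORK="${TMPDIR:-/tmp}/pem-demo.$$"
mkdir -p "$WORK"
KEY="$WORK/demo_key.pem"

# Stand-in for the key AWS hands out: an unencrypted RSA key in traditional PEM.
make_unencrypted_key() {
    rm -f "$KEY" "$KEY.pub"    # fresh start (ssh-keygen would prompt to overwrite)
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$KEY"
    rm -f "$KEY.pub"           # AWS gives you only the private half
}

# SHA256 fingerprint of the public half derived from key $1 with passphrase $2.
fingerprint_of() {
    ssh-keygen -y -P "$2" -f "$1" > "$WORK/derived.pub"
    ssh-keygen -lf "$WORK/derived.pub" | awk '{print $2}'
}

# The accepted answer's fix: -p re-encrypts the SAME key in place, so the
# public half registered with the instance still matches. -m PEM keeps the
# traditional "Proc-Type: 4,ENCRYPTED" header the question shows; without
# it, current OpenSSH rewrites the file in its own OPENSSH PRIVATE KEY format.
add_passphrase() {
    ssh-keygen -q -p -m PEM -P '' -N "$2" -f "$1"
}

has_encrypted_header() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Whole flow; returns 0 only if the file is encrypted AND the fingerprint
# is unchanged, i.e. the key pair itself was not replaced.
demo() {
    pass='correct horse battery staple'    # constructed demo passphrase
    make_unencrypted_key
    before=$(fingerprint_of "$KEY" '')
    add_passphrase "$KEY" "$pass"
    has_encrypted_header "$KEY" || return 1
    after=$(fingerprint_of "$KEY" "$pass")
    chmod 600 "$KEY"    # ssh rejects a private key readable by other users
    [ "$before" = "$after" ] || return 1
    echo "ok: fingerprint $after unchanged, file now passphrase-protected"
}

demo
```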

You can install and use puttygen:

sudo apt install putty

And to generate your protected key, execute this:

puttygen KEY_PAIR_PRIVATE.pem -O private-openssh -o KEY_PAIR_PRIVATE.key -P

The -P option sets a new passphrase on the private key.

P.S.: You will probably need to set permissions on the key before using it, like this:

chmod 600 KEY_PAIR_PRIVATE.key    # ssh refuses a private key that other users can read

And finally you can access your AWS instance safely:

ssh -i KEY_PAIR_PRIVATE.key ubuntu@IP_EC2_INSTANCE_OR_HOSTNAME
cdvillagra