Password protect a pem file
I'd like to SSH into my EC2 instance with a password-protected pem file. How do I password protect a pem file? I've done this in the past but can't remember how I did it. I took a pem file generated by AWS and ran some command on it, and it generated something that looked like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<BlahBlahBlah>

<encrypted stuff is here>

-----END RSA PRIVATE KEY-----

Then when I SSH into the box, I'm specifying my password-protected pem file and it asks me to enter the password before decrypting and sshing in.

I found this: https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html

Which tells me to use this command

ssh-keygen -t rsa -N 'super secret passphrase' -f test_rsa_key

But the resulting encrypted file (which has the correct header I'm looking for) doesn't seem to work. I'm getting "Permission denied (publickey)." when I try to ssh using that encrypted pem file. I am able to SSH into the box with the unencrypted pem file.

Hello answered 1/12, 2017 at 18:37 Comment(0)

It is because the command you are using generates a new key pair instead of protecting your existing private key.

Try using the -p option of ssh-keygen:

ssh-keygen -p -f my_private_key

It will prompt you for a passphrase and protect your private key.

Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Now if you use my_private_key in ssh, it will prompt for the passphrase and it will succeed.

 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.
Domesday answered 2/12, 2017 at 1:24 Comment(5)
Awesome, that worked! Thanks. Any ideas why my pem file from one region won't work on the other region? I asked around and it seems that it should work. I even selected "Use already existing pem file" and had to check the box saying yes I have the pem file. – Hello
The private keys are not shared between regions unless you uploaded the same corresponding public key in all regions. – Domesday
Not shared between regions despite them giving me the option to select it? Maybe I missed some detail that said I needed to upload the public key. I assumed I didn't need to when they let me select it. – Hello
@Hello what is giving you the option to select it? Are you in the AWS console? Keypairs are regional. If you're launching in us-west-1 and using the EC2 launch wizard in the AWS console, then you'll only see keypairs that are relevant to us-west-1. Likewise for other regions. – Unlikelihood
I'll send you a screenshot if I get the chance, at the very end of setting up an EC2 instance it asks to create a new pem file or select an already existing one. Even on another region it gave me the option of selecting an already existing one (one that I created on another region). But then it didn't work... Which was odd. – Hello
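A small checker for telling the two states apart, added here as an example and not code from the question or the answer: it reads the legacy PEM headers the question shows ("Proc-Type: 4,ENCRYPTED" and "DEK-Info: <cipher>,<iv>", which ssh-keygen -p writes for a PEM key) and also the newer "-----BEGIN OPENSSH PRIVATE KEY-----" format that current ssh-keygen produces, where the cipher name is stored inside the base64 body and "none" means no passphrase. The sample inputs are constructed headers with placeholder bodies, not real key material.

```python
"""Report whether an SSH private key file is passphrase-protected.

Added example (not code from the thread). Two on-disk formats are handled:
  * legacy PEM ("-----BEGIN RSA PRIVATE KEY-----"), where an encrypted key
    carries "Proc-Type: 4,ENCRYPTED" and "DEK-Info: <cipher>,<iv>" headers;
  * OpenSSH native format ("-----BEGIN OPENSSH PRIVATE KEY-----"), where the
    base64 body starts with the magic "openssh-key-v1" + NUL followed by the
    cipher name and KDF name as length-prefixed strings ("none" = unprotected).
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def key_encryption(pem_text):
    """Return a dict with 'format', 'encrypted' and 'cipher' for a key file's text."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0][len("-----BEGIN "):-len("-----")]

    if label == "OPENSSH PRIVATE KEY":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _read_ssh_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(body, off)
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}

    # Legacy PEM: RFC 1421 "Name: value" headers sit between the BEGIN line and
    # the base64 body. Base64 never contains ':', so the first line without one
    # is the start of the body.
    headers = {}
    for line in lines[1:-1]:
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": "pem", "label": label, "encrypted": encrypted, "cipher": cipher}


def openssh_sample(cipher, kdf):
    """Constructed OpenSSH-format header (magic + cipher + KDF) in PEM armour.
    Only the fields key_encryption() reads are present; this is not a usable key."""
    def ssh_string(s):
        return struct.pack(">I", len(s)) + s
    body = OPENSSH_MAGIC + ssh_string(cipher.encode()) + ssh_string(kdf.encode())
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


# Constructed samples: headers as in the question, body is placeholder base64.
ENCRYPTED_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""

PLAIN_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in [("legacy encrypted", ENCRYPTED_LEGACY_PEM),
                       ("legacy plain", PLAIN_LEGACY_PEM),
                       ("openssh encrypted", openssh_sample("aes256-ctr", "bcrypt")),
                       ("openssh plain", openssh_sample("none", "none"))]:
        print(name, key_encryption(text))
```

Run it against a real key file by passing the file's contents to key_encryption(); an "encrypted": False result on a key you believed was protected is the state the accepted answer's ssh-keygen -p command fixes, and because -p only re-wraps the existing key, the public half registered in AWS stays valid.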

You can install and use puttygen:

sudo apt install putty

And to generate your key protected, execute this:

puttygen KEY_PAIR_PRIVATE.pem -O private-openssh -o KEY_PAIR_PRIVATE.key -P

The -P option sets a new passphrase on the private key.

P.S.: You will probably need to set permissions on the key, like this:

chmod 600 KEY_PAIR_PRIVATE.key

And finally you can access your AWS instance safely:

ssh -i KEY_PAIR_PRIVATE.key ubuntu@IP_EC2_INSTANCE_OR_HOSTNAME
Citarella answered 9/10, 2018 at 19:39 Comment(0)
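The file mode matters because OpenSSH checks it before using an identity file: for a key you own, any group or world permission bit makes ssh refuse the key with "Permissions 0755 for '<file>' are too open", and only a mode such as 0600 passes. The following added example (not the answer's own command) reproduces that check in Python and compares the two modes on a constructed placeholder key file.

```python
"""Check a private key file's mode the way OpenSSH does before accepting it.

Added example (not code from the thread). For an identity file owned by the
current user, ssh refuses it when any group/other bits are set (mode & 077),
printing "Permissions <mode> for '<file>' are too open". Owner-only modes
such as 0600 pass the check.
"""
import os
import stat
import tempfile


def key_mode_is_private(path):
    """True when no group/other permission bits are set (mode & 0o077 == 0),
    which is the condition OpenSSH's identity-file check requires."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def compare_modes():
    """Constructed demo: a placeholder key file set to 0755, then to 0600."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
        path = fh.name
    try:
        os.chmod(path, 0o755)            # group/world bits set: too open
        accepted_0755 = key_mode_is_private(path)
        os.chmod(path, 0o600)            # owner read/write only
        accepted_0600 = key_mode_is_private(path)
    finally:
        os.unlink(path)
    return {"0755": accepted_0755, "0600": accepted_0600}


if __name__ == "__main__":
    print(compare_modes())   # {'0755': False, '0600': True}
```

The same rule applies to the .pem file AWS hands out and to the .key file puttygen writes; a key that ssh rejects for this reason is reported in its error output before any authentication is attempted, which is distinct from the "Permission denied (publickey)" the question describes.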