Running CFDDFC with the AWS Console
SSH authentication
An AWS EC2 instance is accessed securely using SSH (Secure Shell) with public key authentication using a key pair. A key pair is two keys, stored as files, that are related to one another. One key is public, the other private. Anyone with the public key can encrypt data which can only be read by someone with the private key. As well as providing encryption, possession of the private key can also be used as proof of identity, i.e. authentication.
Each instance is associated with a key pair that controls access to it, selected during the launch process. The public key remains at AWS and is attached to the instance. The private key must be stored by the user to authenticate their access to the instance. The key pair uses RSA (Rivest–Shamir–Adleman) encryption in the general PEM (Privacy-Enhanced Email) format, so files typically carry a .pem extension, e.g. awskey.pem. Key pairs are associated with a specific EC2 region.
Generating a Key Pair in AWS
- Log in to the Amazon EC2 Console.
- Select the region in which you wish to launch an instance (see drop-down menu, top right of the panel).
- Select Key Pairs from the left menu.
- From the top right, click Create Key Pair.
- Under Name, enter awskey (or something similarly relevant).
- Click Create Key Pair at the bottom of the screen.
- The file awskey.pem is downloaded to your computer by your browser.
Key file permissions
The private key must be stored in a suitable location on the user’s computer. Since the private key file provides proof of identity, there are usually strict rules imposed on file permissions of the key.
Linux and macOS systems
Linux and macOS systems use UNIX-inspired file systems. SSH key files are generally stored in a “.ssh” directory in the user’s home directory. If the directory does not exist, the user can create it with the following command (if it already exists, the command returns a message to confirm):
mkdir ~/.ssh
It is recommended that only the user has permission to access that directory, which can be set by the command:
chmod 700 ~/.ssh
The file permission must be set to read for the user only. For a key file named awskey.pem in the .ssh directory, use the command:
chmod 400 ~/.ssh/awskey.pem
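The three commands above combined into one shell function, as an added example that is not part of the original instructions: it creates the directory, copies the key without leaving it readable by other users at any point, and checks the resulting modes. The function names (mode_of, is_private, install_key) and the optional second argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original instructions.

# Print a file's permission bits in octal. GNU stat (Linux) and BSD stat
# (macOS) take different options, so try one and fall back to the other.
mode_of() {
    [ -e "$1" ] || return 2
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if group and others have no access at all (mode & 077 == 0).
# ssh refuses a private key that fails this test as "too open".
is_private() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# install_key SRC [SSH_DIR]: copy SRC into SSH_DIR (default ~/.ssh) with the
# permissions given above, then verify them. Both names are hypothetical.
install_key() {
    src=$1
    ssh_dir=${2:-$HOME/.ssh}
    dest=$ssh_dir/$(basename "$src")
    [ -f "$src" ] || { echo "no such key file: $src" >&2; return 1; }

    # mkdir -p is silent if the directory already exists.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1

    # An earlier copy is read-only (400), so remove it before copying again.
    rm -f "$dest"

    # umask 077 in a subshell: the copy is never readable by group/others,
    # even for the moment between cp and chmod.
    ( umask 077; cp "$src" "$dest" ) && chmod 400 "$dest" || return 1

    is_private "$ssh_dir" && is_private "$dest"
}

# Run as a script: sh install_key.sh ~/Downloads/awskey.pem
if [ $# -gt 0 ]; then install_key "$@"; fi
```

The function returns non-zero if either the directory or the key ends up accessible to group or others, so it can also be used as a check before connecting.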
MS Windows systems
Windows 10 can follow the same instructions as above when using WSL (see above). On the Linux subsystem, follow the “mkdir ~/.ssh” and “chmod 700 ~/.ssh” commands to configure the ~/.ssh directory, then copy the key file into it with the following command (the example assumes the key file is stored in C:/Users/john):
cp /mnt/c/Users/john/awskey.pem ~/.ssh/
Otherwise, ssh can be run from the cmd Command Line. The key file is then stored on the Windows NTFS (New Technology File System), which uses more complex access control lists (ACLs) and the Active Directory service. The permissions of the key file must be user-only, which can be checked using the Windows file browser. They can be set using icacls in cmd as follows: for user name “john” with a key file awskey.pem stored in the home directory C:/Users/john on the C: drive, enter the commands, in order:
icacls C:/Users/john/awskey.pem /inheritance:r /deny "*S-1-1-0:f"
icacls C:/Users/john/awskey.pem /inheritance:r /grant:r john:f
Remember to replace the user name john and the path and key file name awskey.pem to suit your circumstances. When using ssh on the Windows Subsystem for Linux, it is logical to copy the key file from the Windows filing system to a ~/.ssh directory on the Linux file system. From the terminal within the Linux subsystem, follow the “mkdir ~/.ssh” and “chmod 700 ~/.ssh” commands above to configure the ~/.ssh directory, then copy the key file into it with the following command (using the file location example above):
cp /mnt/c/Users/john/awskey.pem ~/.ssh/
Further Information
See Creating Your Key Pair Using Amazon EC2 and Connect to your Linux instance from Windows using WSL.