Reputation: 2775
I'd like to SSH into my EC2 instance with a password protected pem file. How do I password protect a pem file? I've done this in the past but can't remember how I did it. I took a pem file generated by AWS and ran some command on it and it generated something that looked like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<BlahBlahBlah>
<encrypted stuff is here>
-----END RSA PRIVATE KEY-----
Then when I SSH into the box, I'm specifying my password-protected pem file, and it asks me to enter the password before decrypting and SSHing in.
I found this: https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
Which tells me to use this command:
ssh-keygen -t rsa -N 'super secret passphrase' -f test_rsa_key
But the resulting encrypted file (that has the correct header I'm looking for) doesn't seem to work. I'm getting "Permission denied (publickey)." when I try to ssh using that encrypted pem file. I am able to SSH into the box with the unencrypted pem file.
Upvotes: 13
Views: 26948
Reputation: 122
You can install and use puttygen:
sudo apt install putty
And to generate your protected key, execute this:
puttygen KEY_PAIR_PRIVATE.pem -O private-openssh -o KEY_PAIR_PRIVATE.key -P
The -P option sets a new passphrase on the private key.
P.S.: You will probably need to set permissions to use the key, like this:
sudo chmod 600 KEY_PAIR_PRIVATE.key
And finally you can access your aws instance safely:
ssh -i KEY_PAIR_PRIVATE.key ubuntu@IP_EC2_INSTANCE_OR_HOSTNAME
Upvotes: 1
Reputation: 52423
It is because the command you are using generates a new key pair instead of protecting your existing private key.
Try using the -p option of ssh-keygen:
ssh-keygen -p -f my_private_key
It will prompt you for a passphrase and protect your private key.
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Now if you use my_private_key in ssh, it will prompt for the passphrase and it will succeed.
-p Requests changing the passphrase of a private key file instead of
creating a new private key. The program will prompt for the file
containing the private key, for the old passphrase, and twice for
the new passphrase.
Upvotes: 25
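The difference between the two commands can be checked by deriving the public key from each file and comparing it with the original. The script below is an added example, not part of the question or either answer; the file names and passphrase are constructed, and a freshly generated key stands in for the AWS pem.

```sh
#!/bin/sh
# Added example: does each ssh-keygen command keep the original key pair?

# Print "type base64" for the public key derived from private key $1,
# unlocking it with passphrase $2 (pass '' for an unencrypted key).
public_key() {
    ssh-keygen -y -P "$2" -f "$1" | awk '{print $1, $2}'
}

# Print "<label>: same key pair" or "<label>: different key pair".
verdict() {
    if [ "$2" = "$3" ]; then echo "$1: same key pair"
    else echo "$1: different key pair"; fi
}

compare_keys() {
    dir=$(mktemp -d) || return 1
    pass='example-passphrase'            # constructed sample value

    # Constructed stand-in for the unencrypted pem downloaded from AWS.
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$dir/aws.pem" >/dev/null || return 1
    original=$(public_key "$dir/aws.pem" '')

    # -p re-encrypts the existing private key in place.
    ssh-keygen -q -p -P '' -N "$pass" -f "$dir/aws.pem" >/dev/null || return 1
    verdict 'ssh-keygen -p' "$(public_key "$dir/aws.pem" "$pass")" "$original"

    # -t rsa -f writes a brand-new pair that authorized_keys has never seen.
    ssh-keygen -q -t rsa -b 2048 -N "$pass" -f "$dir/test_rsa_key" >/dev/null || return 1
    verdict 'ssh-keygen -t rsa' "$(public_key "$dir/test_rsa_key" "$pass")" "$original"

    # The protected file must no longer open without the passphrase.
    if ssh-keygen -y -P '' -f "$dir/aws.pem" >/dev/null 2>&1; then
        echo 'empty passphrase: accepted'
    else
        echo 'empty passphrase: rejected'
    fi
    rm -rf "$dir"
}

# Run the comparison when ssh-keygen is installed.
if command -v ssh-keygen >/dev/null 2>&1; then compare_keys; fi
```

Recent OpenSSH releases rewrite the file in the `BEGIN OPENSSH PRIVATE KEY` format when `-p` is used; adding `-m PEM` keeps the legacy header shown in the question.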