AWS EC2 key pairs and Linux instances

Amazon EC2 uses public key cryptography to authenticate you to your instances. A key pair consists of a public key, which EC2 places on the instance, and a private key, which only you hold. When you connect over SSH, the private key never leaves your machine: the SSH client uses it to sign a challenge from the server, and the server verifies that signature against the public key in the instance's authorized_keys file. This lets you securely access your instances with a private key instead of a password.

The keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys. You can have up to 5,000 key pairs per Region. Amazon EC2 stores the public key only; you store the private key. Anyone who possesses your private key can log in to every instance that carries the matching public key, so it's important that you store your private keys in a secure place and never commit them to source control or copy them onto shared hosts.

Because Amazon EC2 doesn't keep a copy of your private key, there is no way to recover a private key if you lose it. However, there can still be a way to connect to instances that use a lost key pair. For more information, see Connecting to your Linux instance if you lose your private key. When you launch an instance, you are prompted for the name of a key pair. For more information, see Step 7: Review Instance Launch and Select Key Pair. If you plan to connect to the instance using SSH, you must specify a key pair. At boot time, the public key content is placed on your Linux instance in an entry within ~/.ssh/authorized_keys. When you connect to your Linux instance using SSH, you must specify the private key that corresponds to the public key content to log in. For more information about connecting to your instance, see Connect to your Linux instance.

To create your key pair

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under NETWORK & SECURITY, choose Key Pairs.

3. Choose Create key pair.

4. For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can't include leading or trailing spaces.

5. For File format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with PuTTY, choose ppk.

6. Choose Create key pair.

7. The private key file is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is determined by the file format you chose. Save the private key file in a safe place.

Important

This is the only chance for you to save the private key file.

8. If you will use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

chmod 400 my-key-pair.pem

If you do not set these permissions, then you cannot connect to your instance using this key pair. For more information, see Error: Unprotected private key file.
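The same procedure from the AWS CLI, as an added example that is not part of the AWS page: create_key_pair calls ec2:CreateKeyPair, writes the PEM private key to disk with owner-only permissions from the moment the file is created, and derives the public key line that EC2 will place in ~/.ssh/authorized_keys at boot, so you can later confirm which key a given instance trusts. check_key_perms reproduces the ownership and mode test that makes OpenSSH refuse a key with the "Unprotected private key file" error. It assumes the aws CLI is installed and has credentials allowed to call ec2:CreateKeyPair, that ssh-keygen is on PATH, and that the key name passed as the first argument is your own choice (my-key-pair is used only as an illustration).

```shell
#!/bin/sh
# Added example (not from the AWS documentation): CLI equivalent of the
# console key-pair procedure, plus the private-key permission check that
# OpenSSH performs before it will use a key file.
# Assumptions: aws CLI configured with ec2:CreateKeyPair permission,
# ssh-keygen available, key name supplied by the caller.
set -eu

# Return 0 if FILE is owned by the current user and readable by the owner
# only (mode 400 or 600); otherwise print why and return 1. This is the
# condition OpenSSH enforces: group- or world-readable private keys are
# ignored with "WARNING: UNPROTECTED PRIVATE KEY FILE!".
check_key_perms() {
    file=$1
    # `ls -ldn` is POSIX; column 1 is the mode string, column 3 the numeric uid.
    mode=$(ls -ldn "$file" | cut -c1-10)
    owner=$(ls -ldn "$file" | awk '{print $3}')
    case "$mode" in
        -r--------|-rw-------) ;;
        *) echo "bad permissions on $file: $mode (want 400)" >&2; return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "$file is owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# Create the key pair through the API and save the private key the way the
# console download does. The PEM text is the only copy EC2 will ever give
# you; EC2 keeps just the public half.
create_key_pair() {
    name=$1
    # Create the file under umask 077 so it is never group/world-readable,
    # not even between redirection and chmod. Subshell keeps umask local.
    (
        umask 077
        aws ec2 create-key-pair --key-name "$name" --key-format pem \
            --query 'KeyMaterial' --output text > "$name.pem"
    )
    chmod 400 "$name.pem"
    check_key_perms "$name.pem"
    # Public key line exactly as it will appear in ~/.ssh/authorized_keys on
    # instances launched with this key pair. Keep it for later comparison.
    ssh-keygen -y -f "$name.pem" > "$name.pub"
    echo "private key: $name.pem (mode 400)"
    echo "public key:  $name.pub"
}

# Usage: sh make-key-pair.sh my-key-pair
if [ "$#" -ge 1 ]; then
    create_key_pair "$1"
fi
```

To check which key an existing instance accepts, compare the contents of the generated .pub file with the line in ~/.ssh/authorized_keys on the instance; if you have several downloaded .pem files and no longer know which belongs to which instance, running ssh-keygen -y -f on each and matching the output against authorized_keys resolves it without any guessing at SSH time.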

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair