Amazon EC2: How to import Key Pairs

by Alexander Weiß

In the Amazon EC2 cloud you can log in to an instance only if you hold the matching private key. The Key Pair, which consists of one public and one private key, can be generated by Amazon for you when you launch an instance. But you can also import self-generated keys, and in certain circumstances self-generated Key Pairs are the better choice.

It is pretty convenient to let Amazon create the Key Pair for you when you launch an instance. But this approach has some security drawbacks. There are two major factors which can pose a threat to your security:

  1. If Amazon generates the Key Pair, they also generate the private key. In theory they could keep a copy of the private key and gain access to your instance. Amazon clearly states, though, that they don’t store it and that only the public key is kept with the Key Pair. But if you want to be really paranoid you have to decide not to rely on that statement. 😉
  2. If the Key Pair is created by Amazon, the private key has to find its way to your computer: it is downloaded once over a TLS-secured connection from the console. TLS is not infallible; attacks against the protocol and its deployments have been demonstrated in the past. If a very high security standard is one of your priorities you should avoid sending your private key over the internet at all. With a self-generated Key Pair only the public key ever leaves your machine.

There are two other points which might convince you to use self-generated Key Pairs:

  1. Key Pairs are a regional resource: a key Amazon generates exists only in the region where you created it. If you have to manage instances across several regions, it is a lot easier to import the same Key Pair into every region and use one key everywhere.
  2. You can use the self-generated key immediately with new EC2 instances. E.g. if you often use shell tools or if you have scripts, you can pass the same file to the -i option of ssh or scp regardless of which region the instance runs in.

How to generate Key Pairs

First you have to generate the Key Pair. Under Windows you can use PuTTYgen, which is part of the PuTTY distribution. It runs without a setup, so you can use it immediately. After you launch it, click the “Generate” button. But before you generate the key, make sure that the parameter “SSH-2 RSA” is selected and that the number of bits is at least 2048. “SSH-2 DSA” is not supported by AWS and “SSH-1 RSA” is obsolete and insecure.

During the generation of the Key Pair you have to move your mouse around the blank area a bit to supply randomness. After a few seconds you should see a screen like this:

Now fill in the “Key comment” field and enter a strong passphrase. The passphrase encrypts the private key on disk, so a stolen key file is useless without it. I really recommend writing something meaningful into the comment field. Over the years I have often stumbled upon key pairs without a meaningful comment, and in that case it is next to impossible to figure out what purpose the key had unless some documentation is available.

Now save the public and the private key file. Store the private key in a safe place and make a backup: if you lose it, you are locked out of your instances, and if somebody else gets hold of it, he gains unlimited access to your instances. The private key never needs to leave your machine; only the public key is uploaded to AWS.


How to import Key Pairs

To use your self-generated keys with Amazon EC2 instances you have to import the public key. This is easily done through the Amazon EC2 Management Console: open it and navigate to the “Key Pairs” section. The “Import Key Pair” button is prominently located in the action bar.

Click it and the following dialogue pops up:

Under “Load public key from file” choose the public key file you just saved. For the “Keypair Name” value choose something meaningful again; the name should remind you which purpose this key has. Key Pair names must be unique within a region.

Now you are ready to use your Key Pair. Just make sure you select it when launching an instance. Importing a Key Pair does not touch instances that are already running: to use the key with an existing instance, you have to append the public key in OpenSSH one-line format (PuTTYgen shows it in the box labelled “Public key for pasting into OpenSSH authorized_keys file”) to the ~/.ssh/authorized_keys file of the login user on that instance yourself.

If you prefer the EC2 API Tools, use the command ec2-import-keypair:

ec2-import-keypair --region "ec2 region" --public-key-file "your public key file" "name of the Key Pair"

If you want to import this Key Pair into all regions, you can write a small script around the ec2-describe-regions command.
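Such a loop, as an added example that is not from the original article: it uses the current AWS CLI (aws ec2 describe-regions and aws ec2 import-key-pair) instead of the EC2 API Tools mentioned above, which have since been deprecated. It assumes the AWS CLI is installed with credentials configured; the Key Pair name and public key path are passed as arguments, and the AWS_CMD variable is only an indirection so the loop can be dry-run against a stub command.

```shell
#!/bin/sh
# Import one public key into every EC2 region (added example, not the article's code).
# Assumes the AWS CLI is installed and credentials are configured.
# Usage: sh import-keypair-all-regions.sh <key-pair-name> <public-key-file>
set -eu

# AWS_CMD can be pointed at a stub for a dry run; defaults to the real CLI.
AWS_CMD="${AWS_CMD:-aws}"

# Regions the account has access to, as a whitespace-separated list.
list_regions() {
    "$AWS_CMD" ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Upload the public key into one region. fileb:// sends the file bytes unchanged,
# so both OpenSSH one-line and RFC 4716 (PuTTYgen) public key files work.
import_into_region() {
    region="$1"
    name="$2"
    pubkey="$3"
    "$AWS_CMD" ec2 import-key-pair --region "$region" --key-name "$name" \
        --public-key-material "fileb://$pubkey" >/dev/null
}

# Import into every region and print the number of successful imports.
# A failure in one region (typically: a Key Pair with that name already
# exists there) is reported on stderr and does not abort the remaining regions.
import_everywhere() {
    name="$1"
    pubkey="$2"
    ok=0
    for region in $(list_regions); do
        if import_into_region "$region" "$name" "$pubkey"; then
            ok=$((ok + 1))
        else
            echo "import into $region failed (name already in use?)" >&2
        fi
    done
    echo "$ok"
}

# Run the real import only when both arguments are given on the command line.
if [ $# -eq 2 ]; then
    import_everywhere "$1" "$2"
fi
```

Because the fingerprint AWS shows for an imported key is derived from the public key alone, aws ec2 describe-key-pairs --key-names with the chosen name must report the same fingerprint in every region after the run; a region with a different fingerprint already had an unrelated key under that name and was skipped by the loop.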

If you haven’t considered using self-generated keys so far, now would be a good time. In my opinion they have real benefits, and the cost of generating them is minimal because it takes almost no time.

