The AWS Management Console will generate an SSH key pair for you, but EC2 key pairs are a per-region resource, so a key created in the console exists only in the region where you created it. The more security-minded may also be uncomfortable with AWS generating the private half of the key pair they will be using: that private key is produced on Amazon's side and handed to you through the console.
Both issues are addressed by generating the key pair yourself, offline, and uploading only the public key. You still have to upload that public key once to every region in which you want to launch instances, but after that the same key works everywhere. From a security perspective, AWS never sees your private key, because only the public half is ever uploaded.
AWS SSH specification
Amazon accepts an uploaded public key in several formats, but the key must meet all of the following criteria to be accepted:
- It is an SSH-2 RSA key (DSA keys and SSH-1 keys are not supported; this was the only accepted type at the time of writing, and newer versions of the console additionally accept ED25519 keys for Linux instances)
- Only 1024, 2048 and 4096 bit key lengths are accepted (so a 3072-bit key, for example, is rejected; 1024 bits is accepted but far too weak to use today)
- The public key must be in OpenSSH public key format (the single-line "ssh-rsa AAAA..." form found in ~/.ssh/authorized_keys), Base64-encoded DER format, or the SSH public key file format defined in RFC 4716
Generating your own SSH key
Generating your own SSH key is very straightforward, especially on an Apple OS X machine or a Linux machine, as the tools to do so are already part of the operating system. On Windows it is slightly more complicated, as you have to download and install a tool capable of generating an SSH key; fortunately there is no cost to doing so.
Using Linux or OSX
On Linux or OS X, open a terminal and follow these steps (I always make 4096-bit SSH keys: that is the largest size AWS accepts, and modern computers generate and authenticate with keys this long without any noticeable delay):
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/coltoncat/.ssh/id_rsa): aws_ssh-key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in aws_ssh-key.
Your public key has been saved in aws_ssh-key.pub.
The key fingerprint is:
89:b6:55:6a:f4:52:bf:a0:8a:92:21:d0:27:53:9a:67 coltoncat@MacBookPro.local
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|         .       |
|    . +  . o     |
|. * E o * .      |
|. * o S o .      |
|. . . + o . . .  |
| . o . . .       |
| o . .           |
| .. .            |
+-----------------+
$
In this example, you are prompted for a name for your new private key. I named mine aws_ssh-key, and as the output shows, ssh-keygen automatically names the matching public key aws_ssh-key.pub; that .pub file is the one you will upload to AWS. Note that a bare name like this is written to the current directory, not to ~/.ssh, so either give a full path or move the files afterwards.
During this process you are also prompted for an optional passphrase for your private key. It is a very good idea to set one: the private key is then stored encrypted on disk, and you have to provide the passphrase each time you use it to SSH to an AWS instance. This protects you if someone else gains access to your computer, finds your private key and tries to use it to get into your EC2 instances. If typing the passphrase every time is a nuisance, ssh-add loads the decrypted key into ssh-agent for the length of your session, which is still far better than an unencrypted key on disk.
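Before uploading, it is worth checking that the .pub file actually meets the criteria above and knowing which fingerprint to expect in the console. The following is an added example written for this page, not code from the original post or from any AWS or OpenSSH tool: it decodes an OpenSSH public key line using only the Python standard library, checks the key type and length against the list above, and computes the three fingerprints you will meet. The MD5 of the SSH key blob is what older ssh-keygen printed (the 89:b6:... line in the session above), the SHA256 form is what current ssh-keygen prints, and the AWS console shows, for an imported key, the MD5 of the DER-encoded public key, which is a different value from both. The sample modulus is a constructed placeholder with the right shape, not a real RSA key.

```python
import base64
import hashlib
import struct

# What EC2 Import Key Pair accepts, per the criteria listed on this page.
AWS_KEY_TYPE = "ssh-rsa"
AWS_KEY_BITS = {1024, 2048, 4096}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Produce an authorized_keys-style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_field(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_public_key(line: str) -> dict:
    """Decode an OpenSSH public key line into type, exponent, modulus, bit length and raw blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    wire_type, off = _read_field(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type != "ssh-rsa":
        return {"type": key_type, "blob": blob}
    e_bytes, off = _read_field(blob, off)
    n_bytes, off = _read_field(blob, off)
    e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
    return {"type": key_type, "e": e, "n": n, "bits": n.bit_length(), "blob": blob}


def check_aws_acceptable(key: dict) -> list:
    """Return the reasons (empty list if none) EC2 Import Key Pair would reject this key."""
    problems = []
    if key["type"] != AWS_KEY_TYPE:
        problems.append(f"key type {key['type']} is not ssh-rsa")
    elif key["bits"] not in AWS_KEY_BITS:
        problems.append(f"{key['bits']}-bit RSA is not one of {sorted(AWS_KEY_BITS)}")
    return problems


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form only)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_spki_der(e: int, n: int) -> bytes:
    """SubjectPublicKeyInfo DER for an RSA key (what `openssl pkey -pubin -outform DER` emits)."""
    rsa_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
    alg = _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b""))
    pub = _der(0x30, _der_int(n) + _der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))  # BIT STRING with 0 unused bits


def _colon_hex(digest: bytes) -> str:
    return ":".join(f"{b:02x}" for b in digest)


def fingerprints(key: dict) -> dict:
    """ssh-keygen MD5 (old default), ssh-keygen SHA256 (current default), and the AWS console value."""
    blob = key["blob"]
    out = {
        "ssh_md5": _colon_hex(hashlib.md5(blob).digest()),
        "ssh_sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }
    if key["type"] == "ssh-rsa":
        # For imported keys AWS shows the MD5 of the DER-encoded public key, not of the SSH blob.
        out["aws_imported"] = _colon_hex(hashlib.md5(rsa_spki_der(key["e"], key["n"])).digest())
    return out


# Constructed placeholder values, NOT a real key: a 2048-bit odd number with the top bit set
# stands in for the modulus so the encoding and fingerprint paths can be exercised offline.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | (1 << 1000) | 1
SAMPLE_LINE = build_openssh_rsa_line(SAMPLE_E, SAMPLE_N, "coltoncat@MacBookPro.local")

if __name__ == "__main__":
    key = parse_openssh_public_key(SAMPLE_LINE)
    print(f"type={key['type']} bits={key['bits']} problems={check_aws_acceptable(key) or 'none'}")
    for name, fp in fingerprints(key).items():
        print(f"{name:13} {fp}")
```

To check your own file, pass the contents of aws_ssh-key.pub to parse_openssh_public_key. The aws_imported value is the one to compare against the console after importing; the same number can be produced on the command line with ssh-keygen -e -f aws_ssh-key.pub -m PKCS8 | openssl pkey -pubin -outform DER | openssl md5 -c, which is the check AWS documents for imported key pairs.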
If you are using Windows, you need to obtain a piece of software to generate your private and public SSH keys. By far the most commonly used, almost to the point of ubiquity, is PuTTY. Grab it from the PuTTY download page: to generate an SSH key you only need puttygen.exe, but you may as well download putty.exe too, as it is a good SSH client.
Once you have downloaded puttygen, run it, and you will be presented with the following screen:
On this screen, under the "Parameters" section at the bottom, make sure you have selected "SSH-2 RSA" (labelled simply "RSA" in newer versions of PuTTYgen) and set "Number of bits in generated key" to 4096. Then click "Generate", and you will be asked to move your mouse around the blank part of the window until the progress bar fills, to gather entropy. Eventually the key is generated and PuTTYgen presents you with the following screen:
Give the key a meaningful name in the "Key comment" field (I called mine aws_ssh-key), and be sure to set a passphrase for your private key. Save the private key with the "Save private key" button. This writes a file with a .ppk extension, which is the format PuTTY uses later when you connect to an instance over SSH.
As for the public key: it is displayed in the "Key" box at the top in OpenSSH single-line format, and you can copy it from there and paste it somewhere safe to import into AWS. Alternatively, "Save public key" writes it to a file in the RFC 4716 format, which AWS also accepts. Do not upload the .ppk file; it contains the private key.
Importing the key
Log in to the AWS Management Console, navigate to EC2, and choose "Key Pairs" under "Networking & Security" in the left menu. Click "Import Key Pair"; in the dialog you can either load the public key from the file you saved or give the key a name and paste the key into the "Public key contents" area.
You need to repeat this in every region in which you want to use the key. I simply did it for each AWS region; it only takes a few minutes, and the key is then ready whenever I need it in future. Because key pair names are per region, the same name can be reused everywhere.
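Doing the import by hand in every region is tedious and easy to get subtly wrong: the classic mistake is ending up with a key pair of the same name but different material in one region. The example below is added here and is not from the original post. It drives the EC2 API operations DescribeRegions, DescribeKeyPairs and ImportKeyPair through boto3 to push one public key to every enabled region, skipping regions where the name already exists and reporting the existing fingerprint so you can compare it with your own. It assumes boto3 is installed and that credentials with those three permissions are configured; the EC2 client is supplied through a factory function so the logic can also be exercised offline with a stand-in. The key name aws_ssh-key and the ~/.ssh path are assumptions.

```python
import os


def check_public_key_material(material: bytes) -> bytes:
    """Strip the .pub contents and make sure they look like an OpenSSH RSA public key line."""
    material = material.strip()
    if not material.startswith(b"ssh-rsa "):
        raise ValueError("public key material does not look like an OpenSSH RSA public key")
    if b"PRIVATE KEY" in material or material.startswith(b"PuTTY-User-Key-File"):
        raise ValueError("this is a private key file; upload the .pub file instead")
    return material


def load_public_key(path: str) -> bytes:
    """Read the .pub file produced by ssh-keygen (or the contents of PuTTYgen's 'Key' box)."""
    with open(path, "rb") as fh:
        return check_public_key_material(fh.read())


def all_regions(client_for) -> list:
    """Region names enabled for the account, from one DescribeRegions call (assumes us-east-1 is enabled)."""
    resp = client_for("us-east-1").describe_regions()
    return sorted(r["RegionName"] for r in resp["Regions"])


def import_key_everywhere(key_name: str, material: bytes, regions, client_for) -> dict:
    """Import the same public key under key_name in every region given.

    client_for(region) must return an object exposing the boto3 EC2 client methods used here.
    Returns {region: "imported:<fingerprint>" | "exists:<fingerprint>"}; a region that already
    has the name is left untouched, so you can compare its fingerprint with your own key.
    """
    results = {}
    for region in regions:
        ec2 = client_for(region)
        existing = {kp["KeyName"]: kp["KeyFingerprint"] for kp in ec2.describe_key_pairs()["KeyPairs"]}
        if key_name in existing:
            results[region] = f"exists:{existing[key_name]}"
            continue
        resp = ec2.import_key_pair(KeyName=key_name, PublicKeyMaterial=material)
        results[region] = f"imported:{resp['KeyFingerprint']}"
    return results


def boto3_client_for(region: str):
    """Real EC2 client; boto3 is imported lazily so the rest of the module works without it."""
    import boto3
    return boto3.client("ec2", region_name=region)


if __name__ == "__main__":
    # Assumed name and location; change to match the key you generated.
    pub = load_public_key(os.path.expanduser("~/.ssh/aws_ssh-key.pub"))
    regions = all_regions(boto3_client_for)
    for region, outcome in import_key_everywhere("aws_ssh-key", pub, regions, boto3_client_for).items():
        print(f"{region:15} {outcome}")
```

The fingerprint returned by ImportKeyPair is also what the console displays, so keep the script's output: if a later run reports exists: with a different fingerprint in some region, that region has a different key under the same name and you should rename or delete it before relying on it.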
Now you only need to guard your private key file: make a copy onto USB media and keep it safe, ideally still passphrase-protected, because it is the only way you will be able to log in to your instances. If you lose the key, regaining access to an instance means stopping it, detaching its root volume, attaching that volume to another instance and editing the authorized_keys file by hand, which means downtime and some risky file-system surgery. You have been warned.