This document describes AWS key pair creation and validation from the command line.
- This creates the key pair and writes the private key as a PEM file that will allow you to ssh into an EC2 instance.
aws ec2 create-key-pair --key-name test-key \
--region ap-southeast-2 --profile sydney-profile \
--query 'KeyMaterial' --output text > test-key.pem
- This command writes the full JSON response to a file. The "KeyMaterial" field in it holds the private key in unencrypted, PEM-encoded PKCS#1 format, but the file itself cannot be used directly to ssh into an EC2 instance. You will have to extract the key material as explained below.
aws ec2 create-key-pair --key-name test-key \
--region ap-southeast-2 --profile sydney-profile \
> test-key.pkcs
less test-key.pkcs
{
"KeyFingerprint": "d1:41:9d:bc:77:e4:6f:7c:ac:96:e8:9a:51:ff:6e:0f:6f:0c:5a:94",
"KeyMaterial": "-----BEGIN RSA PRIVATE KEY-----
...............
-----END RSA PRIVATE KEY-----",
"KeyName": "test-key",
"KeyPairId": "key-02b347326d6c7ae29"
}
- This is one way you can extract the "KeyMaterial" field (the PKCS#1 private key) from that JSON into the PEM file ssh needs.
cat test-key.pkcs | jq -r ".KeyMaterial" > test-key.pem
- You can import an existing key into multiple accounts/regions.
ssh-keygen -P "" -t rsa -b 4096 -m pem -C "[email protected]" -f test-import-key
ls -alt test-import*
-rw-r--r-- 1 aazpszz MMM\Domain Users 748 May 25 11:48 test-import-key.pub
-rw------- 1 aazpszz MMM\Domain Users 3243 May 25 11:48 test-import-key
mv test-import-key test-import-key.pem
chmod 400 test-import-key*
ls -alt test-import*
-r-------- 1 aazpszz MMM\Domain Users 743 May 25 11:57 test-import-key.pub
-r-------- 1 aazpszz MMM\Domain Users 3243 May 25 11:57 test-import-key.pem
aws ec2 import-key-pair \
--region ap-southeast-2 --profile sydney-profile \
--key-name "test-import-key" --public-key-material fileb://./test-import-key.pub
{
"KeyFingerprint": "27:96:f7:28:e9:66:4f:f8:64:bb:d6:2b:0c:1f:c9:21",
"KeyName": "test-import-key",
"KeyPairId": "key-0e9586ece18927c29"
}
- This command lists the key metadata stored in AWS, including the fingerprint you can use to verify your local private key.
# Created by AWS
aws ec2 describe-key-pairs --key-name test-key \
--region ap-southeast-2 --profile sydney-profile
{
"KeyPairs": [
{
"KeyPairId": "key-02b347326d6c7ae29",
"KeyFingerprint": "d1:41:9d:bc:77:e4:6f:7c:ac:96:e8:9a:51:ff:6e:0f:6f:0c:5a:94",
"KeyName": "test-key",
"Tags": []
}
]
}
# Imported into AWS
aws ec2 describe-key-pairs --key-name test-import-key \
--region ap-southeast-2 --profile sydney-profile
{
"KeyPairs": [
{
"KeyPairId": "key-0dbad55b30e854e22",
"KeyFingerprint": "27:96:f7:28:e9:66:4f:f8:64:bb:d6:2b:0c:1f:c9:21",
"KeyName": "test-import-key",
"Tags": []
}
]
}
- This is how you can verify that your private key matches the fingerprint from "describe-key-pairs" or the console. For a key created in the console or via the create-key-pair command, AWS derives the fingerprint from the private key (SHA-1 over the DER-encoded PKCS#8 form). For an imported key, AWS derives the fingerprint from the imported public key (MD5 over the DER-encoded public key).
# Fingerprint for Private key created via console or create keypair CLI
openssl pkcs8 -in test-key.pem -nocrypt -topk8 -outform DER | openssl sha1 -c
d1:41:9d:bc:77:e4:6f:7c:ac:96:e8:9a:51:ff:6e:0f:6f:0c:5a:94
# Fingerprint for Public key imported into AWS
openssl rsa -in test-import-key.pem -pubout -outform DER | openssl md5 -c
writing RSA key
27:96:f7:28:e9:66:4f:f8:64:bb:d6:2b:0c:1f:c9:21
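The two fingerprint checks above, together with the earlier `jq -r .KeyMaterial` extraction step, re-implemented in Python with only the standard library. This is an added example, not part of the original notes: it rebuilds the same DER structures the two openssl pipelines hash (PKCS#8 PrivateKeyInfo for an AWS-created key, SubjectPublicKeyInfo for an imported key) so a downloaded or SSM-retrieved .pem can be checked against "describe-key-pairs" on a machine without openssl. The toy RSA key and the create-key-pair response it checks are constructed for the example, and all function names are my own.

```python
"""Re-derive EC2 key pair fingerprints from a PEM private key using only the stdlib."""
import base64
import hashlib
import json
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def der_len(n):
    """DER length octets: short form below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    """DER INTEGER is two's complement, so prepend 0x00 when the top bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element) for the element at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def rsa_algorithm_identifier():
    return der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")  # SEQUENCE { OID, NULL }

def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap RSAPrivateKey in PrivateKeyInfo, as `openssl pkcs8 -topk8 -nocrypt` does."""
    return der_tlv(0x30, der_int(0) + rsa_algorithm_identifier() + der_tlv(0x04, pkcs1_der))

def rsa_public_numbers(pkcs1_der):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, ... }; return (n, e)."""
    _, seq, _ = read_tlv(pkcs1_der)
    pos, ints = 0, []
    while len(ints) < 3:
        _, body, pos = read_tlv(seq, pos)
        ints.append(int.from_bytes(body, "big"))
    return ints[1], ints[2]

def pkcs1_to_spki(pkcs1_der):
    """Build SubjectPublicKeyInfo, as `openssl rsa -pubout -outform DER` does."""
    n, e = rsa_public_numbers(pkcs1_der)
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, rsa_algorithm_identifier() + der_tlv(0x03, b"\x00" + rsa_public_key))

def colon_hex(digest):
    return ":".join("%02x" % b for b in digest)

def fingerprint_created(pem):
    """What describe-key-pairs shows for a key pair that AWS generated (SHA-1 of PKCS#8)."""
    return colon_hex(hashlib.sha1(pkcs1_to_pkcs8(pem_to_der(pem))).digest())

def fingerprint_imported(pem):
    """What describe-key-pairs shows for a key pair whose public half was imported (MD5 of SPKI)."""
    return colon_hex(hashlib.md5(pkcs1_to_spki(pem_to_der(pem))).digest())

def check_create_key_pair_response(response_json):
    """Take the JSON printed by `aws ec2 create-key-pair`, pull out KeyMaterial (the
    `jq -r .KeyMaterial` step) and compare its fingerprint with the KeyFingerprint field.
    Returns (pem, computed_fingerprint, matches)."""
    doc = json.loads(response_json)
    pem = doc["KeyMaterial"]
    computed = fingerprint_created(pem)
    return pem, computed, computed == doc["KeyFingerprint"].strip().lower()

# Constructed toy key (textbook n = 61 * 53, far too small for real use) so this runs offline.
TOY_PKCS1 = der_tlv(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PEM = der_to_pem(TOY_PKCS1, "RSA PRIVATE KEY")
# Constructed stand-in for a create-key-pair response; the KeyPairId is a placeholder.
SAMPLE_RESPONSE = json.dumps({"KeyFingerprint": fingerprint_created(TOY_PEM),
                              "KeyMaterial": TOY_PEM, "KeyName": "test-key",
                              "KeyPairId": "key-EXAMPLE"}, indent=2)

if __name__ == "__main__":
    pem, computed, ok = check_create_key_pair_response(SAMPLE_RESPONSE)
    print("created-style :", computed, "match" if ok else "MISMATCH")
    print("imported-style:", fingerprint_imported(pem))
```

Against a real key, call `fingerprint_created(open("test-key.pem").read())` and compare with the KeyFingerprint from describe-key-pairs; for a key pair you imported use `fingerprint_imported` instead. The stand-in response only matches because its KeyFingerprint was computed from the toy key; on a real response a mismatch means the .pem on disk is not the key AWS has on record under that name.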
- Storing Key in SSM
This is a great way to keep track of your private keys, especially if you are creating a lot of accounts.
You do need to consider who would have access to the SSM parameter. Of course this can be protected by a KMS key only available to a limited set of users.
# Check fingerprint
openssl pkcs8 -in test-key.pem -nocrypt -topk8 -outform DER | openssl sha1 -c
d1:41:9d:bc:77:e4:6f:7c:ac:96:e8:9a:51:ff:6e:0f:6f:0c:5a:94
aws ssm put-parameter \
--region ap-southeast-2 --profile sydney-profile \
--name "/ec2/private_key/test-key" \
--type "SecureString" \
--value "$(cat test-key.pem)"
- Getting private key from SSM and generating public key
aws ssm get-parameter \
--region ap-southeast-2 --profile sydney-profile \
--name "/ec2/private_key/test-key" \
--with-decryption \
--output text --query Parameter.Value >test-key.pem
chmod 400 test-key*
ssh-keygen -y -f test-key.pem > test-key.pub
chmod 400 test-key*
# Check fingerprint
openssl pkcs8 -in test-key.pem -nocrypt -topk8 -outform DER | openssl sha1 -c
d1:41:9d:bc:77:e4:6f:7c:ac:96:e8:9a:51:ff:6e:0f:6f:0c:5a:94
- Deleting the key pairs
aws ec2 delete-key-pair --key-name test-import-key \
--region ap-southeast-2 --profile sydney-profile
aws ec2 delete-key-pair --key-name test-key \
--region ap-southeast-2 --profile sydney-profile
- If you lose the private key
Option 1) Retrieve from backup. Maybe you have a backup of the systems used to store the keys, like "Time Machine/Reflect".
Option 2) Recreate Instances with new key
If you have the template used to create the Instances/ASG, it should be fairly easy to:
- Create a new key
- Update the CFN/Launch Config/ASG to point to the new key
- Re-create the instances
Option 3) Several other options provided by AWS
How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?
thanks!