How to Add Your EC2 PEM File to Your SSH Keychain
When you create a new instance in EC2, you’ll be given a PEM file that acts as your access key. You’ll have to use this to SSH into the server, so you’ll want to add it to your keychain for easy access.
How To Use Your PEM File
You can use PEM files manually by adding the
-i flag to ssh:
ssh -i keyfile.pem user@host
This is unwieldy to type every time, so there are a few ways to fix this.
The simplest method would be to add your own public keys to your EC2 instance, and ignore the PEM file for all future logins. Your public key is usually stored in
~/.ssh/id_rsa.pub, so you’ll want to copy that into the
~/.ssh/authorized_keys file on the server. If you’re a one man team simply running one server, and don’t mind doing this each time, this is all you have to do.
However, you’ll have to go through this process each time you create a new instance. But with PEM files, you can reuse them between instances. Also, they’re independent of your personal private keys, so you can give them to other people who need ssh access.
ssh-add command will store a key in your SSH agent until you log out:
However, you’ll need to run this on every reboot, so it’s not ideal. You can add this to your
~/.bash_profile to run every time you boot up the terminal, which solves the issue. Make sure to redirect output to
/dev/null to silence the command, or you’ll see “Identity Added” every time you open the terminal.
ssh-add ~/keyfile.pem >/dev/null 2>&1
Store SSH Keys In macOS Keychain
If you’re on macOS, you can store additional SSH keys in the macOS Keychain. Open up
~/.ssh/config and add the following lines:
Host * UseKeychain yes
You can now add keys with
ssh-add -K ~/keyfile.pem
The keys will be stored in the keychain and persist across reboots. They will be automatically loaded just like
Replace id_rsa With Your New Key
While this option does work, it’s not really something we recommend. But, if for some reason you really want your AWS private key to be your new personal private key, you can replace
id_rsa with the PEM file from AWS.
id_rsa is loaded by default, so you’ll default to using this key for everything.
Make absolutely certain you aren’t using your current private key for anything (SSH to other servers, GitHub, etc). Even if you think you aren’t, you should back up your current SSH keys before proceeding:
mv ~/.ssh/id_rsa ~/.ssh/id_rsa_old mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa_old.pub
The AWS PEM file needs to be converted to PKCS8 format to be used as a private key. You can do this with OpenSSL:
openssl pkey < keyfile.pem > keyfile.pkcs8
Then, you’ll need to generate the corresponding public key, again using OpenSSL
openssl rsa -in keyfile.pkcs8 -pubout > keyfile.pub
Then, making sure you’ve backed up your old
id_rsa, you can replace them with your new ones:
mv keyfile.pkcs8 ~/.ssh/id_rsa mv keyfile.pub ~/.ssh/id_rsa.pub