What is a "Key Pair"? Why do we need one and how do we create one?

This article was published more than a year ago. The information may be out of date, so please take care.

Hi everyone, I'm Nghi. I am going to start my series of blogs about technologies and especially about AWS from now on. So please support me!

In this very first blog, I want to write about Key Pairs because, while creating an EC2 Instance, I had some trouble with them, which encouraged me to research the reasons and the method to solve the problem. That made me want to write about it so I can share my own experience. Let's start!!

1. What is "Key Pair"?

First of all, let's find out the meaning and the function of "Key Pairs" when creating an Instance. In this case, I will use an Amazon EC2 Instance.

Amazon implemented public key-based technology to encrypt and decrypt information. To do that, it uses a pair of keys: a Public key and a Private key. The client keeps the Private key and uses it to decrypt the data that the server has encrypted.

To be able to log in to an EC2 Instance, you must create a "Key Pair" and specify the name of that "Key Pair". Then you will use the Private Key to connect to that EC2 Instance.

In this case, we see that using a private key instead of a password ensures a higher security level for your Linux EC2 Instance.

2. Directory:

On a Linux EC2 Instance, the public key is located at ~/.ssh/authorized_keys. This ensures that users with the corresponding private key have access to the instance.

On your local computer, you specify the location of the key when connecting to the EC2 Instance.

3. How to create Amazon EC2 Key Pairs:

I will talk about all 3 ways, depending on whether you already have your own key pair, for the last step of creating an EC2 Instance.

We have 3 choices:

  • Choose an existing key pair
  • Create a new key pair
  • Proceed without a key pair: If you choose this one, you can create a key pair later. Don't worry, I made a mistake with this step, too.

Usually, we will choose to create a new key pair for the very first time launching an EC2 Instance.

a) Create a new key pair: This is the easiest way to create a new key pair that will be used to connect to your EC2 Instance. After filling in the Key pair name field, just download the Key pair and it will be saved to the "Download" folder on your computer; you can move it to another location later.

b) Choose an existing key pair: select a key pair from the list of key pairs shown below.

4. Two ways to "Create new key pair" if you choose "Proceed without a key pair"

You must have the key pair when connecting to your EC2 Instance, for security reasons. I will show you 2 ways to create one:

a) From the management console at https://console.aws.amazon.com/ec2/ : Create a new key pair

Step 1: Choose the Key Pairs option from the sidebar, under the Network & Security tab

Step 2: Choose the orange button named Create key pair at the top right

Step 3: Enter the key pair name and choose Create a key pair. We have 2 options for the file format (pem and ppk). This topic is also interesting and I will write another blog about it later! But soon!


b) From the management interface at https://console.aws.amazon.com/ec2/ : Import key pair

But before doing this, you must already have created SSH keys.

Using Amazon EC2 Instance Connect for SSH access to your EC2 Instances


5. How I solved my missing key pair problem:

In fact, this is also another method to recover the key pair of your EC2 Instance when you have lost it. There is an easier way to do it, but I wanted to challenge myself to discover more about EC2 Instances, so I did this test.

Once an instance has been started, there is no way to change the key pair associated with the instance at the metadata level, but you can change which ssh key you use to connect to the instance. So, if you want to change which ssh key you use to access that instance, you need to edit the authorized_keys file on the instance itself and replace the old public key with your new ssh public key. The authorized_keys file is in the .ssh subdirectory of the home directory of the user you are logging in as. In my case, it was under "/home/ec2-user/.ssh/authorized_keys".

Now my EC2 Instance has no key pair because I chose "Proceed without a key pair".

In fact, you can follow this link to replace the lost key pair of your EC2 Instance:

Amazon EC2 key pairs and Linux instances


Step 1: Stop the running EC2 Instance

Step 2: Detach its root volume

In the navigation pane, choose Volumes

Select the volume and choose Actions, then Detach Volume.

In the confirmation dialog box, choose Yes, Detach.

I named this detached volume "VULNERABLE VOLUME".

Step 3: Start a new EC2 Instance using your available key pair. But we need to pay attention to the Subnet ID, to make sure it has the same subnet ID as the existing one. I call this new EC2 Instance "Doctor".


Step 4: After launching the new EC2 Instance called "Doctor", which has the same Subnet ID as mentioned above, attach "Vulnerable volume" to "Doctor"

Step 5: SSH to "Doctor" and mount "Vulnerable volume" to /mnt/tmp

* /mnt/tmp is the directory where the "vulnerable volume" is mounted so it can be "cured" before being attached back to the "patient" EC2 Instance. You can name it whatever you want.

$ sudo mount /dev/sdf /mnt/tmp

Step 6: Copy ~/.ssh/authorized_keys to /mnt/tmp/home/ubuntu/.ssh/authorized_keys

=> Unmount it and log out

Step 7: Detach "Vulnerable volume" from "Doctor"

Step 8: Attach "Vulnerable Volume" back to the main EC2 Instance using the same root device name that the main EC2 Instance had before detaching, which in my case was:

Step 9: Start the "Patient" EC2 Instance

Step 10: Connect to the main EC2 Instance using the key pair

Use this command to check the registered key pair:
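Steps 5 and 6 as an added shell script (not code from the original post). It assumes hypothetical values: the volume appears as /dev/xvdf, the mount point is /mnt/tmp, the login user is ec2-user (Ubuntu AMIs use "ubuntu", as in Step 6), and the public key is ~/.ssh/id_rsa.pub. It reads the user's home directory and uid from the mounted volume's own /etc/passwd and sets the permissions sshd requires, which the steps above leave implicit.

```shell
#!/bin/sh
# Added example, not code from the original post: install an SSH public key
# into a user's authorized_keys on a root volume mounted on the rescue
# ("Doctor") instance. Values below are hypothetical placeholders.
set -eu

# install_pubkey ROOTFS USER PUBKEY_FILE
# Home dir and uid/gid come from the volume's own /etc/passwd, not from the
# rescue instance, so the files are owned correctly when the patient boots.
install_pubkey() {
    rootfs="$1"; user="$2"; pubkey="$3"
    entry=$(grep "^$user:" "$rootfs/etc/passwd") || {
        echo "user $user not found in $rootfs/etc/passwd" >&2; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)
    sshdir="$rootfs$home/.ssh"
    auth="$sshdir/authorized_keys"
    key=$(head -n 1 "$pubkey")
    mkdir -p "$sshdir"
    # keep a copy of the old file so the change can be reviewed or reverted
    [ -f "$auth" ] && cp "$auth" "$auth.bak"
    # append only if this exact key line is not already present
    grep -qxF "$key" "$auth" 2>/dev/null || echo "$key" >> "$auth"
    # sshd ignores authorized_keys that are group- or world-writable
    chmod 700 "$sshdir"
    chmod 600 "$auth"
    # ownership must match the uid on the volume; chown needs root (sudo)
    if [ "$(id -u)" -eq 0 ]; then chown -R "$uid:$gid" "$sshdir"; fi
}

# repair_volume DEVICE MOUNTPOINT USER PUBKEY_FILE: mount, fix, unmount
repair_volume() {
    mkdir -p "$2"
    mount "$1" "$2"
    install_pubkey "$2" "$3" "$4"
    umount "$2"
}

# The mount/unmount part runs only when asked, e.g.:
#   sudo REPAIR=1 DEVICE=/dev/xvdf LOGIN_USER=ec2-user sh repair_keys.sh
if [ "${REPAIR:-0}" = "1" ]; then
    lsblk   # the console's /dev/sdf may show up as /dev/xvdf or /dev/nvme1n1
    repair_volume "${DEVICE:-/dev/xvdf}" "${MNT:-/mnt/tmp}" \
                  "${LOGIN_USER:-ec2-user}" "${PUBKEY:-$HOME/.ssh/id_rsa.pub}"
fi
```

Run it on the "Doctor" instance under sudo; the .bak copy of the old authorized_keys stays on the volume for review.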


I created a chart with draw.io to make the idea clear.

Thanks for your attention!


It took me a lot of time to research this theme and I discovered many new things about Amazon EC2. That's great, because I want to gain as much knowledge as possible in this field, and practicing is the best route to achieving satisfactory results.

Sure, this is not the most efficient method to solve the problem. There are other ways to solve it and I will write more about them!


Please support me, and let's acquire more knowledge together!