How to Add Your EC2 PEM File to Your SSH Keychain

How-To Geek

By Anthony Heddings

Published Apr 1, 2020

When you create a new instance in EC2, you'll be given a PEM file that acts as your access key.

Quick Links

How To Use Your PEM File

Store SSH Keys In macOS Keychain

Replace id_rsa With Your New Key

When you create a new instance in EC2, you'll be given a PEM file that acts as your access key. You'll have to use this to SSH into the server, so you'll want to add it to your keychain for easy access.

How To Use Your PEM File

You can use PEM files manually by adding the

-i

flag to ssh:

ssh -i keyfile.pem user@host

This is unwieldy to type every time, so there are a few ways to fix this.

The simplest method would be to add your own public keys to your EC2 instance, and ignore the PEM file for all future logins. Your public key is usually stored in ~/.ssh/id_rsa.pub, so you'll want to copy that into the ~/.ssh/authorized_keys file on the server. If you're a one man team simply running one server, and don't mind doing this each time, this is all you have to do.

However, you'll have to go through this process each time you create a new instance. But with PEM files, you can reuse them between instances. Also, they're independent of your personal private keys, so you can give them to other people who need ssh access.

The ssh-add command will store a key in your SSH agent until you log out:

ssh-add ~/keyfile.pem

However, you'll need to run this on every reboot, so it's not ideal. You can add this to your ~/.bashrc or ~/.bash_profile to run every time you boot up the terminal, which solves the issue. Make sure to redirect output to /dev/null to silence the command, or you'll see "Identity Added" every time you open the terminal.

ssh-add ~/keyfile.pem >/dev/null 2>&1

Store SSH Keys In macOS Keychain

If you're on macOS, you can store additional SSH keys in the macOS Keychain. Open up ~/.ssh/config and add the following lines:

Host *

UseKeychain yes

You can now add keys with

ssh-add -K ~/keyfile.pem

The keys will be stored in the keychain and persist across reboots. They will be automatically loaded just like ~/id_rsa.

Replace id_rsa With Your New Key

While this option does work, it's not really something we recommend. But, if for some reason you really want your AWS private key to be your new personal private key, you can replace id_rsa with the PEM file from AWS. id_rsa is loaded by default, so you'll default to using this key for everything.

Make absolutely certain you aren't using your current private key for anything (SSH to other servers, GitHub, etc). Even if you think you aren't, you should back up your current SSH keys before proceeding:

mv ~/.ssh/id_rsa ~/.ssh/id_rsa_old
        
            mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa_old.pub

The AWS PEM file needs to be converted to PKCS8 format to be used as a private key. You can do this with OpenSSL:

openssl pkey < keyfile.pem > keyfile.pkcs8

Then, you'll need to generate the corresponding public key, again using OpenSSL

openssl rsa -in keyfile.pkcs8 -pubout > keyfile.pub

Then, making sure you've backed up your old id_rsa, you can replace them with your new ones:

mv keyfile.pkcs8 ~/.ssh/id_rsa

mv keyfile.pub ~/.ssh/id_rsa.pub