Changing Key Pair Of Existing EC2 Instance

What Is Key Pair?

A key pair is the combination of a public key and a private key.

Amazon EC2 instances use public key cryptography to encrypt and decrypt login information.

When you launch an EC2 instance, you will be asked to create a key pair or use an existing one. The public key is stored on the EC2 instance in the user's home directory at ~/.ssh/authorized_keys, and the corresponding private key (.pem file) is downloaded to the local machine.

This way, you can securely log in to the EC2 instance without using a password. We have also talked about securing EC2 instances (Ubuntu) by adding a layer of security in Setting up MFA for SSH on Ubuntu.

In this article, we will learn how to create a new key pair, disable the old key pair, and log in to EC2 instances using the new key pair.

Creating A New Key Pair

To create a new key pair, log in to the EC2 console.

Under Network & Security, choose Key Pairs. You will see the following page.

You can see the existing key pairs, which you created while launching your EC2 instances.

Click Create key pair.

Give the key pair a name and choose the file format.

If your local machine is Linux based, you can choose pem.

If your local machine is Windows, choose ppk.

Finally, click Create key pair. You will be asked to download the key pair.

Now we have created a new key pair and downloaded it to the local machine.

Generate Public Key From Private Key

We have the private key (.pem) on our local machine. We need to derive the public key from that private key so that we can add the public key to the EC2 instance and SSH into the instance using this new pem file.

To generate the public key, execute the command below:

ssh-keygen -y

It will ask for the .pem file. Provide the correct path of the .pem file.

When you run this for the first time, it will throw an error like the one below:

Enter file in which the key is (/home/rahulk/.ssh/id_rsa): newtest.pem
Permissions 0664 for 'newtest.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "newtest.pem": bad permissions

This is because the permissions of the .pem file are not set properly. Let's set the permissions for the .pem file and re-run the command.

Use the command below to set the permissions for the .pem file:

chmod 400 newtest.pem

Now if you re-run the "ssh-keygen -y" command, you will get the public key:

Enter file in which the key is (/home/rahulk/.ssh/id_rsa): newtest.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMYzfApMhaIjMTDeLd9alfURqiDbPOrinsjg4ATX70du09DRIw2e6nKkF7NKtkghK3JEt/0sSE9BgGKVK9VbnbMjNo7Z7VOCunzMJJEWeWnQOFPCaj2opknt/P/tY/+yT/Uupqe6i8mcp+dc0EBcqUA5RLzv2+IiaTTHyStT+iwhLVwpkGvFtp3zs2HMRQDLWp5yyH0x+6uRLeVp3uXKQa/d6TqkynVPessQomHNWnxEqocQgKFZJTUyCieEYitAgZfgIaPdoilrE0KDTiNo2n46aY6+nYsHa1q82KUD3AlWRZzZtWGfd3pBc4G1wGCg77SFVbeuhPVEMBgs5jkrr3

Adding The Generated Public Key To ~/.ssh/authorized_keys

Log in to the EC2 instance using the old pem file and go to the user's home directory. If it is an Ubuntu EC2 instance, go to /home/ubuntu/

Open the .ssh/authorized_keys file, add the public key which we generated, then save and close the file.

Login To EC2 Instance Using New Key Pair

We can use the command below to log in to the EC2 instance using the new key pair:

ssh -i newtest.pem ubuntu@

In the above example, make sure you are in the directory that contains the .pem file. Change the username and IP address based on your instance configuration.

You can now log in using the new key pair.

Once you have verified this, remove the public key of the old key pair from the EC2 instance.
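The add, verify and remove steps above can be scripted so that the key is not added twice and the last remaining key is never deleted by mistake. The helper below is an added example, not part of the original article; the function names are hypothetical and the key strings in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example: idempotent add and guarded remove for an authorized_keys file.
# Keys are compared by "type base64-blob" (fields 1-2); the trailing comment is ignored.
# Assumption: plain entries with no options prefix (no from="..." before the key type).

key_id() {      # print "type blob" of a public key line
    printf '%s\n' "$1" | awk '{print $1 " " $2}'
}

has_key() {     # has_key FILE "PUBKEY LINE" -> exit status 0 if the key is present
    [ -f "$1" ] || return 1
    awk -v id="$(key_id "$2")" '($1 " " $2) == id {found=1} END {exit !found}' "$1"
}

add_key() {     # add_key FILE "PUBKEY LINE"
    file=$1
    mkdir -p "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"                    # sshd expects the file not to be writable by others
    has_key "$file" "$2" && return 0     # already present, nothing to do
    printf '%s\n' "$2" >> "$file"
}

remove_key() {  # remove_key FILE "PUBKEY LINE"; refuses to remove the last key
    file=$1
    has_key "$file" "$2" || return 0
    tmp="$file.tmp.$$"
    awk -v id="$(key_id "$2")" '($1 " " $2) != id' "$file" > "$tmp"
    if ! grep -q '^[^#[:space:]]' "$tmp"; then
        rm -f "$tmp"
        echo "refusing: no key would remain in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"            # keep a copy of the previous state
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# Usage on the instance (placeholder key text):
#   add_key ~/.ssh/authorized_keys "ssh-rsa <new-public-key> newtest"
#   ...confirm login with the new .pem from a second terminal, then:
#   remove_key ~/.ssh/authorized_keys "ssh-rsa <old-public-key> oldkey"
```

Keep the session opened with the old key running until the login with the new key has succeeded.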


We have learnt how to change the key pair of an existing EC2 instance. Thanks for reading this article.

Please do check out my other publications.