How to Convert SSH id_rsa Private Key to PEM Format for AWS EC2 Windows Instance Password Decryption

When working with AWS EC2 Windows instances, you'll encounter a specific requirement: the need to decrypt the administrator password using a .pem file. This differs from Linux instances where you typically use SSH key pairs directly. The confusion arises when you've already generated standard OpenSSH keys (id_rsa and id_rsa.pub) but need the private key in PEM format.

The id_rsa file is typically in OpenSSH's own private key format (the default since OpenSSH 7.8), while AWS expects the private key in PEM (Privacy Enhanced Mail) encoding. Both contain the same RSA private key material, but they use different encodings and headers:

# Typical id_rsa format
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

# Required PEM format
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Here are three reliable ways to perform the conversion:

Method 1: Using OpenSSL (Recommended)

openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem

If your key is passphrase-protected, add the -passin pass:yourpassphrase parameter or you'll be prompted for it interactively; prefer the interactive prompt, because a passphrase given on the command line ends up in your shell history and is visible in the process list while OpenSSL runs. Two caveats: OpenSSL cannot read the "-----BEGIN OPENSSH PRIVATE KEY-----" format, so if that is what your id_rsa contains use Method 2 instead, and OpenSSL 3.x writes PKCS#8 ("-----BEGIN PRIVATE KEY-----") by default, so add -traditional if you need the "RSA PRIVATE KEY" header shown above.

Method 2: Using ssh-keygen

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

This command rewrites the key file in place in PEM format: the key material itself is unchanged, only the encoding of the same file changes. Because it overwrites ~/.ssh/id_rsa, copy the file first if you want to keep the OpenSSH-format version.

Method 3: Manual Conversion (For Understanding)

While not recommended for production, you can manually edit the file. Note that this only works when the base64 body is already PKCS#1 DER (i.e. the key was already PEM-encoded); the body of an OPENSSH PRIVATE KEY file is a different structure, and simply swapping its headers produces a file OpenSSL and AWS will reject:

  1. Copy the base64 content between the headers
  2. Wrap it with PEM headers
  3. Ensure proper line endings (Unix LF format)

When using the converted PEM file with AWS:

  • The file must have 400 permissions (chmod 400 id_rsa.pem)
  • For Windows password decryption, EC2 only accepts RSA keys (ED25519 and ECDSA key pairs cannot decrypt the password data)
  • For Windows instances, you'll use this to decrypt the password via:
    aws ec2 get-password-data --instance-id i-1234567890abcdef0 --priv-launch-key id_rsa.pem

Error: "Key is not a valid PEM key"
This usually means either:
- The conversion wasn't done properly
- The file contains invalid characters
- Line endings are corrupted (common when transferring between Windows/Unix)

Solution: Re-convert using method 1 or 2 and transfer the file in binary mode if using FTP/SCP.

Error: "Unsupported key type"
AWS EC2 password decryption only supports RSA keys. If you generated an ED25519 key, you'll need to create a new RSA key pair.

  • Store the converted PEM file securely (it contains your private key)
  • Consider using AWS Session Manager instead of password decryption when possible
  • For automation, store the PEM file in AWS Secrets Manager with appropriate access controls

When working with AWS EC2 instances, particularly Windows instances, you'll encounter a requirement to decrypt the administrator password using a .pem file. The confusion arises when you've already generated standard SSH keys (id_rsa and id_rsa.pub) through ssh-keygen.

Depending on the OpenSSH release that generated it, your existing id_rsa file may already be in PEM format, just without the .pem extension. ssh-keygen releases before 7.8 (and any release invoked with -m PEM) write the private key in PKCS#1 format, which is a PEM encoding; the only difference is then the file extension and sometimes the header/footer. Newer releases default to the OPENSSH PRIVATE KEY format, which does need converting (see the troubleshooting commands further down). A PKCS#1 key looks like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAz4v9f7x8VX9Q6w8VDgJ8Z0Z5Y5X9z7QyNt0nHj3wKjy7qLW
... [key content truncated] ...
-----END RSA PRIVATE KEY-----

Here are three approaches to handle this:

Method 1: Direct Renaming (Most Common Solution)

Simply rename your private key file:

cp ~/.ssh/id_rsa ~/.ssh/mykey.pem

Method 2: Using OpenSSL for Strict PEM Format

If AWS specifically requires strict PEM formatting:

openssl rsa -in ~/.ssh/id_rsa -outform pem -out ~/.ssh/mykey.pem

Method 3: Full Conversion Process

For complete control over the conversion:

# Convert private key to PEM format (rewrites the file in place)
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

# Verify the format
file ~/.ssh/id_rsa

When working with .pem files:

  • Always set proper permissions: chmod 400 ~/.ssh/mykey.pem
  • Never share your private key
  • Consider using AWS Systems Manager Parameter Store for more secure key management

If you encounter "invalid key format" errors:

# Check key format
openssl rsa -in ~/.ssh/id_rsa -check -noout

# Convert from newer OpenSSH format if needed
ssh-keygen -p -f ~/.ssh/id_rsa -m PEM
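The three conversion methods and the "not a valid PEM key" / "invalid key format" troubleshooting above all reduce to the same decision: look at the header, fix line endings, pick the right tool, and verify the result. The script below is an added example (not from the original page or from AWS or OpenSSH) that does exactly that while leaving the original file untouched. It assumes ssh-keygen and openssl are installed; the function names and the output path are the script's own choices.

```shell
#!/usr/bin/env bash
# Added example: classify a private key file by its PEM header, flag Windows
# CRLF line endings, and write a PKCS#1 PEM copy that EC2 Windows password
# decryption accepts. The original file is never modified.

# Print the encoding of the key in $1:
#   openssh | pkcs1 | pkcs8 | pkcs8-encrypted | unknown
key_format() {
    local first
    first=$(head -n 1 "$1" | tr -d '\r')   # tolerate CRLF in the header line
    case "$first" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')    echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----')        echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')            echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')  echo pkcs8-encrypted ;;
        *)                                        echo unknown ;;
    esac
}

# Succeed if the file contains carriage returns (CRLF endings), the usual
# cause of "Key is not a valid PEM key" after a Windows/Unix transfer.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Write a PKCS#1 PEM version of key file $1 to $2.
convert_to_pem() {
    local src=$1 dst=$2 fmt
    fmt=$(key_format "$src")
    if has_crlf "$src"; then
        echo "warning: $src has CRLF line endings; the copy will use LF" >&2
    fi
    case "$fmt" in
        openssh)
            # ssh-keygen -p converts in place, so run it on the copy, not on $src.
            # It prompts for the old passphrase (if any) and a new one.
            tr -d '\r' < "$src" > "$dst"
            chmod 600 "$dst"
            ssh-keygen -p -m PEM -f "$dst" ;;
        pkcs1)
            # Already PEM/PKCS#1: only the line endings and file name change.
            tr -d '\r' < "$src" > "$dst" ;;
        pkcs8|pkcs8-encrypted)
            # OpenSSL 3.x writes PKCS#8 unless -traditional is given;
            # OpenSSL 1.1.x has no such flag and writes PKCS#1 by default.
            if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
                tr -d '\r' < "$src" | openssl rsa -traditional -out "$dst"
            else
                tr -d '\r' < "$src" | openssl rsa -out "$dst"
            fi ;;
        *)
            echo "error: $src does not start with a recognised private key header" >&2
            return 1 ;;
    esac
    chmod 400 "$dst"
    # Verify the result parses as an RSA key; EC2 password data needs RSA.
    openssl rsa -in "$dst" -check -noout >/dev/null
}

# Usage: ./convert_to_pem.sh ~/.ssh/id_rsa ~/.ssh/aws_key.pem
if [ "$#" -eq 2 ]; then
    convert_to_pem "$1" "$2"
fi
```

The openssh branch still goes through ssh-keygen because OpenSSL cannot parse that container at all; the script only ever hands OpenSSL a file that is already PEM. The final `openssl rsa -check` is the same verification the troubleshooting section recommends, run automatically so a bad conversion fails here rather than at `aws ec2 get-password-data`.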

Instead of converting existing keys, consider:

# Generate AWS-compatible key directly
ssh-keygen -t rsa -b 4096 -m PEM -f ~/.ssh/aws_key.pem

This creates a properly formatted PEM private key from the start, along with the matching public key in ~/.ssh/aws_key.pem.pub, which is the part you import into EC2.