How to Download Existing EC2 Key Pair Without Terminating the Instance


When working with AWS EC2 instances, losing access to your key pair can be frustrating. Unlike some cloud providers, AWS doesn't store your private key once the key pair is created. This design is intentional for security reasons but creates challenges when you need to access an instance from a new machine.

Here's what happens behind the scenes when you create a key pair in AWS:

1. You request a new key pair through the AWS console or CLI
2. AWS generates the key pair (2048-bit RSA by default; ED25519 is also supported)
3. AWS keeps only the public key, and injects it into the instance's ~/.ssh/authorized_keys at first boot via cloud-init
4. The private key is available for download exactly once, at creation time
5. AWS never stores the private key on its servers, so it cannot hand it out again, not even to support

While you can't directly download the original private key, here are practical approaches:

Option 1: Create New Key Pair and Replace

This method requires some working path onto the instance (the old key, EC2 Instance Connect, or SSM) but preserves the instance. Note that create-key-pair returns only the private key, so the public half has to be derived locally before it can be copied up; the key pair name AWS shows for the instance is a launch-time record and will keep pointing at the original key:

# Step 1: Create new key pair; AWS returns the private key exactly once
aws ec2 create-key-pair --key-name MyNewKey --query 'KeyMaterial' --output text > MyNewKey.pem
chmod 400 MyNewKey.pem

# Step 2: Derive the public half (create-key-pair does not give you a .pub file)
ssh-keygen -y -f MyNewKey.pem > MyNewKey.pub

# Step 3: Copy public key to instance
scp -i existing_key.pem MyNewKey.pub ec2-user@your-instance:/tmp/

# Step 4: SSH into instance and add the new key; verify a login with MyNewKey.pem works before removing the old entry
ssh -i existing_key.pem ec2-user@your-instance
cat /tmp/MyNewKey.pub >> ~/.ssh/authorized_keys && rm /tmp/MyNewKey.pub

Option 2: Use EC2 Instance Connect

AWS provides this for short-lived SSH access: you push any public key you like and the instance honours it for 60 seconds, long enough to log in and install a permanent key. It needs the EC2 Instance Connect agent on the instance (preinstalled on Amazon Linux 2/2023 and Ubuntu 16.04+), the ec2-instance-connect:SendSSHPublicKey IAM permission, and port 22 reachable from wherever you run ssh:

# Generate a throwaway key, push its public half, then connect within 60 seconds
ssh-keygen -t ed25519 -N '' -f MyKey
aws ec2-instance-connect send-ssh-public-key \
  --instance-id i-1234567890abcdef0 \
  --availability-zone us-east-1a \
  --instance-os-user ec2-user \
  --ssh-public-key file://MyKey.pub
ssh -i MyKey ec2-user@your-instance
# Once in, append a permanent public key to ~/.ssh/authorized_keys as in Option 1

Option 3: Through Systems Manager (SSM)

If your instance runs SSM Agent and has an instance profile that lets it register with Systems Manager (the AmazonSSMManagedInstanceCore managed policy covers this), you get a shell with no SSH key and no open port 22 at all:

# Start session (needs the Session Manager plugin installed alongside the AWS CLI)
aws ssm start-session --target i-1234567890abcdef0

# Once connected you are ssm-user, not the login user; switch, then install a public key generated on your workstation
sudo -iu ec2-user
umask 077
mkdir -p ~/.ssh
cat >> ~/.ssh/authorized_keys    # paste the public key, then Ctrl-D
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Key management basics:

  • Always rotate keys when compromised
  • Never share private keys across environments
  • Use key pairs only for initial access, then move to IAM-governed access (Session Manager or Instance Connect)
  • Consider SSH certificate-based authentication for better management

When working with AWS EC2 instances, we've all faced this situation: you successfully configured SSH access from your primary machine, but need to connect from another workstation and realize the .pem key file isn't available. AWS really does not let you download a key pair again after creation, so the question is not how to get the original file back but how to regain access to the instance.

AWS explicitly states: "You can't download a key pair again after it's created." That is a property of the design rather than a policy: the private key was generated, handed to your browser or CLI once, and never kept. What you can do is confirm which public key the instance trusts, check whether a private key you already hold matches it, and if none does, install a replacement.

Connect to your instance (using whatever access still works) and run:

cat ~/.ssh/authorized_keys

This displays the public key(s) the instance trusts. No private key can be derived from a public key; it is precisely the half that is safe to publish. What the listing does let you do is test whether a private key you still have somewhere (an old laptop, a backup) is the matching one. On your local machine, for each candidate file:

ssh-keygen -y -f candidate_key.pem > candidate_key.pub

Compare the second field (the base64 blob) of candidate_key.pub with the entry from authorized_keys; if they are identical, that file is the key, and chmod 400 on it is all that is left to do. If no candidate matches, there is nothing to reconstruct, so replace the key instead:

  1. Generate a new key pair
  2. Add its public key to ~/.ssh/authorized_keys on the instance (the key pair name AWS displays for the instance will not change; it only records the launch-time key)
  3. Use the new private key, and remove the old authorized_keys entry once the new one is confirmed working
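As an added example (not code from the original article), the following shell helpers put the two procedures on this page together: the check just described, whether a private key file you still hold matches an entry in authorized_keys, and the Option 1 rotation, installing a replacement key without touching the instance's existing credentials. It assumes ssh-keygen is installed locally; the host, old key path and new key name passed to rotate_instance_key are placeholders, and that one function needs a live instance and AWS credentials (the other three run entirely offline).

```shell
#!/bin/bash
# Added example, not from the original article. Local helpers for checking a
# candidate private key against authorized_keys and for installing a
# replacement key. Requires ssh-keygen; awk and grep are assumed POSIX.
set -eu

# Print "keytype base64blob" for the public half of a private key file.
# Works for AWS .pem (RSA) and ed25519 keys alike; the comment field is
# dropped so the result compares byte-for-byte with authorized_keys entries.
pubkey_from_pem() {
    ssh-keygen -y -f "$1" | awk '{print $1, $2}'
}

# Return 0 if the candidate private key's public half is listed in the given
# authorized_keys file, 1 otherwise. This is the honest form of "recovery":
# a private key cannot be rebuilt from the public key, but you can tell
# whether a .pem found on an old machine is the right one.
pem_matches_authorized_keys() {
    pem="$1"; auth="$2"
    [ -r "$auth" ] || return 1
    want=$(pubkey_from_pem "$pem")
    awk '{print $1, $2}' "$auth" | grep -qxF "$want"
}

# Idempotently append a public key to an authorized_keys file and set the
# permissions sshd insists on (700 on the directory, 600 on the file).
# Running it twice with the same key leaves a single entry.
authorize_pubkey() {
    pubfile="$1"; auth="$2"
    entry=$(awk '{print $1, $2}' "$pubfile")
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    touch "$auth"
    chmod 600 "$auth"
    if ! awk '{print $1, $2}' "$auth" | grep -qxF "$entry"; then
        printf '%s\n' "$entry" >> "$auth"
    fi
}

# Full rotation against a live instance (placeholder arguments; run by hand):
# create a replacement key pair in AWS, derive its public half, push it over
# the still-working key, and prove the new key logs in before retiring the old.
rotate_instance_key() {
    host="$1"; old_pem="$2"; new_name="$3"
    aws ec2 create-key-pair --key-name "$new_name" --key-type ed25519 \
        --query 'KeyMaterial' --output text > "$new_name.pem"
    chmod 400 "$new_name.pem"
    pubkey_from_pem "$new_name.pem" > "$new_name.pub"
    # Stream the entry in over stdin so nothing is left lying around in /tmp.
    ssh -i "$old_pem" "ec2-user@$host" \
        'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' \
        < "$new_name.pub"
    # Verify the new key works before you consider removing the old entry.
    ssh -i "$new_name.pem" -o BatchMode=yes "ec2-user@$host" 'echo new key ok'
}
```

Source the file and call pem_matches_authorized_keys old_laptop.pem authorized_keys.copy against a copy of the instance's authorized_keys to settle the "is this the right .pem?" question without touching the instance; only rotate_instance_key talks to AWS. The comparison deliberately ignores the comment field, because the comment in authorized_keys (the key pair name AWS injected) will never match whatever ssh-keygen prints locally.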

For frequent needs, script the check. Be aware that get-console-output is the wrong source for this: the ssh-rsa lines in a first-boot console log are the instance's host keys printed by cloud-init, not your login key. Ask AWS for the public half of the registered key pair instead, and remember it reflects the launch-time key only, not anything added to authorized_keys afterwards:

#!/bin/bash
set -euo pipefail
INSTANCE_ID="i-1234567890abcdef0"
CANDIDATE_PEM="${1:?usage: $0 candidate.pem}"

# Find which key pair the instance was launched with, then fetch its public
# half from AWS (the private key is not stored anywhere in AWS)
KEY_NAME=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
  --query 'Reservations[0].Instances[0].KeyName' --output text)
aws ec2 describe-key-pairs --key-names "$KEY_NAME" --include-public-key \
  --query 'KeyPairs[0].PublicKey' --output text | awk '{print $1, $2}' > "${KEY_NAME}.pub"

# No private key can be generated from this; the useful question is whether
# a .pem you already have is the matching one
if [ "$(ssh-keygen -y -f "$CANDIDATE_PEM" | awk '{print $1, $2}')" = "$(cat "${KEY_NAME}.pub")" ]; then
  echo "$CANDIDATE_PEM matches key pair $KEY_NAME"
else
  echo "$CANDIDATE_PEM does not match $KEY_NAME; create a new key pair and install it instead" >&2
  exit 1
fi

AWS Systems Manager Session Manager gives you an interactive shell (and optional port forwarding) without any SSH key pair and without port 22 open:

aws ssm start-session --target $INSTANCE_ID

This requires SSM Agent on the instance, an instance profile allowed to register with Systems Manager, the Session Manager plugin next to your AWS CLI, and ssm:StartSession permission for the caller, but it removes key pair issues entirely and every session is logged in CloudTrail.

Always:

  • Keep private keys off shared drives and chat; if a team genuinely needs one, store it in AWS Secrets Manager or a Parameter Store SecureString and fetch it through IAM rather than by copying files around
  • Use EC2 Instance Connect or Session Manager for temporary access instead of handing out long-lived keys
  • Implement key rotation policies, and remove the old public key from authorized_keys once the new one is verified