25

I created a new Windows instance on AWS EC2, using a keypair I created by uploading my public key from my local machine.

The instance launched fine, but it won't decrypt the password. It reports:

Private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"

I'm certain I uploaded the correct key. I've verified that the fingerprints match with the weird fingerprint format AWS uses. But it just won't decrypt.

I've tried uploading the key file, and pasting it into the form.

I eventually figured out that it isn't stripping the trailing newline, and deleted the blank line in the key. That just gets me to a new error when I click "Decrypt Password", though:

There was an error decrypting your password. Please ensure that you have entered your private key correctly.

Craig Ringer
  • 10,553
  • 9
  • 38
  • 59

6 Answers

27

AWS EC2's key management does not cope with SSH private keys that have passwords set (are encrypted). It doesn't detect this, and simply fails with an uninformative error.

If your private key is stored encrypted on disk (like it should be, IMO) you must decrypt it to paste it into AWS's console.

Rather than doing that, consider decrypting the password locally, so you don't have to send your private key to AWS. Get the encrypted password data (base64 encoded) from the server log after startup, or using get-password-data or the corresponding API requests.

You can then base64 decode and decrypt the result:

base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

(OpenSSH private keys are accepted by openssl rsautl).

The issue with failing to handle password protected keys with a useful error also affects the ec2-get-password command.

See also:

Craig Ringer
  • 10,553
  • 9
  • 38
  • 59
  • 1
    Thanks. Here is a complete command line that I use, following your suggestions: `aws ec2 get-password-data "--instance-id=${instance_id}" | jq -r .PasswordData | base64 -D | openssl rsautl -decrypt -inkey ${my_key}` (uses [aws-cli](https://aws.amazon.com/cli/) and [jq](https://github.com/stedolan/jq)). – Ben Butler-Cole Mar 07 '16 at 09:33
  • base64 complains about `-d` so `-D` works for me. im on OS X – Saad Masood Sep 15 '16 at 12:41
  • 3
    In OS X, I'd add one more command to that pipe: `aws ec2 get-password-data "--instance-id=${instance_id}" | jq -r .PasswordData | base64 -D | openssl rsautl -decrypt -inkey ${my_key} | pbcopy` ...which sends the password straight to your clipboard. – Mark Maglana Dec 22 '16 at 01:59
  • 1
    This should be marked as the correct answer IMHO, since the other answers are a bit insecure compared to this one. – webofmars Nov 14 '18 at 16:19
  • When it says "OpenSSH private keys are accepted", it specifically means those that read `BEGIN RSA PRIVATE KEY`; if it says `BEGIN OPENSSH PRIVATE KEY`, you probably need to convert it to PEM format first. – dragon788 Sep 16 '20 at 16:43
5

This is what worked for me in macOS:

openssl rsa -in $HOME/.ssh/aws-remote -out /Users/home/desktop/unencrypted-rsa.txt

It's worth noting that you can tell if your .pem file is encrypted with a password by looking for the following line. If it's present, you need to decrypt it before using it with Amazon:

Proc-Type: 4,ENCRYPTED

Django Reinhardt
  • 2,256
  • 3
  • 38
  • 55
  • For me it was the solution. The AWS UI doesn't detect that the key was passphrase protected and then you need to decrypt it before. This is kind of insecure though. So remove the decrypted file afterwards. – webofmars Nov 14 '18 at 16:17
4

Without the use of jq, this is still possible but requires some additional parsing of the returned data.

aws ec2 get-password-data "--instance-id=${instance_id}" --query 'PasswordData' | sed 's/\"\\r\\n//' | sed 's/\\r\\n\"//' | base64 -D | openssl rsautl -inkey ${my_key} -decrypt

Ben
  • 41
  • 1
  • Worked great, on WSL Ubuntu I had to use `base64 -d` rather than `-D`. – Seth Stone Nov 08 '19 at 18:41
  • You can also try `| tr -d '[:space:]' |` to get rid of all the whitespace characters leaving you with only the encrypted password data which you can then decrypt. – dragon788 Sep 10 '20 at 17:59
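As an added example (not code from any of the answers or comments above), here is a POSIX shell script that ties together the local-decryption pipeline from the accepted answer, the `base64 -d`/`-D` difference and the `tr -d '[:space:]'` cleanup from the comments, and the `Proc-Type: 4,ENCRYPTED` check from the second answer. It uses `openssl pkeyutl`, the current replacement for the deprecated `rsautl`, and stands in a constructed key pair and password for a real instance, so it runs without AWS credentials; the helper names are this example's own, not AWS CLI commands.

```shell
#!/bin/sh
# Added example: decrypt EC2 Windows PasswordData locally and refuse the
# two key formats the answers above identify as failure modes.
# Helper names are this example's own, not from the AWS CLI.

# Return 0 if the key needs a passphrase: traditional PEM carries a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 uses a distinct BEGIN line.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Return 0 if the key is in native OpenSSH format; neither the console nor
# openssl read it, so rewrite it as PEM first (ssh-keygen -p -m PEM -f KEY).
key_is_openssh_format() {
    grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"
}

# Decode base64 from stdin with whichever flag the local base64 accepts
# (-d on GNU/Linux, -D on older macOS).
b64_decode() {
    if printf 'QQ==' | base64 -d >/dev/null 2>&1; then
        base64 -d
    else
        base64 -D
    fi
}

# decrypt_password_data BASE64_PASSWORD_DATA KEY_PATH
# PasswordData as returned by the API is the Administrator password,
# RSA (PKCS#1 v1.5) encrypted to the key pair's public key, then base64
# encoded, possibly with embedded CR/LF. Prints the password on stdout.
decrypt_password_data() {
    b64="$1"
    key="$2"
    if key_is_openssh_format "$key"; then
        echo "error: $key is in OpenSSH format, convert it to PEM first" >&2
        return 2
    fi
    if key_is_encrypted "$key"; then
        echo "error: $key is passphrase-protected, decrypt a copy first" >&2
        return 3
    fi
    printf '%s' "$b64" | tr -d '[:space:]' | b64_decode \
        | openssl pkeyutl -decrypt -inkey "$key"
}

# Round trip on a constructed key pair and password, standing in for a real
# instance; prints the decrypted password on stdout.
demo_roundtrip() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/key.pub" 2>/dev/null
    # Build PasswordData the way EC2 would: encrypt to the public key, base64.
    pwdata=$(printf 'Constructed-Pa55word!' \
        | openssl pkeyutl -encrypt -pubin -inkey "$dir/key.pub" | base64)
    rc=0
    decrypt_password_data "$pwdata" "$dir/key.pem" || rc=$?
    rm -rf "$dir"
    return $rc
}

# Same key, but saved with a passphrase: decrypt_password_data must refuse it
# (exit status 3) instead of failing with an uninformative openssl error.
demo_encrypted_key_refused() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/key.pem" -aes256 -passout pass:constructed \
        -out "$dir/key-enc.pem" 2>/dev/null
    rc=0
    decrypt_password_data 'QQ==' "$dir/key-enc.pem" >/dev/null 2>&1 || rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 3 ]
}

demo_roundtrip
```

With a real instance, replace the constructed `pwdata` with the output of `aws ec2 get-password-data --instance-id ... --query PasswordData --output text`; the whitespace stripping handles the `\r\n` that the comments above work around with `sed`. The key-format checks run before anything is sent to openssl, which turns the two silent failures on this page into explicit exit codes.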
2

On my Mac, the command-line arguments for base64 are different.

This worked for me:

base64 -D -i /tmp/file | openssl rsautl -decrypt -inkey /path/to/key.pem

Dan
  • 141
  • 3
1

The most straightforward option lies in the get-password AWS documentation link posted above:

aws ec2 get-password-data --instance-id  i-1234567890abcdef0 --priv-launch-key C:\Keys\MyKeyPair.pem

Also, take this into account:

Important

The private key must be in the PEM format. For example, use ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.

Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
-1
  1. go to ec2 dashboard
  2. delete the existing key
  3. create a new key pair
  4. choose a name
  5. download and keep it in local
  6. launch instance and download your copy of windows instance
  7. name the new keypair with name used in step 4
  8. use this newly generated key to decrypt password

this will work