‹ Return to How tos

Managing key pairs in Amazon Lightsail

Last updated: February 24, 2022

You can establish a secure connection to your Amazon Lightsail instances using key pairs. When you first create an Amazon Lightsail instance, you can choose to use a key pair that Lightsail creates for you (the Lightsail default key pair) or a custom key pair that you create. For more information, see Key pairs and connecting to instances in Amazon Lightsail.

On Linux and Unix instances, the private key allows you to establish a secure SSH connection to your instance. On Windows instances, the private key decrypts the default administrator password that you use to establish a secure RDP connection to your instance.

In this guide, we show you how to manage the keys that you can use with your Lightsail instances. You can view your keys, delete existing keys, and create or upload new keys.

Contents

View your default and custom keys

Complete the following procedure to view your default and custom keys from the Lightsail console.

  1. Sign in to the Lightsail console.

  2. On the Lightsail home page, choose Account on the top navigation menu.

  3. Choose Account in the dropdown menu.

    Lightsail account tab
  4. Choose the SSH keys tab.

    The SSH keys page lists:

    • Custom keys – These are keys that you create either using the Lightsail console or a third-party tool such as ssh-keygen. You can have many custom keys in each .

    • Default keys – These are keys that Lightsail creates for you. You can have only one default key in each .

      SSH keys page

Custom and default keys are Regional. For example, keys in the US West (Oregon) can be configured only on instances created in that Region. For more information about keys, see Key pairs and connecting to instances in Amazon Lightsail.

On the SSH keys page, you can create key pairs, upload keys, delete keys, and download the private key of a Lightsail default key pair.

Note

You cannot download the private key of a custom key pair because Lightsail does not store that key for you. If you’ve lost the private key of a custom key pair, then you should create a new one, and configure it on your instance. Then, delete the key which has been lost. For more information, see Create a custom key using the Lightsail console or Create a custom key using ssh-keygen and upload to Lightsail later in this guide.

Download the private key of a default key from the Lightsail console

Complete the following procedure to download the private key of a default key pair from the Lightsail console.

  1. Sign in to the Lightsail console.

  2. On the Lightsail home page, choose Account on the top navigation pane.

  3. Choose Account in the dropdown menu.

    Lightsail account tab
  4. Choose the SSH keys tab.

  5. Under the Default keys section of the page, choose the download icon for the key that you want to download.

    Default keys download icon

    Important

    Store the private key in a secure location. Don't share it publicly because it can be used to connect to your instances.

You can configure an SSH client to connect to your instances using the private key. For more information, see Connecting to your instances.

Delete a custom key in the Lightsail console

Complete the following procedure to delete a custom key in the Lightsail console. This prevents the custom key from being configured on new instances that you create in Lightsail.

  1. Sign in to the Lightsail console.

  2. On the Lightsail home page, choose Account on the top navigation pane.

  3. Choose Account in the dropdown menu.

    Lightsail account tab
  4. Choose the SSH keys tab.

  5. Under the Custom keys section of the page, choose the delete icon for the key that you want to delete.

    Custom keys delete icon

    This doesn't remove the public key of the custom key pair from instances that were previously created and are currently running. To remove a previously configured public key stored on a running instance, see Managing keys stored on an instance in Amazon Lightsail.

Delete a default key and create a new one in the Lightsail console

Complete the following procedure to delete a default key in the Lightsail console. This prevents that default key from being configured on new instances that you create in Lightsail. You can then create a new default key to replace the one that you deleted. You will be able to configure the new default key on new instances that you create in Lightsail.

  1. Sign in to the Lightsail console.

  2. On the Lightsail homepage, choose Account on the top navigation pane.

  3. Choose Account in the dropdown menu.

    Lightsail account tab
  4. Choose the SSH keys tab.

  5. Under the Default keys section of the page, choose the delete icon for the default key that you want to delete.

    Default keys delete icon

    Important

    Deleting a default key doesn't remove the public key of the custom key pair from instances that were previously created and are currently running. For more information, see Managing keys stored on an instance in Amazon Lightsail.

  6. The default key is used to generate the administrator password for Windows instances. Before you delete the default key, you should retrieve and save the administrator password from any Windows instances that use the default key you want to delete.

  7. Choose Continue to delete the default key.

    Before you delete this key prompt
  8. You must download the default key before you can delete it. After you download the default key, you will be able to choose Yes, delete to permanently delete the default key.

    Download default key prompt
  9. The default key has been deleted. Choose Okay.

    Default key deleted prompt

    The following steps are optional and you should only complete them if you want to replace the default key pair you deleted.

  10. Under the Default keys section of the page, choose Create key pair.

  11. In the Select a region prompt that appears, choose the in which you want to create your new default key. You will be able to configure your new default key on new instances in the same .

    Note

    Using these steps, you can create default key pairs only in AWS Regions where you have created Lightsail resources. To create a default key pair in a new Region, you must create a Lightsail resource in that Region. Creating the resource also creates a default key pair.

  12. Download the private key and store it in a safe location.

  13. Choose Ok, got it! to continue.

    Key pair created
  14. Confirm the new default key on the Lightsail console SSH keys page.

    Default keys list

    You can configure your new default key on new instances that you create in Lightsail. To configure your new default key on instances that were previously created and are currently running, see Managing keys stored on an instance in Amazon Lightsail.

Create a custom key using the Lightsail console

Complete the following procedure to create a custom key pair using the Lightsail console. You will be able to configure the new custom key on new instances that you create in Lightsail.

  1. Sign in to the Lightsail console.

  2. On the Lightsail homepage, choose Account on the top navigation pane.

  3. Choose Account in the dropdown menu.

    Lightsail account tab
  4. Choose the SSH keys tab.

  5. Choose Create key pair under the Custom keys section of the page.

    Create custom key
  6. In the Select a region prompt that appears, choose the in which you want to create your new custom key. You will be able to configure your new custom key on new instances in the same .

     list
  7. In the Create a new SSH key pair prompt that appears, give your custom key a name, and choose Generate key pair.

    Create a new SSH key pair
  8. In the Key pair created! prompt that appears, choose Download private key to save the private key to your local computer.

    Important

    Store the private key in a secured location. Don't share it publicly because it can be used to connect to your instances.

    This is the only time you can download the private key of the custom key pair. Lightsail does not store the private key of custom key pairs. After you close this prompt, you will not be able to download it again.

    Download private key prompt
  9. Choose Ok, got it! to close the prompt.

    You can only download private key once prompt
  10. Your new custom key is listed under the Custom keys section of the page.

    Custom keys list

    You can configure your new custom key on new instances that you create in Lightsail. To configure your new custom key on instances that were previously created and are currently running, see Managing keys stored on an instance in Amazon Lightsail.

Create a custom key using ssh-keygen and upload to Lightsail

Complete the following procedure to create a custom key pair on your local computer using a third-party tool, such as ssh-keygen. After you create the key, you can upload it to the Lightsail console. You will be able to configure the new custom key on new instances that you create in Lightsail.

  1. Open Command Prompt or Terminal on your local computer.

  2. Enter the following command to create a key pair.

    ssh-keygen -t rsa
  3. Specify a directory location on your computer where the key pair should be saved.

    For example, you can specify one of the following directories:

    1. On Windows: C:\Users\<UserName>\.ssh\<KeyPairName>

    2. On macOS, Linux or Unix: /home/<UserName>/.ssh/<KeyPairName>

    Replace <UserName> with the name of the user you're currently signed in as, and replace <KeyPairName> with the name of your new key pair.

    In the following example, we specified the C:\Keys directory on our Windows computer, and gave the new key a name of MyNewLightsailCustomKey.

    ssh-keygen
  4. Enter a passphrase for your key and press Enter. You will not see the passphrase as you enter it.

    You will need this passphrase later when configuring the private key of the key pair on an SSH client to connect to an instance that has the public key of the key pair configured on it.

    passphrase
  5. Enter the passphrase again to confirm it and press Enter. You will not see the passphrase as you enter it.

    passphrase
  6. A prompt confirms that your private key and public key have been saved to the specified directory.

    key pair save location

    Next you will upload the public key of the key pair to the Lightsail console.

  7. Sign in to the Lightsail console.

  8. On the Lightsail home page, choose Account on the top navigation pane.

  9. Choose Account in the dropdown menu.

    Lightsail account tab
  10. Choose the SSH keys tab.

  11. Choose Upload key under the Custom keys section of the page.

    Upload custom key
  12. In the Select a region prompt that appears, choose the in which you want to upload your new custom key. You will be able to configure your new custom key on new instances in the same .

     list
  13. Choose Upload.

  14. Click Choose File in the Upload a public key prompt that appears.

    Choose public key file location
  15. Find the public key of the key pair you created earlier in this procedure, on your local computer, and choose Open. The public key of the key pair is the file with a .PUB file extension.

    Select public key
  16. Choose Upload key.

    Choose upload key button
  17. Your new custom key is listed in the Custom keys section of the page.

    Custom keys list

    You can configure your new custom key on new instances that you create in the AWS Region where you uploaded your key. To configure your new custom key on instances that were previously created and are currently running, see Managing keys stored on an instance in Amazon Lightsail.