Step 1: Learn about the process Step 2: Create a key pair Step 3: Add a public key to your instance Step 4: Connect to your instance using the new key pair Step 5: Delete an existing public key from your instance

Manage SSH keys stored on a Lightsail instance

You can establish a secure connection to your Amazon Lightsail instances using key pairs. Lightsail configures the public key of a key pair on your Linux or Unix instance when you first create it. You use the private key of the key pair to authenticate to your instance when establishing an SSH connection to it. For more information about keys, see Key pairs and connecting to instances.

After your instance is up and running, you can change the key pair that is used to connect to your instance by adding a new public key on the instance, or by replacing the public key (deleting the existing public key and adding a new one) on the instance. You might do this for the following reasons:

If a user in your organization requires access to the instance using a separate key pair, you can add the public key to your instance.
If you need to secure a new instance that was created from the snapshot of an instance which used a compromised key.
If someone has a copy of the private key and you want to prevent them from connecting to your instance (for example, if they left your organization), you can delete the public key on the instance and replace it with a new one.

To add or replace a key on your instance, you must be able to connect to your instance. If you've lost your existing private key, you can connect to your instance using the Lightsail browser- based SSH client. For more information, see Connecti to your Linux or Unix instance.

Contents

Step 1: Learn about the process
Step 2: Create a key pair
Step 3: Add a public key to your instance
Step 4: Connect to your instance using the new key pair
Step 5: Delete an existing public key from your instance

Step 1: Learn about the process

Following are the general steps to add and remove keys on an instance. If you want to remove a key from your instance without adding a new key, see Step 5: Delete an existing public key from your instance later in this guide.

Create a key pair – To add a new key to your instance you must first create a new key pair. You can create a custom or default key pair using the Lightsail console, or on your local computer using a third-party tool, such as ssh-keygen. Both methods generate a new key pair, which consist of a public key and a private key. For more information, see Step 2: Create a key pair later in this guide.
Add a public key to your instance – After you create a key pair, you connect to your instance using SSH and add the public key of the key pair to your instance. For more information, see Step 3: Add a public key to your instance later in this guide.
Test that you can connect to your instance using the new key pair – After the public key of the key pair is saved on the instance, you should test that you can use the private key of the key pair to connect to the instance using SSH. For more information, see Step 4: Connect to your instance using the new key pair later in this guide.
Remove an old public key from your instance – After you successfully connect to your instance using the new key, you can remove an old public key from the instance. Complete this step to prevent a user from connecting to an instance using an old key pair. For more information, see Step 5: Delete an existing public key from your instance later in this guide.

Step 2: Create a key pair

Complete the following procedure to create a key pair on your local computer using ssh-keygen.

Open Command Prompt or Terminal on your local computer.
Enter the following command to create a key pair.
```
ssh-keygen -t rsa
```
Specify a directory location on your computer where the key pair should be saved.

For example:
- On Windows: C:\Users\<UserName>\.ssh\<KeyPairName>
- On macOS, Linux or Unix: /home/<UserName>/.ssh/<KeyPairName>
Replace <UserName> with the name of the user you are currently signed in as, and replace <KeyPairName> with the name of your new key pair.

In the following example, we specified the C:\Keys directory on our Windows computer, and gave the new key a name of MyNewLightsailCustomKey.

$Directory location C:\Keys$
Enter a passphrase for your key and press Enter. You will not see the passphrase as you enter it.

You will need this passphrase later when configuring the private key on an SSH client to connect to an instance that has the public key configured on it.
Enter the passphrase again to confirm it and press Enter. You will not see the passphrase as you enter it.
A prompt confirms that your private key and public key have been saved to the specified directory.
Open the public key (.PUB) file, and copy the text in the file.

Continue to the next section of this guide to add your new public key to your Lightsail instance.

Step 3: Add a public key to your instance

Complete the following procedure to add the public key to your instance. Public key content is saved in the ~/.ssh/authorized_keys file on Linux and Unix instances.

Sign in to the Lightsail console.
Choose the Instances tab on the Lightsail home page.
Choose the browser-based SSH client icon for the instance that you want to connect to.
After you're connected, enter the following command to edit the authorized_keys file using the text editor of your choice. The following steps use Vim for demonstration purposes.
```
sudo vim ~/.ssh/authorized_keys
```
You should see a result similar to the following example, which shows the current public keys configured on your instance. In our case, the Lightsail default key for the AWS Region in which the instance was created in, is the only public key configured on the instance.
Press the I key to enter insert mode in the Vim editor.
Enter a line break after the last public key on the file.
Paste the public key text that you copied earlier in this guide (after creating a new key pair). You should see a result similar to the following example:
Press the ESC key. Next, type :wq! and press Enter to save your edits and exit the Vim editor.

The new public key is now added to your instance. Continue to the next section of this guide to connect to your instance using the new key pair.

Step 4: Connect to your instance using the new key pair

To test the new key pair, disconnect from your instance, and reconnect to it using the private key that you created earlier in this guide. For more information, see Key pairs and connecting to instances in Amazon Lightsail. After you successfully connect to your instance using the new key, you can remove an old key from the instance. Continue to the next step to learn how to delete public keys from your instance.

Step 5: Delete an existing public key from your instance

Complete the following procedure to remove a public key from your instance. This prevents a user from connecting to an instance using an old key pair. Do this after you successfully connect to the instance using the new key pair.

Connect to your instance using SSH.
Enter the following command to edit the authorized_keys file using the text editor of your choice. The following steps use Vim for demonstration purposes.
```
sudo vim ~/.ssh/authorized_keys
```
Press the letter I key to enter insert mode in the Vim editor.
Delete the line of text that contains the public key that you want to remove from your instance.

The result should look like the following example, where the new public key the only key that displays.
Press the ESC key. Next, type :wq! and press Enter to save your edits and exit the Vim editor.

The deleted public key is now removed from your instance. Your instance will refuse connections that use the private key of that key pair.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Manage SSH keys

Set up PuTTY