How to Recover Access to Your EC2 Instance After Losing the Private Key

Content level: Expert

Learn how to regain access to your Amazon EC2 instance after losing the private key by following these recovery steps

Introduction:

  • Losing the private key for your EC2 instance can feel like a dead end, but there are ways back in. In this article we walk through the steps to recover access to an instance whose .pem file you no longer have: stopping it, moving its root EBS volume to a second instance, adding a new public key to the authorized_keys file, and moving the volume back.

What is a .pem key

  • A file with the .pem extension uses the Privacy-Enhanced Mail container format: Base64-encoded key or certificate material between -----BEGIN ...----- and -----END ...----- header lines. In AWS it almost always means the private key of an EC2 key pair, the file you pass to ssh -i to log in to an instance.

Key Pair Components

Private Key (.pem file) This is the secret half of the key pair and stays on your local machine. The SSH client uses it to prove to the instance that you hold the key. Only you should be able to read this file (ssh refuses to use it if other users can).

Public Key This half is stored on the EC2 instance, in the login user's ~/.ssh/authorized_keys file. sshd uses it to verify that whoever is connecting holds the matching private key. Because it lives in an ordinary file on the root volume, it is the half you can replace when the private key is lost.

How Does It Work

Key Pair Creation

  • When you launch an EC2 instance, you either create a new key pair or pick an existing one. For a new key pair AWS hands you the private key file (.pem) once, at creation time, and installs the public key on the instance: cloud-init writes it to the login user's ~/.ssh/authorized_keys on first boot.

Connecting to the Instance

  • To connect to your EC2 instance, you run an SSH client with your .pem file (ssh -i key.pem user@host). The client uses the private key to prove your identity to the server.

Authentication Process

  • The SSH client opens the connection and offers the public key that matches your .pem file; the private key itself never leaves your machine.

  • sshd on the instance looks for that public key in the login user's ~/.ssh/authorized_keys. If it is listed, the server sends a challenge, the client signs it with the private key, and the server verifies the signature with the public key. Only if the signature checks out is access granted.

Secure Communication

  • Once authenticated, a secure channel is established between your SSH client and the EC2 instance, allowing encrypted communication.

Step-by-Step Process for Recovering a .pem File

  • If the .pem file is lost, you cannot get it back from AWS: AWS does not retain private keys, only the public half of the key pair. You can still regain access, because the public key is just a line in a file on the instance's root volume, and that file can be edited from another instance using the following steps.

Stop the EC2 Instance

  • The root volume cannot be detached from a running instance, so the instance must be stopped before its configuration can be modified from outside.

  • Wait until the instance state shows "stopped" before proceeding. Note that stopping releases the instance's public IPv4 address unless it has an Elastic IP, and discards the contents of any instance store volumes.

Detach the Root EBS Volume

  • Detach the root volume from the stopped instance so that it can be attached elsewhere. Before you do, note the volume ID and the root device name shown on the instance's Storage tab (typically /dev/sda1 or /dev/xvda); the volume must be reattached under that same device name later or the instance will not boot.

  • Once detached, the volume can be attached to another instance, where you can edit files on it, such as the authorized_keys file, to regain access to the original instance.

Attach the EBS Volume to Another Instance

  • Launch a second EC2 instance in the same Availability Zone as the detached volume (an EBS volume can only be attached to instances in its own AZ), creating a new key pair for it and downloading the new .pem file. This recovery instance gives you access to the stopped instance's file system.

  • Go back to the EBS Volumes dashboard, select the detached volume, click Actions, and choose Attach volume.

  • We selected the newly created instance and the device name /dev/sdk.

Access the File System

  • SSH into the recovery instance using its .pem file. Once logged in, mount the attached EBS volume.

First check for the volume using the command

lsblk -f

  • In our case the attached volume appears as xvdh. The name the guest shows does not always match the device name chosen in the console: /dev/sdX appears as /dev/xvdX on Xen-based instance types and as /dev/nvmeXn1 on Nitro-based ones, so go by what lsblk reports. A root volume is partitioned, so mount the root partition (for example xvdh1), not the whole disk.

  • Create a mount point (this walkthrough uses /recovery) and mount the root partition there. If the recovery instance was launched from the same AMI and the file system is XFS, mount will refuse the duplicate UUID; add -o nouuid in that case.

  • Navigate to the .ssh directory of the login user on the mounted volume. The user depends on the AMI: home/ubuntu on Ubuntu (used here), home/ec2-user on Amazon Linux and RHEL.

Modify the Authorized Keys

  • We need to add the public key of the new key pair to the .ssh/authorized_keys file on the mounted volume, so that the new .pem file is accepted by the original instance.

  • The public key of the new key pair is already on the recovery instance, in ~/.ssh/authorized_keys of its login user (cloud-init put it there). Print that file and copy the line.

  • Append the copied line to /recovery/home/ubuntu/.ssh/authorized_keys. Appending keeps the old key valid, which is what you want if the key was merely lost; if it may have been stolen, delete the old line instead. Keep the file's ownership and mode unchanged (the file must be 600 and .ssh 700, both owned by the user) or sshd will ignore it.

Reattach the EBS Volume to the Original Instance:

  • Unmount the volume on the recovery instance (umount /recovery).

  • Detach the EBS volume from the recovery instance and wait for its state to become "available".

  • Reattach the volume to the original instance under its original root device name (for example /dev/sda1 or /dev/xvda, as noted before detaching), not under /dev/sdk.

Start the EC2 Instance:

  • Go back to the EC2 Dashboard and select your original instance.

  • Right-click on it, go to Instance State, and click Start.

Access the Instance with the New .pem File:

  • Now you can SSH into the original instance using the new .pem file, substituting the login user of your AMI (ubuntu for the Ubuntu instance used in this walkthrough, ec2-user for Amazon Linux) and the instance's current public IP, which may have changed on the stop/start if no Elastic IP is attached.

ssh -i /path/to/new-key.pem ubuntu@your-instance-ip
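The whole procedure above as an added shell example (this is not code from the original article). It assumes an AWS CLI with EC2 permissions on the workstation, a recovery instance already launched in the same Availability Zone, and placeholder values for the instance IDs, the device names, the /recovery mount point and the ubuntu login user; replace them with your own. It goes slightly beyond the walkthrough by recording the original root device name for the reattach step and by deriving the new public key from the .pem with ssh-keygen -y instead of copying it off the recovery instance.

```shell
#!/bin/sh
# Added example (not code from the original article): the recovery procedure
# as shell functions. Part 1 runs on a workstation with the AWS CLI, Part 2 on
# the recovery instance. Instance IDs, device names, mount point and user name
# are placeholders (assumptions) that you replace with your own values.
set -eu

# ---- Part 1: workstation with the AWS CLI (assumes EC2 permissions) ----

# Stop the locked-out instance, wait for "stopped", detach its root volume and
# attach it to the recovery instance (same AZ) as /dev/sdk. Prints the volume
# ID and the original root device name, both needed for the reattach step.
move_root_volume_to_recovery() {
  locked="$1"; recovery="$2"
  aws ec2 stop-instances --instance-ids "$locked" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$locked"
  root_dev=$(aws ec2 describe-instances --instance-ids "$locked" \
    --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
  vol=$(aws ec2 describe-instances --instance-ids "$locked" \
    --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.VolumeId" \
    --output text)
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$recovery" \
    --device /dev/sdk >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  echo "$vol $root_dev"
}

# After the volume has been unmounted on the recovery instance: detach it,
# reattach it to the original instance under its ORIGINAL root device name
# (any other name leaves the instance unbootable), then start the instance.
return_root_volume() {
  locked="$1"; vol="$2"; root_dev="$3"
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$locked" \
    --device "$root_dev" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  aws ec2 start-instances --instance-ids "$locked" >/dev/null
}

# ---- Part 2: on the recovery instance (run as root / with sudo) ----

# Mount the root PARTITION of the attached volume, not the whole disk. The
# in-guest name differs from the console name: /dev/sdk shows as /dev/xvdk on
# Xen instance types and as /dev/nvme1n1 on Nitro; confirm with `lsblk -f`.
# If both instances come from the same AMI and the file system is XFS (Amazon
# Linux, RHEL), the duplicate UUID makes mount fail; retry with -o nouuid.
mount_recovery_volume() {
  part="$1"; mnt="${2:-/recovery}"
  mkdir -p "$mnt"
  mount "$part" "$mnt" || mount -o nouuid "$part" "$mnt"
}

# Append a public key to the login user's authorized_keys on the mounted
# volume. The user is AMI specific: ubuntu (Ubuntu), ec2-user (Amazon Linux,
# RHEL), admin (Debian). sshd ignores the file unless .ssh is 700, the file is
# 600 and both belong to the user, so ownership is copied from the user's home
# directory on the mounted volume (its uid may differ from the recovery box).
# Appending keeps the old key valid; delete its line if the key was stolen
# rather than lost. Prints the number of keys now in the file.
install_recovery_key() {
  mnt="$1"; user="$2"; pubkey="$3"
  sshdir="$mnt/home/$user/.ssh"; authk="$sshdir/authorized_keys"
  mkdir -p "$sshdir"
  if ! grep -qxF -- "$pubkey" "$authk" 2>/dev/null; then   # idempotent
    printf '%s\n' "$pubkey" >>"$authk"
  fi
  chmod 700 "$sshdir"; chmod 600 "$authk"
  if [ "$(id -u)" -eq 0 ]; then
    chown --reference="$mnt/home/$user" "$sshdir" "$authk"
  fi
  grep -c . "$authk"
}

# Typical run (every value below is a placeholder):
#   workstation$ move_root_volume_to_recovery i-0locked i-0recovery  # -> "vol-0abc /dev/sda1"
#   workstation$ ssh-keygen -y -f new-key.pem                         # prints the new public key
#   recovery$    sudo sh -c '. ./recover.sh; mount_recovery_volume /dev/xvdk1; \
#                  install_recovery_key /recovery ubuntu "ssh-ed25519 AAAA... new"; umount /recovery'
#   workstation$ return_root_volume i-0locked vol-0abc /dev/sda1
```

The AWS CLI `wait` calls replace the manual "wait until the state changes" steps in the console; `describe-instances` records the root device name so the reattach cannot silently use the wrong one. `install_recovery_key` takes the key as a string, so it works whether you copy it from the recovery instance's authorized_keys or derive it locally with `ssh-keygen -y -f new-key.pem`.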

Conclusion

  • Regaining access to your EC2 instance after losing the .pem file involves stopping the instance, detaching its root EBS volume and mounting it on a recovery instance, appending a new public key to the login user's .ssh/authorized_keys, and moving the volume back under its original device name. By following these steps you restore SSH access to the instance with a new key pair, without losing any of its data.
published a month ago
2 Comments

Probably should state these instructions are for an Ubuntu instance only. What about Windows, Red Hat or other instances that also use a pem file?

AWS, replied a month ago

There is one more method that is very easy: just go to the console, select the EC2 instance, then click Connect. After that select EC2 Instance Connect, in Username select root, and then click Connect. Now you will be able to connect via the web to your EC2 instance, and you can create a new user, extract its pem and assign sudo access. I used this method and it works for me, but you need additional access for this: with Amazon shell access or full admin access it will work.

replied a month ago