Security optimize

Connect to Amazon EC2 with a private key using PuTTY and Pageant

Nick Hardiman shows you how to set up a secure connection to an Amazon EC2 machine using PuTTY and Pageant to handle your private key.

Last time, I created a virtual machine using the AWS console. Amazon people call this "launching an instance". The only way of talking to my new EC2 machine is by following the SSH (Secure SHell) protocol.

My new machine is running an SSH service. I must use an SSH client to connect to it. There is no other way in. It is not running any web interface or fancy GUI, and it won't talk any older protocol like telnet, ftp or - God forbid - rlogin.

I need an SSH client that will run on my Microsoft OS. Most people in the world typing away at computers are running a Microsoft OS - probably Windows 7 or XP. I use it at work. If Linux dominated the world, I could use OpenSSH but business desktop reality still has Microsoft at its heart.

Simon Tatham's PuTTY is my favourite Windows SSH client. AWS people use PuTTY. It is free, it does everything I need, and it is stable. In the past, I used a few other open source clients with Windows, like OpenSSH and TeraTerm, and some closed source ones, such as MindTerm, SecureCRT, and Tectia SSH. Is it my imagination, or is mixing caps important when naming an SSH application?

Install PuTTY

This installs the SSH client and a collection of related goodies.

I follow this procedure about once a year. That's the frequency I trash an OS and have to re-install everything.

  1. Open a web browser.
  2. Go to the URL PuTTY's download page appears. The page contains a list of binary and source code files. Each file has some additional nerdy links you don't usually see on a download page: an option to download using FTP instead of HTTP, and two digital signature files. If I was keen, I could use these signatures to make sure no evil hacker has replaced the Windows installer with the "U-Hack Identity Theft" application. I have never been that keen.
  3. Download the version you want. The one I am interested in is the Windows installer "putty-0.61-installer.exe".
  4. Install.

The PuTTY application is now ready to roll. Before I can use it to talk to my EC2 machine, I must convert my private key to a PuTTY-friendly format and load the key into the SSH authentication agent.

Copy from the PEM file to a PPK file using PuTTYgen.

When I created my first EC2 machine the AWS console gave me a private key to save. The private key I downloaded is in a format called PEM (Privacy-Enhanced Mail - that "mail" word gives you a clue about why the PEM format was invented).

PuTTY can't use PEM files. It only understands its own PPK format. I can translate the PEM file to a PuTTY-format PPK file using PuTTYgen.

  1. Open PuTTYgen. Either click on Start | All Programs | PuTTY | PuTTYgen or type c:\program files\putty\puttygen.exe. The PuTTY Key Generator window appears. It has three panes: Key, Actions and Parameters.
  2. Find the private key PEM file. Click Conversions | Import key. A "Load private key" file browser opens.
  3. Open the PEM file. The Key pane changes from the words "No key" to a lot of attributes and values: public key, private key fingerprint, comment, and passphrase.
  4. Change the comment from "imported-openssh-key" to the name of your AWS keypair. I chose "aws-privkey-for-planetlarg".
  5. Pick a passphrase. A passphrase is like a password, but you are not limited to just one word. "D!ff1cul7 t0 Rem3mber." is a passphrase.
  6. Enter the passphrase twice, to test your typing skills.
  7. Create the PPK file. Click the "Save private key" button. PuTTYgen encrypts your private key, using your passphrase to scramble it, then writes the new binary file to disk.

Load the PPK file into Pageant, the SSH authentication agent

The PuTTY application comes with an SSH authentication agent called Pageant. The only purpose of Pageant is to keep all my private keys ready for PuTTY to use. PuTTY needs my AWS private key when it connects to my EC2 machine.

Pageant is a time saver: I can log into my machine many times during the day without typing my passphrase. I repeat this procedure every time I boot my computer, at the start of my working day.

  1. Open Pageant. Either click on Start | All Programs | PuTTY | Pageant or type c:\program files\putty\pageant.exe. An icon of a PC with a hat on appears in the systray. Nothing else happens.
  2. Open Pageant's context menu. Right click on the icon. A few session and key options appear.
  3. Find your new private key file. Click "Add Key". A file browser opens.
  4. Open your PPK file. An "Enter Passphrase" dialog box appears.
  5. Enter your passphrase. If you chose something really obscure, you may now be regretting your decision.
  6. Click OK. The dialog box disappears.
  7. Check your work. Double click on the systray icon and the "Pageant Key List" window appears. There is one line in the list box that looks something like this:

    ssh-rsa   2048   12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef   aws-privkey-for-planetlarg

    Those four fields are type of key, size in bits, fingerprint, and comment.
  8. Close the window. Pageant is still running, waiting to help PuTTY behind the scenes.


Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the ...


PuTTY was forked and improved to make another app called KiTTY. (A Google search will find it & explain all the improvements.) You can copy 'kitty.exe' in place of 'putty.exe' and Pageant will be able to use it as though it were PuTTY. What's also powerful is go the next step and use KiTTY + Pageant + CygWin (and some Windows configuring in Task Scheduler) to also launch an SSH daemon on your Windows machine when it starts up. What does that do? Something that's taken for granted by Linux users: It allows you to SSH *into* your Windows machine (from another Windows machine, a Mac, a Linux box, etc.) to get a command prompt. Bonus: It also allows you to quick-launch WinSCP to open a browser for transferring files between your machine and the remote Windows box after you connect. And by using PPK keys, you can do all this without having to type in passwords each time. (Pageant acts as a key agent to automatically authenticate you each time you connect from a known safe account.)