Generate New key using ssh-keygen


If you've lost the .pem key for an EC2 instance, you cannot directly recreate or recover the same PEM key for that instance. However, you have several workarounds to regain access to the instance. Here are the common ways:
1. Create a New Key Pair & Replace the Old One via EC2 User Data
- Create a new key pair in AWS (you'll get a new .pem).
- Stop the instance (important: stopping will not delete the instance or its data).
- Detach the root volume of the locked instance.
- Attach the volume to a temporary instance where you have access.
- Mount the volume and update the ~/.ssh/authorized_keys file with the public key of your new key pair.
- Detach the volume and reattach it to the original instance.
- Start the original instance and access it using the new .pem file.
2. Use EC2 Instance Connect (for Amazon Linux 2 or Ubuntu with EC2 Instance Connect enabled)
If the instance supports EC2 Instance Connect and it's enabled, you can use it to log in via the AWS Console without a PEM key. Once in, you can add a new public key to the ~/.ssh/authorized_keys file of the appropriate user.
3. Use Systems Manager (SSM) Session Manager (if preconfigured)
If the instance has the SSM Agent installed, is in a private subnet with SSM access, and is tagged properly:
- You can log in via Session Manager in the AWS Console.
- Once in, add the new public key to authorized_keys.
Summary Table

| Method | Requirement | Root Volume Detach Needed | Key Pair Change Possible? |
|---|---|---|---|
| New Key via Root Volume | Temporary EC2 + key pair access | Yes | Yes |
| EC2 Instance Connect | Instance type support + IAM permission | No | Yes |
| Systems Manager (SSM) | SSM Agent, IAM role, network access | No | Yes |
Best Option: EC2 Instance Connect
Why:
- Simple login via the AWS Console
- No PEM needed
When to use:
- Your instance supports EC2 Instance Connect (Amazon Linux 2/Ubuntu)
- You didn't disable EC2 Instance Connect access
Steps to generate the PEM key for the SSH connection
→ Connect to the instance from the console with the EC2 Instance Connect option.
→ Generate the public and private keys using the command below:
ssh-keygen -t rsa
→ Navigate to the user's .ssh directory (for Ubuntu, /home/ubuntu/.ssh):
cd /home/ubuntu/.ssh/
→ Change the private key format to PEM format:
ssh-keygen -p -m PEM -f id_rsa
→ Attach the public key to the authorized_keys file (append rather than overwrite, so any keys already in the file are kept):
cat id_rsa.pub >> authorized_keys
→ Copy the private key (id_rsa) into a local file and use that local file as the private PEM key to connect via SSH.
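Both the root-volume method and the console procedure above end with the same step: a new public key is added to the user's authorized_keys. The following added example (not from the original post) performs that step as a function that appends instead of overwriting, keeps a backup, and sets the permissions sshd requires; the add_authorized_key name, the paths and the sample key are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: add a new public key to an
# instance's authorized_keys without clobbering the keys already there,
# keeping a backup and setting the permissions sshd requires.
# All paths and the sample key used in the demo below are constructed.

# add_authorized_key AUTHORIZED_KEYS_FILE PUBKEY_FILE
# Appends the key line in PUBKEY_FILE to AUTHORIZED_KEYS_FILE (idempotent).
add_authorized_key() {
    auth_file=$1
    pub_file=$2
    ssh_dir=$(dirname "$auth_file")

    # Refuse anything that is not an OpenSSH public key line; cp would
    # happily install a private key or a typo here.
    key_line=$(head -n 1 "$pub_file")
    if ! printf '%s\n' "$key_line" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "add_authorized_key: $pub_file is not an OpenSSH public key" >&2
        return 1
    fi

    # sshd ignores authorized_keys when ~/.ssh or the file is group/world writable.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Skip keys already present (compare type + key blob; comments may differ).
    key_id=$(printf '%s' "$key_line" | cut -d' ' -f1,2)
    if grep -Fq -e "$key_id" "$auth_file"; then
        return 0
    fi

    # Back up first so a bad edit can be rolled back from the console session,
    # then append: never cp over the file, that removes every other key.
    cp -p "$auth_file" "$auth_file.bak"
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Stand-alone demo in a temp dir; nothing here touches the real ~/.ssh.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotRealxxxxxxxxxxx demo@example\n' \
    > "$demo_dir/new_key.pub"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_dir/new_key.pub"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_dir/new_key.pub"  # no-op on repeat
echo "authorized_keys now holds $(wc -l < "$demo_dir/.ssh/authorized_keys") key(s)"
```

On a root volume mounted at, say, /mnt, point the first argument at /mnt/home/ubuntu/.ssh/authorized_keys and fix ownership with chown afterwards, since files created from the rescue instance belong to its user.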
Written by Dharmendra Chourasiya