3 Approaches for Recovering a Linux Instance Key Pair

Overview

Key-Pairs are safe login credentials for your virtual machines. You can utilize Key-Pairs, which come with a Public Key and a Private Key, to connect to the instances. The Key-Pairs are password-protected login credentials for the Virtual Machines used to verify our identity while connecting the Amazon EC2 instances.

A key pair is created when we launch any EC2 instance in AWS and is used to SSH into the instance. If we lose the Key pair, we cannot SSH into that instance.

In this blog, we’ll go over three approaches. Any Linux instance can be recovered if the key pair is lost using the methods listed below.

Customized Cloud Solutions to Drive your Business Success

Cloud Migration
Devops
AIML & IoT

Know More

Method 1 - EC2 Instance Connect

When you use EC2 Instance Connect to an instance, the Instance Connect API publishes a single-use SSH public key to the instance’s metadata, which stays for 60 seconds.

Security is increased because, after 60 seconds, we cannot locate the key on the server. When connecting to your instances using Secure Shell, Amazon EC2 Instance Connect provides a quick and safe option (SSH).

The Following Steps are required to connect to the instance by EC2 Instance Connect:

Step 1 – Go to the EC2 service in AWS Console, select the instance, and click on connect.

Step 2 – Select the EC2 Instance Connect Tab and click on Connect.

m1step2

Step 3 – A new tab will open, and when it does, we will see a command prompt showing that we have successfully logged into the instance.

m1step3

Method 2 - Volume Exchange

The root volume of each instance contains the authorized key. This key is used to authorize SSH connections to instances when we attempt to do so. It is kept in “/home/ec2-user/.ssh/authorized keys” in the Linux AMI.

We must swap out the previously authorized key for the new authorized key to recover the instance. So that we can use a new Key Pair to SSH into the instance.

Step 1 – Stop the instance whose key pair was lost, then detach the associated volume.

m2step1

Step 2 – Launch a new instance in the same region and create a new key pair for this instance.

Step 3 – Attach the Old volume to the newly launched instance.

m2step3

m2step3b

Step 4 – SSH into the newly launched instance.

Step 5 – Run the following command to mount the old volume into this new instance.

sudo mount -o rw,nouuid /dev/xvdf1 /mnt

1	sudo mount -o rw,nouuid /dev/xvdf1 /mnt

Step 6 – To copy this new instance’s authorized key to the old instance’s volume, run the following command.

cat /home/ec2-user/.ssh/authorized_keys >> /mnt/home/ec2-user/.ssh/authorized_keys

1	cat /home/ec2-user/.ssh/authorized_keys >> /mnt/home/ec2-user/.ssh/authorized_keys

Step 7 – Use the following command to unmount the previous volume for this instance.

umount /mnt

1	umount /mnt

Step 8 – After that, detach the old volume from the new instance and reattach this volume to the previous one (old instance), giving the device the name “/dev/xvda”.

m2step8

Step 9 – Start the old instance. Once the old instance runs, we may SSH into it using the newly created key pair for the new instance.

Method 3 - Create AMI and launch another Instance

An instance launch requires the information contained in an Amazon Machine Image (AMI), a supported and maintained image offered by AWS. When launching an instance, you must provide an AMI. When several instances with the same configuration are needed, you can launch them all from a single AMI. When launching instances, you can choose from various AMIs depending on the configuration of the instances you need.

The following steps are required to build an AMI of an already-launched instance and launch a new instance using that AMI:

Step 1 – Stop the instance, choose it, and select Actions -> Image and Templates -> Create Image

m3step1

Step 2 – Enter the Image name and click on Create Image.

m3step2

Step 3 – Go to the AMI section, choose the currently created AMI image, and click “Launch Instance from AMI.”

m3step3

Step 4 – Launch the Instance with the required configuration and create a new key pair for this instance.

Step 5 – The root volume’s configuration and contents are copied to this newly launched instance. Consequently, we may terminate the old instance and use this one with the new key pair.

Conclusion

This blog covered three simple ways to restore the Linux instance if the Key Pair is lost. There are numerous additional methods for connecting to an instance without Key Pair (PEM file), including turning on password authentication in the instance so that users can log in using their password and SSM session manager.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

Cloud Training
Customized Training
Experiential Learning

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. If I lose the Key Pair, can I download it via the AWS Console?

ANS: – No, it is available for download from the AWS console at the moment of creation.

2. How many Key pairs can we create in any region?

ANS: – We can create a maximum of 5000 Key Pairs per region.

WRITTEN BY Rohit Lovanshi

Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.