Most people log into their servers over SSH with a password. SSH keys are the better option: they let you log in without remembering or typing a password, and a key can't be guessed or phished the way a password can. To use them, you first generate a public/private key pair on your own computer (not on the server; the private half should never leave the machine it was created on), for example with ssh-keygen -t rsa -b 4096.

The -t option tells ssh-keygen what type of key to create: rsa, ecdsa or ed25519 (dsa still shows up in old documentation, but DSA keys are obsolete and have been disabled by default since OpenSSH 7.0). The -b option sets the key size in bits, not bytes; current OpenSSH defaults to 3072 bits for RSA (older releases used 2048), and 4096 is a reasonable choice. Ed25519 keys have a fixed size and take no -b.

ssh-keygen writes the pair to ~/.ssh (id_rsa and id_rsa.pub for an RSA key). Keep the private key there with mode 0600 and don't copy it to shared storage or a cloud bucket; the public key is the part you copy around, into the authorized_keys file of every server you want to reach. Finally, load the private key into your SSH agent so you aren't prompted for it on every connection: open a terminal and run ssh-add ~/.ssh/id_rsa.


When you launch a new instance in EC2, you can download a PEM file containing the private key of the key pair you chose; AWS installs the matching public key in the default user's authorized_keys on the instance. That PEM file is your only credential for the first SSH login (AWS won't let you download it again later), so you'll want to add it to your keychain for easy access.

How To Use Your PEM File

You can use a PEM file manually by passing its path to ssh with the -i flag.
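The manual login, as an added example rather than the article's own snippet. The wrapper first checks the permissions ssh insists on: a private key readable by group or others is rejected with "WARNING: UNPROTECTED PRIVATE KEY FILE!", which is the usual first hurdle with a freshly downloaded .pem. Key path, user name and host name are placeholders.

```shell
# Added example, not code from the original article: log in with an AWS PEM
# file via `ssh -i`, after making sure the key has the permissions ssh demands.
# Key path, user and host below are placeholders.

# key_perms_ok FILE: return 0 if the mode has no group/other bits (0600/0400).
# Parses `ls -l` instead of `stat`, whose flags differ between Linux and macOS.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-------
    case "$mode" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_key_perms FILE: tighten to 0600 if needed; fail if the file is missing.
ensure_key_perms() {
    [ -f "$1" ] || { echo "no such key file: $1" >&2; return 1; }
    key_perms_ok "$1" || chmod 600 "$1"
}

# pem_ssh KEY USER HOST: the manual `ssh -i` login from the article.
pem_ssh() {
    ensure_key_perms "$1" && ssh -i "$1" "$2@$3"
}

# Usage (placeholder host; the login name depends on the AMI, e.g. ec2-user
# for Amazon Linux or ubuntu for Ubuntu):
#   pem_ssh ~/.ssh/my-aws-key.pem ec2-user ec2-203-0-113-10.compute-1.amazonaws.com
```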

This is unwieldy to type every time, so there are a few ways to fix this.

The simplest method is to add your own public key to the EC2 instance and ignore the PEM file for all future logins. Your public key is usually stored in ~/.ssh/id_rsa.pub (or id_ed25519.pub); append its single line to the ~/.ssh/authorized_keys file on the server, keeping ~/.ssh at mode 0700 and authorized_keys at 0600, since sshd ignores the file otherwise when StrictModes is on. If you're a one-person team running a single server and don't mind doing this for each new one, this is all you have to do.
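A way to do that install step from the server side, as an added example (not the article's own commands): it behaves like ssh-copy-id but is idempotent, sets the modes sshd requires, and matches on the key blob rather than the whole line, so a changed comment or an options prefix such as from="..." on an existing line does not produce duplicates. The key line used in the usage comment is constructed for illustration and is not a real key.

```shell
# Added example, not the article's own commands: append a public key to
# authorized_keys idempotently, with ~/.ssh at 0700 and the file at 0600.
# Input is a plain id_*.pub line ("TYPE BLOB [COMMENT]"); existing lines that
# carry options before the key type are still recognised.

# install_pubkey AUTHORIZED_KEYS_FILE "TYPE BLOB [COMMENT]"
# Prints "added" or "present".
install_pubkey() {
    akfile=$1; pubkey=$2
    keyblob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    sshdir=$(dirname "$akfile")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile"
    if [ "$(count_key "$akfile" "$keyblob")" -gt 0 ]; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$akfile"
        echo added
    fi
}

# count_key FILE BLOB: number of lines in FILE carrying BLOB in any field
# (authorized_keys lines may start with options before the key type).
count_key() {
    awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) { n++; break } } END { print n + 0 }' "$1"
}

# Usage on the instance, after copying your id_*.pub over as text
# (placeholder path; the blob is constructed, not a real key):
#   install_pubkey ~/.ssh/authorized_keys "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlob alice@laptop"
```

If you'd rather push from your workstation, ssh-copy-id can authenticate with the PEM while installing your own key: ssh-copy-id -i ~/.ssh/id_rsa.pub -o IdentityFile=~/.ssh/my-aws-key.pem ec2-user@host (paths are placeholders). It is not idempotent in the same way, so check authorized_keys if you run it twice.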

However, you'll have to go through this process each time you create a new instance. With PEM files, on the other hand, you can reuse one key pair between instances. They're also independent of your personal private keys, so you can hand one to other people who need SSH access. Bear in mind what that costs you: everyone sharing the key is indistinguishable in the server's logs, and revoking one person's access means rotating the key on every instance. Where you can, prefer adding each person's own public key to authorized_keys instead.

The ssh-add command stores a key in your SSH agent, where it stays loaded until you log out or the agent is killed.

However, the agent forgets its keys when your session ends, so you'll need to run ssh-add again after every reboot, which isn't ideal. You can add the ssh-add line to your ~/.bashrc or ~/.bash_profile so it runs every time you open a terminal, which solves the issue. Make sure to redirect its output to /dev/null to silence it, or you'll see "Identity added" every time you open a terminal; ssh-add prints that message to stderr, so redirect both streams (>/dev/null 2>&1). On OpenSSH 7.2 and newer there is a tidier alternative: put AddKeysToAgent yes in ~/.ssh/config and ssh will add a key to the agent the first time it's used.
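A ~/.bashrc fragment that does this properly, as an added example and not the article's own snippet: it only calls ssh-add when the agent does not already hold the key, so reopening a terminal neither stacks duplicate identities nor prints "Identity added", and it starts an agent only when none is reachable. The key path is a placeholder.

```shell
# Added example, not the article's own snippet: load an AWS PEM key into
# ssh-agent when a shell starts, only if it is not already loaded.
# The key path in the usage comment is a placeholder.

# key_is_loaded FINGERPRINT LISTING
# LISTING is the output of `ssh-add -l`: one "BITS FINGERPRINT COMMENT (TYPE)"
# line per loaded key. Returns 0 if FINGERPRINT is the second field of any line.
key_is_loaded() {
    printf '%s\n' "$2" | awk -v fp="$1" '$2 == fp { found = 1 } END { exit !found }'
}

# key_fingerprint KEYFILE: the SHA256 fingerprint, in the form ssh-agent reports.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# ensure_key_in_agent KEYFILE: start an agent if none is reachable, then add
# the key unless the agent already has it.
ensure_key_in_agent() {
    key=$1
    ssh-add -l >/dev/null 2>&1
    status=$?
    # ssh-add -l exits 1 when the agent holds no keys (fine) and 2 when no
    # agent can be contacted; only the latter calls for starting one.
    if [ "$status" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    if ! key_is_loaded "$(key_fingerprint "$key")" "$(ssh-add -l 2>/dev/null)"; then
        ssh-add "$key" >/dev/null 2>&1
    fi
}

# Put this at the end of ~/.bashrc or ~/.bash_profile (placeholder path):
#   ensure_key_in_agent ~/.ssh/my-aws-key.pem
```

On macOS, launchd already runs an agent for your login session, so the start-an-agent branch rarely fires there; on a Linux box without a desktop session it prevents the "Could not open a connection to your authentication agent" failure.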


Store SSH Keys In macOS Keychain

If you're on macOS, you can have ssh keep additional keys' passphrases in the macOS Keychain and load the keys automatically. Open up ~/.ssh/config and add a Host * block that sets UseKeychain yes and AddKeysToAgent yes and lists the PEM file (alongside ~/.ssh/id_rsa) as an IdentityFile.

You can now add keys with ssh-add --apple-use-keychain (on macOS releases before Monterey the flag was spelled -K).

The keys will then persist across reboots and be loaded automatically, just like ~/.ssh/id_rsa. Be clear about what is stored where, though: the Keychain holds a key's passphrase, while the key file itself stays in ~/.ssh. An AWS PEM file has no passphrase, so for it the persistence comes from the IdentityFile line, which makes ssh read it from disk on each connection, with AddKeysToAgent putting it in the agent on first use. If you want the Keychain to look after it like your other keys, give it a passphrase first with ssh-keygen -p -f ~/.ssh/my-aws-key.pem (path is an example) and then run ssh-add --apple-use-keychain on it.
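The config change and the ssh-add call together, as an added example that is not the article's own snippet. The stanza is written once (a marker comment makes the function safe to rerun) and appended at the end of the file, which is where a Host * block belongs: ssh keeps the first value it sees for each option, so a trailing Host * supplies defaults without overriding more specific Host blocks above it. IgnoreUnknown stops ssh on Linux from choking on the macOS-only UseKeychain if you sync the same config between machines. Paths are placeholders.

```shell
# Added example, not the article's own snippet: append a Keychain-aware
# "Host *" stanza to ~/.ssh/config and add the key. Paths are placeholders.

# write_keychain_config CONFIG_FILE PEM_FILE
write_keychain_config() {
    cfg=$1; pem=$2; marker='# added by write_keychain_config'
    mkdir -p "$(dirname "$cfg")" && chmod 700 "$(dirname "$cfg")"
    [ -f "$cfg" ] || : > "$cfg"
    chmod 600 "$cfg"
    grep -qF "$marker" "$cfg" && return 0     # already written: nothing to do
    {
        printf '\n%s\n' "$marker"
        printf 'Host *\n'
        printf '  AddKeysToAgent yes\n'        # load a key into the agent on first use
        printf '  IgnoreUnknown UseKeychain\n' # non-macOS ssh skips the next line
        printf '  UseKeychain yes\n'           # macOS: passphrases from Keychain
        printf '  IdentityFile ~/.ssh/id_rsa\n'
        printf '  IdentityFile %s\n' "$pem"
    } >> "$cfg"
}

# add_key_to_keychain PEM_FILE: Monterey and later spell the flag
# --apple-use-keychain; older releases used -K.
add_key_to_keychain() {
    ssh-add --apple-use-keychain "$1" 2>/dev/null || ssh-add -K "$1"
}

# Usage (placeholder path):
#   write_keychain_config ~/.ssh/config ~/.ssh/my-aws-key.pem
#   add_key_to_keychain ~/.ssh/my-aws-key.pem
```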

Replace id_rsa With Your New Key

While this option does work, it's not something we recommend. But if for some reason you really want your AWS private key to be your personal private key, you can replace id_rsa with the PEM file from AWS. id_rsa is loaded by default, so ssh will offer this key to every server you connect to.

Make absolutely certain you aren't using your current private key for anything (SSH to other servers, GitHub, etc.). Even if you think you aren't, back up both halves of your current key pair (id_rsa and id_rsa.pub) before proceeding.

Despite what older guides say, the AWS PEM file does not need converting with OpenSSL. It is a PKCS#1 RSA private key in PEM encoding, and OpenSSH reads that format directly; the ssh -i login earlier in this article relies on exactly that. What it does need is mode 0600, or ssh will refuse to use it.

You then need the corresponding public key in authorized_keys format. ssh-keygen derives it from the private key with ssh-keygen -y -f path/to/key.pem, whose output is the single line that goes in id_rsa.pub. OpenSSL's -pubout would give you a PEM-encoded public key instead, which is not the format ssh and authorized_keys use.

Then, making sure you've backed up your old id_rsa and id_rsa.pub, copy the PEM file to ~/.ssh/id_rsa and the derived public key to ~/.ssh/id_rsa.pub (modes 0600 and 0644 respectively). Since this key is now your everyday identity, consider giving it a passphrase with ssh-keygen -p -f ~/.ssh/id_rsa.
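The whole procedure in one place, as an added example and not the article's own commands: back up the current pair with a timestamp, check that the PEM is really an unencrypted private key, install it with the mode ssh requires, and derive id_rsa.pub with ssh-keygen. Paths are placeholders, and the PEM contents in the test are constructed, not a real key.

```shell
# Added example, not the article's own commands: replace ~/.ssh/id_rsa with an
# AWS PEM key without losing the old pair. No OpenSSL step is involved; OpenSSH
# reads the PKCS#1 PEM AWS issues as-is. Paths are placeholders.

# is_private_key_pem FILE: return 0 if the first line is a private-key header
# OpenSSH accepts (traditional PKCS#1, PKCS#8, or OpenSSH's own format).
is_private_key_pem() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----'|'-----BEGIN OPENSSH PRIVATE KEY-----') return 0 ;;
        *) return 1 ;;
    esac
}

# backup_keypair SSHDIR NAME: copy NAME and NAME.pub to NAME.bak-TIMESTAMP and
# NAME.pub.bak-TIMESTAMP, preserving modes. Missing files are skipped.
# Prints the timestamp used so the caller can name the backups.
backup_keypair() {
    dir=$1; name=$2; ts=$(date +%Y%m%d%H%M%S)
    for f in "$name" "$name.pub"; do
        if [ -f "$dir/$f" ]; then cp -p "$dir/$f" "$dir/$f.bak-$ts"; fi
    done
    printf '%s\n' "$ts"
}

# replace_id_rsa SSHDIR PEM_FILE: the article's procedure end to end.
replace_id_rsa() {
    dir=$1; pem=$2
    is_private_key_pem "$pem" || { echo "not a private key: $pem" >&2; return 1; }
    ts=$(backup_keypair "$dir" id_rsa)
    cp "$pem" "$dir/id_rsa" && chmod 600 "$dir/id_rsa"
    # Recompute the authorized_keys-format public key from the private key,
    # writing to a temp file so a failure does not leave an empty id_rsa.pub.
    if ssh-keygen -y -f "$dir/id_rsa" > "$dir/id_rsa.pub.tmp"; then
        mv "$dir/id_rsa.pub.tmp" "$dir/id_rsa.pub" && chmod 644 "$dir/id_rsa.pub"
    else
        rm -f "$dir/id_rsa.pub.tmp"
        echo "could not derive public key; old pair is in id_rsa.bak-$ts" >&2
        return 1
    fi
    echo "replaced id_rsa; previous pair saved as id_rsa.bak-$ts and id_rsa.pub.bak-$ts"
}

# Usage (placeholder path):
#   replace_id_rsa ~/.ssh ~/Downloads/my-aws-key.pem
```

Adding a passphrase afterwards (ssh-keygen -p -f ~/.ssh/id_rsa) is the one extra step worth taking, since the key now stands in for you everywhere ssh is used.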