Home / server / Questions / 603984
Accepted
Craig Ringer
Asked: 2014-06-10 20:44:36 +0800 CST

Windows Password won't decrypt on AWS EC2 even with the correct private key

  • 772

I created a new Windows instance on AWS EC2, using a keypair I created by uploading my public key from my local machine.

The instance launched fine, but it won't decrypt the password. It reports:

Private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"

I'm certain I uploaded the correct key. I've verified that the fingerprints match with the weird fingerprint format AWS uses. But it just won't decrypt.

I've tried uploading the key file, and pasting it into the form.

I eventually figured out that it isn't stripping the trailing newline, and deleted the blank line in the key. That just gets me to a new error when I click "Decrypt Password", though:

There was an error decrypting your password. Please ensure that you have entered your private key correctly.

windows

6 Answers

  1. Best Answer

    AWS EC2's key management does not cope with SSH private keys that have passwords set (are encrypted). It doesn't detect this, and simply fails with an uninformative error.

    If your private key is stored encrypted on disk (like it should be, IMO) you must decrypt it to paste it into AWS's console.

    Rather than doing that, consider decrypting the password locally, so you don't have to send your private key to AWS. Get the encrypted password data (base64 encoded) from the server log after startup, or using get-password-data or the corresponding API requests.

    You can then base64 decode and decrypt the result:

    base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

    (OpenSSH private keys are accepted by openssl rsautl).

    The issue with failing to handle password protected keys with a useful error also affects the ec2-get-password command.

    See also:

    • 27

  2. This is what worked for me in macOS:

    openssl rsa -in $HOME/.ssh/aws-remote -out /Users/home/desktop/unencrypted-rsa.txt

    It's noting that you can tell if your .pem file is encrypted with a password by looking for the following line. If it's present, you need to decrypt it before using it with Amazon:

    Proc-Type: 4,ENCRYPTED
    • 5

  3. Without the use of jq, this is still possible but requires some additional parsing of the returned data.

    aws ec2 get-password-data "--instance-id=${instance_id}" --query 'PasswordData' | sed 's/\"\\r\\n//' | sed 's/\\r\\n\"//' | base64 -D | openssl rsautl -inkey ${my_key} -decrypt
    • 4

  4. On my Mac, the command-line arguments for base64 are different.

    This worked for me:

    base64 -D -i /tmp/file | openssl rsautl -decrypt -inkey /path/to/key.pem
    • 2

  5. The most straightforward option lays in the get-password AWS documentation link posted above:

    aws ec2 get-password-data --instance-id  i-1234567890abcdef0 --priv-launch-key C:\Keys\MyKeyPair.pem

    Also, take this into account:

    Important

    The private key must be in the PEM format. For example, use ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.

    • 1
    1. go to ec2 dashboard
    2. delete the existing key
    3. create a new key pair
    4. choose a name
    5. download and keep it in local
    6. launch instance and download your copy of windows instance
    7. name the new keypair with name used in step 4
    8. use this newly generated key to decrypt password

    this will work

    • -1