Windows Password won't decrypt on AWS EC2 even with the correct private key

Question

I created a new Windows instance on AWS EC2, using a keypair I created by uploading my public key from my local machine.

The instance launched fine, but it won't decrypt the password. It reports:

Private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"

I'm certain I uploaded the correct key. I've verified that the fingerprints match with the weird fingerprint format AWS uses. But it just won't decrypt.

I've tried uploading the key file, and pasting it into the form.

I eventually figured out that it isn't stripping the trailing newline, and deleted the blank line in the key. That just gets me to a new error when I click "Decrypt Password", though:

There was an error decrypting your password. Please ensure that you have entered your private key correctly.

score 28 · Accepted Answer · edited May 23 '17 at 12:41

28

AWS EC2's key management does not cope with SSH private keys that have passwords set (are encrypted). It doesn't detect this, and simply fails with an uninformative error.

If your private key is stored encrypted on disk (like it should be, IMO) you must decrypt it to paste it into AWS's console.

Rather than doing that, consider decrypting the password locally, so you don't have to send your private key to AWS. Get the encrypted password data (base64 encoded) from the server log after startup, or using get-password-data or the corresponding API requests.

You can then base64 decode and decrypt the result:

base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

(OpenSSH private keys are accepted by openssl rsautl).

The issue with failing to handle password protected keys with a useful error also affects the ec2-get-password command.

See also:

EC2 Windows - Get Administrator Password
decrypt password with OpenSSL
bug report on AWS forums - please chime in.

edited May 23 '17 at 12:41

Community

1

answered Jun 10 '14 at 04:44

Craig Ringer

11,243

1

Thanks. Here is a complete command line that I use, following your suggestions:
aws ec2 get-password-data "--instance-id=${instance_id}" | jq -r .PasswordData | base64 -D | openssl rsautl -decrypt -inkey ${my_key}

(uses aws-cli and jq).
– Ben Butler-Cole Mar 07 '16 at 09:33
base64 complains about -d so -D works for me. im on OS X – Saad Masood Sep 15 '16 at 12:41
3

In OS X, I'd add one more command to that pipe: aws ec2 get-password-data "--instance-id=${instance_id}" | jq -r .PasswordData | base64 -D | openssl rsautl -decrypt -inkey ${my_key} | pbcopy
...which sends the password straight to your clipboard.
– Mark Maglana Dec 22 '16 at 01:59
1

This should be marked as the correct answer IMHO. Since the others answer are a bit insecure compared to this one – webofmars Nov 14 '18 at 16:19
When it says "OpenSSH private keys are accepted" it specifically means those that read BEGIN RSA PRIVATE KEY if it says BEGIN OPENSSH PRIVATE KEY you probably need to convert it to PEM format first. – dragon788 Sep 16 '20 at 16:43

score 5 · Answer 2 · answered May 13 '18 at 17:47

5

This is what worked for me in macOS:

openssl rsa -in $HOME/.ssh/aws-remote -out /Users/home/desktop/unencrypted-rsa.txt

It's noting that you can tell if your .pem file is encrypted with a password by looking for the following line. If it's present, you need to decrypt it before using it with Amazon:

Proc-Type: 4,ENCRYPTED

answered May 13 '18 at 17:47

Django Reinhardt

2,293

For me it was the solution. The AWS UI doesn't detect that the key was passphrase protected and then you need to decrypt it before. This is kind of insecure though. So remove the decrypted file afterwards. – webofmars Nov 14 '18 at 16:17

score 4 · Answer 3 · answered Mar 31 '16 at 19:15

4

Without the use of jq, this is still possible but requires some additional parsing of the returned data.

aws ec2 get-password-data "--instance-id=${instance_id}" --query 'PasswordData' | sed 's/\"\\r\\n//' | sed 's/\\r\\n\"//' | base64 -D | openssl rsautl -inkey ${my_key} -decrypt

answered Mar 31 '16 at 19:15

Ben

41

Worked great, on WSL Ubuntu I had to use base64 -d rather than -D. – Seth Stone Nov 08 '19 at 18:41
You can also try | tr -d '[:space:]' | to get rid of all the whitespace characters leaving you with only the encrypted password data which you can then decrypt. – dragon788 Sep 10 '20 at 17:59

score 3 · Answer 4 · answered Oct 13 '15 at 18:25

3

On my Mac, the command-line arguments for base64 are different.

This worked for me:

base64 -D -i /tmp/file | openssl rsautl -decrypt -inkey /path/to/key.pem

answered Oct 13 '15 at 18:25

Dan

176

score 1 · Answer 5 · edited Jan 26 '21 at 15:32

1

The most straightforward option lays in the get-password AWS documentation link posted above:

aws ec2 get-password-data --instance-id  i-1234567890abcdef0 --priv-launch-key C:\Keys\MyKeyPair.pem

Also, take this into account:

Important

The private key must be in the PEM format. For example, use ssh-keygen -m PEM to generate the OpenSSH key in the PEM format.

edited Jan 26 '21 at 15:32

Andrew Schulman

8,916

answered Jan 26 '21 at 12:59

Felipe Zipitria

11

score -1 · Answer 6 · answered Sep 21 '18 at 08:33

-1

go to ec2 dashboard
delete the existing key
create a new key pair
choose a name
download and keep it in local
launch instance and download your copy of windows instance
name the new keypair with name used in step 4
use this newly generated key to decrypt password

this will work

answered Sep 21 '18 at 08:33

Arun Mohan

101

1

Yes, it'll work. But it also kind of misses the point - I'm explaining the case where you upload a local key. – Craig Ringer Sep 21 '18 at 13:14

Windows Password won't decrypt on AWS EC2 even with the correct private key

6 Answers6

Linked