What is an SSH key pair?

An SSH key pair, or key pair for short, is a secure authentication method offered by Alibaba Cloud for remote log-on to your Linux instance. It is an alternative to authentication using a username and password.

The cryptography feature uses thepublic key to encrypt data, and then the local client uses the private key to decrypt the data. Together, the public and private keys are known as a key pair.

The Linux ECS instance stores the public key. You use the private key to connect to your instance by entering SSH commands or using other tools, and you no longer need to remember a username and password to log on. Username and password authentication is disabled by ECS once the SSH key pair is enabled to guarantee security.


Compared with typical username and password authentication, SSH key pair has the following benefits:

High security

Using an SSH key pair to log on to a Linux instance is more secure and reliable.

  • A key pair prevents brute force password-cracking attacks.

  • It is impossible to deduce the private key even if the public key is maliciously acquired.

Ease of use
  • You can remotely log on to the instance by configuring the key pair in the ECS console and on the local client. You do not have to enter the password every time you log on.

  • We recommend this method if you maintain multiple ECS instances.


Using an SSH key pair has the following restrictions:

  • Applies only to Linux instances.
  • Alibaba Cloud only supports the creation of 2048-bit RSA key pairs.
    • Alibaba Cloud holds the public key of the key pair.
    • After the key pair is created, you must download and keep the private key for further use.
    • The private key is in the unencrypted PEM-encoded PKCS#8 format.
  • An Alibaba Cloud account can have a maximum of 500 key pairs in a region.
  • A Linux instance can be only bound to one SSH key pair. If a key pair has already been bound to your instance, the new key pair replaces the old one.
  • During the lifecycle of a Linux instance, you can bind or unbind an SSH key pair at any time. After you bind or unbind a key pair, you must restart the instance for the change to take effect.
  • All instances of any instance type family, except for the I/O optimized instances of Generation I, support SSH key pairs.

Create an SSH key pair

To create an SSH key pair, you can use either of the following methods:

  • Create an SSH key pair in the ECS console.
    Once you create a key pair in the ECS console, you must immediately download and keep the private key for further use. If SSH key pair authentication is enabled for an ECS instance, you cannot log on to the ECS instance without the private key of the key pair.
  • Create an SSH key pair by using other key pair builders and import it to ECS.

    The following key types are supported:

    • rsa
    • dsa
    • ssh-rsa
    • ssh-dss
    • ecdsa
    • ssh-rsa-cert-v00@openssh.com
    • ssh-dss-cert-v00@openssh.com
    • ssh-rsa-cert-v01@openssh.com
    • ssh-dss-cert-v01@openssh.com
    • ecdsa-sha2-nistp256-cert-v01@openssh.com
    • ecdsa-sha2-nistp384-cert-v01@openssh.com
    • ecdsa-sha2-nistp521-cert-v01@openssh.com

If your key pair is generated by Alibaba Cloud, you must download the private key and keep it safe. When a key pair is bound to an ECS instance, you cannot log on to that ECS instance if you do not have the private key.

Related operations