What is an SSH key pair?
An SSH key pair, or key pair for short, is a secure authentication method provided by Alibaba Cloud for remote log-on to your Linux instance. It is an alternative to authentication using a user name and password.
The key pair is composed of a public key and a private key. The asymmetric cryptography feature uses the public key to encrypt data, and the local client uses the private key to decrypt the data.
The Linux ECS instance stores the public key. You use the private key to connect to your instance by entering SSH commands or using other tools. User name and password authentication is disabled by ECS once the SSH key pair is enabled to guarantee security.
Compared with typical user name and password authentication, an SSH key pair has the following benefits:
- Using an SSH key pair to log on to a Linux instance is more secure and reliable.
- A key pair prevents brute force attacks targeted at password cracking.
- Due to the complexity of RSA encryption, the private key cannot be deduced even if the public key is maliciously acquired.
- You can log on remotely to an instance by configuring the key pair in the ECS console and on the local client, meaning you do not need to enter a password every time you log on. We recommend this method if you maintain multiple ECS instances.
Using an SSH key pair has the following restrictions:
- Applies only to Linux instances.
- Alibaba Cloud only supports the creation of 2048-bit RSA key pairs.
- Alibaba Cloud holds the public key of the key pair.
- After the key pair is created, you must download and securely store the private key.
- The private key is in the unencrypted PEM-encoded
- Each Alibaba Cloud account can have a maximum of 500 key pairs per region.
- Only one SSH key pair can be added to a Linux instance at a time. If a key pair has already been added to your instance, the new key pair replaces the old one.
- During the lifecycle of a Linux instance, you can add or remove an SSH key pair at any time. After you add or remove a key pair, you must restart the instance for the change to take effect.
- All instances of any instance type family, except for the I/O optimized instances of Generation I, support SSH key pairs.
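Because the downloaded private key is unencrypted and must be stored securely, a local check of the key file is useful. The following is an added example, not Alibaba Cloud code: it reports loose file permissions and a missing passphrase, and it also recognizes OpenSSH-format keys produced by other tools. The function names are assumptions made for this example.

```python
import base64
import os
import stat
import struct

# Markers of a passphrase-protected PEM key (PKCS#8 header, legacy OpenSSL header).
PEM_ENCRYPTED = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")
OPENSSH_MAGIC = b"openssh-key-v1\0"


def is_encrypted(text):
    """Return True/False for a recognised private key, None if none is found."""
    if "PRIVATE KEY-----" not in text:
        return None
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        # OpenSSH container: cipher name follows the magic, length-prefixed.
        body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            off = len(OPENSSH_MAGIC)
            (n,) = struct.unpack(">I", blob[off:off + 4])
        except (ValueError, struct.error):
            return None  # damaged or truncated file
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        return blob[off + 4:off + 4 + n] != b"none"
    return any(marker in text for marker in PEM_ENCRYPTED)


def audit_private_key(path):
    """Return a list of findings for a private key file stored on the client."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} allows access by group or others")
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        state = is_encrypted(fh.read())
    if state is None:
        findings.append("no private key found in file")
    elif state is False:
        findings.append("key is unencrypted: file permissions are its only protection")
    return findings


def lock_down(path):
    """Restrict the key to owner read-only; OpenSSH rejects keys others can read."""
    os.chmod(path, 0o400)
```

Call `audit_private_key()` on the downloaded `.pem` file, then `lock_down()` if a permissions finding is reported.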
Create an SSH key pair
To create an SSH key pair, you can use either of the following methods:
- Create an SSH key pair in the ECS console.
  Note: Once you create a key pair in the ECS console, you must immediately download and securely store the private key for later use. If SSH key pair authentication is enabled for an ECS instance, you cannot log on to the ECS instance without the private key of the key pair.
- Create an SSH key pair by using other key pair builders and import it to ECS.
The following key types are supported:
- If you do not have an SSH key pair, you can create an SSH key pair.
- If you have created an SSH key pair by using another tool, you can import an SSH key pair.
- If you do not need a key pair, you can delete an SSH key pair.
- If you want to enable or disable SSH key pair authentication for logging on to a Linux ECS instance, you can add or remove an SSH key pair.
- You can allocate an SSH key pair when creating an ECS instance.
- You can log on to an instance by using an SSH key pair.