By default, EC2 Linux instances are accessed with an SSH key pair: SSH is enabled, but SSH password authentication is disabled, so the private key is the only credential you have. So what happens if you lose the private key of your Linux instance? Here are a few things you should know before proceeding:
- You cannot recover the private key for a Linux instance if you chose Instance Store as its Root Device Type.
- You can still connect to and access your Linux instance after losing the private key if you chose EBS as its Root Device Type.
Keeping the above guidelines in mind, let's begin the whole process: how can we connect to an EC2 Linux instance if we lost the private key?
You need to perform the following steps to connect to an EC2 Linux instance if the private key is lost:
- Stop the EC2 Linux Instance
- Detach the Root Volume
- Launch a New Temporary Instance
- Attach the Root Volume to New Instance
- Modify the authorized_keys File
- Reattach the Root Volume to the Original Instance
- Start and Connect to the Original Instance with the New Private Key
Before starting this exercise, we need to note down the following key information:
- Instance ID, AMI ID, and Availability Zone of original Instance
- Name of Root Device volume such as /dev/sda1
- Volume ID of Root Volume
Stopping Original EC2 Linux Instance
- To stop an EC2 instance, log in to the AWS console and select the instance.
- Right-click the instance, select Instance State and then select Stop.
Launching New Temporary Instance
In this task, we need to create a new EC2 instance with exactly the same settings and in the same Availability Zone as the original instance.
- Instance Name: Temporary
- AMI: Same as original instance
- Security Group: Select same Security Group that is attached to the original instance
- Key pair: Create a new key pair, name it new-key-pair.pem and store it in a safe location
Note: Refer to this article if you face any issue while creating and launching the instance.
Detaching Root Volume from Original Instance
To detach a root volume, you need to perform the following steps:
- Select Volumes in the left pane and type the volume ID of the original instance's root volume in the search box.
- Select the Root Volume, click Actions and then select Detach Volume, as shown in the following figure.
- On the warning message box, click Yes, Detach.
Attaching Root Volume to Temporary Instance
We assume the Root Volume you detached in the previous steps is still selected. To attach it to the Temporary instance, perform the following steps:
- Click Actions and then select Attach Volume.
- In the Attach Volume dialog box, type the new instance name “Temporary” in the Instance box. Alternatively, you can type the instance ID if you remember it or noted it down somewhere.
- Note down the new volume (device) name and then click Attach to proceed.
Note: Make sure the new instance and the volume you are attaching are in the same Availability Zone.
Mounting Attached Volume
To mount the attached volume, you need to perform the following steps:
- Select and right-click the new instance (Temporary) and open its console. We assume the volume was attached as /dev/sdf.
- Use the lsblk command to view the block devices and partitions.
- Use the following commands to create a mount point named /tempvol and mount the attached volume's root partition under it:
lsblk
sudo mkdir /tempvol
sudo mount /dev/xvdf1 /tempvol
Note: The device may appear with a different name depending on the Linux variant you use. In this demo it shows as /dev/xvdf1.
Modifying the authorized_keys File and Updating the New Private Key
Use the following command to copy the Temporary instance's authorized_keys file, which contains the public key of the new key pair, onto the original instance's root volume:
cp .ssh/authorized_keys /tempvol/home/ubuntu/.ssh/authorized_keys
If the above command fails to execute, you may need to grant write permission on the /home/<user>/.ssh directory of the mounted volume.
Note: The user name varies with the instance variant: for example, ubuntu for Ubuntu Linux and ec2-user for Amazon Linux.
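As an added example that is not from the original article, the following POSIX shell function performs this step on the Temporary instance with the checks a practitioner would want: it takes the target user's uid and gid from the mounted volume's own /etc/passwd (they can differ from the Temporary instance's), appends the new public key instead of overwriting the existing keys, and sets the directory and file modes sshd requires. The mount point, user name and key line are assumed arguments; the public key for new-key-pair.pem can be printed with `ssh-keygen -y -f new-key-pair.pem`.

```shell
#!/bin/sh
# Added example: install a recovery public key into a user's authorized_keys
# on a root volume that is mounted (e.g. under /tempvol) on a rescue instance.
# Arguments (assumed): mount point, user name on the mounted volume, public key line.
install_recovery_key() {
    mnt="$1"; user="$2"; pubkey="$3"
    home="$mnt/home/$user"
    passwd="$mnt/etc/passwd"
    if [ ! -d "$home" ] || [ ! -f "$passwd" ]; then
        echo "no home directory for '$user' or no /etc/passwd under $mnt" >&2
        return 1
    fi
    # Ownership must match the uid/gid on the *mounted* volume, which may differ
    # from the rescue instance's users; otherwise sshd on the original instance
    # rejects the key because of StrictModes.
    uid=$(awk -F: -v u="$user" '$1 == u { print $3 }' "$passwd")
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd")
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "user '$user' not found in $passwd" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    # Append instead of overwriting so keys that already work keep working;
    # skip the append when this exact key line is already present.
    if ! grep -qxF "$pubkey" "$home/.ssh/authorized_keys" 2>/dev/null; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$uid:$gid" "$home/.ssh"
}

# Count how many times a key line is present (used to verify the result).
count_key() {
    f="$1/home/$2/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -cxF "$3" "$f" || true
}

# Run directly as:
#   sudo sh recover-key.sh /tempvol ubuntu "$(ssh-keygen -y -f new-key-pair.pem)"
if [ "$#" -eq 3 ]; then
    install_recovery_key "$@"
fi
```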
Next, unmount the attached volume using the following command, as shown in the figure below.
sudo umount /tempvol
Detaching Volume From Temporary Instance and Reattaching With the Original Instance
- Go to the Volumes section, select the root volume of the original instance, click Actions and select Detach Volume.
- Once the volume is detached, click Actions again and select Attach Volume.
- In the Attach Volume window, type the original instance name or ID, set the device name to /dev/sda1 and then click Attach, as shown in the following figure.
Connecting to the EC2 Linux Instance (Original Instance) With the New Private Key
You have now done all the necessary tasks to recover from the lost key pair and can connect to the original instance with the newly created private key. To do so, start the original instance and connect to it with the key pair you created for the Temporary instance, which in our case is new-key-pair.pem.
You should be able to connect to the EC2 Linux instance as shown in the following figure.
That’s all you need to do to connect to an EC2 Linux instance if the private key is lost. We hope this article has helped you. Please provide your feedback to improve the article's quality.