Windows Password won't decrypt on AWS EC2 even with the correct private key

Solution 1:

AWS EC2's key management does not cope with SSH private keys that have passwords set (are encrypted). It doesn't detect this, and simply fails with an uninformative error.

If your private key is stored encrypted on disk (like it should be, IMO) you must decrypt it to paste it into AWS's console.

Rather than doing that, consider decrypting the password locally, so you don't have to send your private key to AWS. Get the encrypted password data (base64 encoded) from the server log after startup, or using get-password-data or the corresponding API requests.

You can then base64 decode and decrypt the result:

base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

(OpenSSH private keys are accepted by openssl rsautl).

The issue with failing to handle password protected keys with a useful error also affects the ec2-get-password command.

See also:

  • EC2 Windows - Get Administrator Password
  • decrypt password with OpenSSL
  • bug report on AWS forums - please chime in.

Solution 2:

Without the use of jq, this is still possible but requires some additional parsing of the returned data.

aws ec2 get-password-data "--instance-id=${instance_id}" --query 'PasswordData' | sed 's/\"\\r\\n//' | sed 's/\\r\\n\"//' | base64 -D | openssl rsautl -inkey ${my_key} -decrypt

Solution 3:

This is what worked for me in macOS:

openssl rsa -in $HOME/.ssh/aws-remote -out /Users/home/desktop/unencrypted-rsa.txt

It's worth noting that you can tell if your .pem file is encrypted with a password by looking for the following line. If it's present, you need to decrypt it before using it with Amazon:

Proc-Type: 4,ENCRYPTED

Solution 4:

On my Mac, the command-line arguments for base64 are different.

This worked for me:

base64 -D -i /tmp/file | openssl rsautl -decrypt -inkey /path/to/key.pem
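Pulling the four answers together, as an added example that is not code from any of the answers above: a POSIX shell function that refuses passphrase-protected keys (the Proc-Type check from Solution 3), strips the quoting and literal \r\n from the CLI output (Solution 2), and decrypts with openssl pkeyutl, the current name for rsautl, using openssl base64 so the same pipeline runs on Linux and macOS regardless of the base64 -d / -D flag difference (Solution 4). Key paths and the instance id are placeholders.

```shell
# Local decryption of EC2 Windows PasswordData (constructed example).
# `openssl base64` replaces the platform base64 tool, so no -d/-D guessing.
set -e

# Exit 0 when the PEM key is passphrase-protected: legacy PEM keys carry the
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 keys use a different BEGIN line.
key_is_encrypted() {
  grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# $1: PasswordData value as printed by
#       aws ec2 get-password-data --instance-id ID --query PasswordData
#     i.e. base64 wrapped in quotes with a literal \r\n before the closing quote
# $2: path to the unencrypted private key of the instance's key pair
# Prints the plaintext Administrator password on stdout.
decrypt_password_data() {
  if key_is_encrypted "$2"; then
    echo "$2 is passphrase-protected; decrypt a copy first:" >&2
    echo "  openssl rsa -in $2 -out /path/to/plain-key.pem" >&2
    return 1
  fi
  printf '%s' "$1" \
    | sed -e 's/^"//' -e 's/"$//' -e 's/\\r\\n//g' \
    | tr -d '\r\n ' \
    | openssl base64 -d -A \
    | openssl pkeyutl -decrypt -inkey "$2"
}

# Usage against a live instance (needs the aws CLI and credentials; the
# instance id and key path below are placeholders):
#   decrypt_password_data \
#     "$(aws ec2 get-password-data --instance-id "$instance_id" --query PasswordData)" \
#     "$HOME/.ssh/aws-key.pem"
```

Because the private key never leaves the machine, this also sidesteps the AWS console's silent failure on encrypted keys described in Solution 1.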