Updated on 2026-07-06 GMT+08:00

Creating a Key Pair

Scenarios

For security purposes, it is recommended that you use the key pair to log in to FlexusX instances. You can create a key pair and use it for authentication when logging in to a FlexusX instance.

If you already have a key pair, there is no need to create one.

Methods of Creating a Key Pair

Table 1 describes the methods of creating a key pair.

Table 1 Methods of creating a key pair

Method

Difference

(Recommended) Creating a Key Pair on the Management Console

NOTE:
  • Account key pair
    • Only users with the Tenant Administrator system role can create an account key pair upon first creation.
    • An account key pair can be used by multiple IAM users in the account.
  • Private key pair: A private key pair created by an IAM user on the management console can only be used by that user. If multiple IAM users need to use the same key pair, upgrade it to an account key pair. For details, see Upgrading a Private Key Pair to an Account Key Pair.
  • Public keys are stored in Huawei Cloud, while private keys can either be downloaded and stored locally by the user or managed in Huawei Cloud. Huawei Cloud uses encryption keys provided by KMS to encrypt private keys, securing their storage and access.
  • Key pairs created on the console support the following cryptographic algorithms:
    • SSH-ED25519
    • ECDSA-SHA2-NISTP256
    • ECDSA-SHA2-NISTP384
    • ECDSA-SHA2-NISTP521
    • SSH_RSA: The length can be 2,048, 3,072, or 4,096 bits.

Creating a Key Pair Using PuTTY Key Generator

Both public and private keys are stored locally.

Importing a Key Pair

NOTE:

If multiple IAM users need to use the same key pair, use another tool (such as PuTTYgen) to create a key pair and import it for each of the IAM users separately.

  • Imported SSH key pairs support the following cryptographic algorithms:
    • SSH-DSS (not recommended)
    • SSH-ED25519
    • ECDSA-SHA2-NISTP256
    • ECDSA-SHA2-NISTP384
    • ECDSA-SHA2-NISTP521
    • SSH_RSA: The length can be 2,048, 3,072, or 4,096 bits.
  • Imported private keys support PKCS8. Convert the format if PKCS1 is used.

Creating a Key Pair

KPS supports three methods for creating a key pair. You can choose one as needed.

  1. Log in to the DEW console.Log in to the DEW console.
  2. In the navigation pane on the left, choose Key Pair Service. The Key Pair Service page is displayed.

    Key pairs consist of account key pairs and private key pairs. By default, the Account Key Pairs tab is displayed. You can create key pairs of a specific category as needed.

    Table 2 Key pair categories

    Key Pair Category

    Description

    Account key pair

    • An account key pair can be used by multiple IAM users in the account.
    • Only users with the Tenant Administrator system role can create an account key pair upon first creation.

    Private key pair

    • A private key pair created by an IAM user on the management console can only be used by that user.
    • If multiple IAM users need to use the same key pair, upgrade it to an account key pair. For details, see Upgrading a Private Key Pair to an Account Key Pair.
  3. Click Create Key Pair.
  4. Configure required parameters.
    Table 3 Parameters for creating a key pair

    Parameter

    Description

    Key Pair Name

    The name of the key pair. Only letters, digits, underscores (_), and hyphens (-) are allowed.

    Type

    Signature algorithm of the SSH key pair. RSA, ECDSA, and EdDSA are supported.

    Key pair types include SSH_RSA_2048, SSH_RSA_3072, SSH_RSA_4096, SSH_ED25519_256, SSH_ECDSA_256, SSH_ECDSA_384, and SSH_ECDSA_521.

    NOTE:
    • If you have not enabled your account key pair, this parameter is invalid. An SSH_RSA_2048 key pair will be created by default.
    • Currently, only the RSA algorithm can be used with Windows.
  5. (Optional) Configure private key hosting for the key pair. Skip this step if not needed.
    1. Select I agree to host the private key of the key pair.
    2. Set KMS Encryption Key and specify an encryption key.
      • Select from List: The current account's key or a shared key will be used.
        • Default Keys: The default encryption key kps/default provided by KMS is used to encrypt the private key.
        • Custom Keys: Select a custom key created on KMS to encrypt the private key. For details, see Creating a Custom Key. To use a shared key created using RAM, accept the shared key, and select it from the bottom of the KMS encryption drop-down list. Shared is displayed next to the key name.
      • Enter: An authorized key will be used. Only the ID of a symmetric key is supported.

        After permissions are granted, you can enter the ID of the authorized key and use it for encryption. For details, see Creating a Grant for a Custom Key.

    • Key Management Service (KMS) is a secure, reliable, and easy-to-use cloud service that helps you create, manage, and protect keys easily. For details, see Key Management Service.
    • If KMS encryption is used, what you use beyond the free quota given by KMS will be billed. For details, see How Is DEW Billed?
  6. Read and select I have read and agree to Key Pair Service Disclaimer.
  7. Click OK. The browser prompts you to download the private key file or automatically downloads the private key file.
    The file name is the specified key pair name with a suffix of .pem. Ensure that the private key has been downloaded locally and keep the private key secure.
    • If the private key is not hosted, it can be downloaded only once. Keep it properly.

      If the private key is lost, you can reset the key pair to bind a new key pair to the instance. For details, see Resetting a Key Pair.

    • If you have authorized Huawei Cloud to host the private key, you can export the hosted private key as required. For details, see Exporting a Private Key.
  8. After the key pair is created, you can view it in the key pair list, including the name, fingerprint, and status.
  1. Download and install PuTTY and PuTTYgen.

    https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

    PuTTYgen is a key generator, which is used to create a key pair that consists of a public key and a private key for PuTTY.

  2. Obtain the public and private keys.
    1. Double-click puttygen.exe to open PuTTY Key Generator.
      Figure 1 PuTTY Key Generator
    2. Configuring key pair parameters
      Imported SSH key pairs support the following cryptographic algorithms:
      • SSH-DSS
      • SSH-ED25519
      • ECDSA-SHA2-NISTP256
      • ECDSA-SHA2-NISTP384
      • ECDSA-SHA2-NISTP521
      • SSH_RSA: The length can be 2,048, 3,072, or 4,096 bits.
    3. Click Generate.

      The key generator automatically generates a key pair that consists of a public key and a private key. The content shown in the red box in Figure 2 is the public key.

      Figure 2 Generating the public and private keys
  3. Copy the public key to a .txt file and save it to a local directory.

    Do not save the public key by clicking Save public key because this operation will change the format of the public key content and cause the public key to fail to be imported to the management console.

  4. Save the private key.

    The format in which to save your private key varies depending on application scenarios. For security purposes, the private key can only be downloaded once. Keep it secure.

    • Saving the private key in .ppk format
      When using PuTTY to log in to a Linux FlexusX instance, you need to use the private key in .ppk format. Do as follows:
      1. On the PuTTY Key Generator page, choose File > Save private key.
        Figure 3 Saving a private key
      2. Save the converted private key, for example, kp-123.ppk, locally.
    • Saving the private key in .pem format
      When you use Xshell to log in to a Linux FlexusX instance or obtain the password for logging in to a Windows FlexusX instance, you need to use the private key in .pem format. Do as follows:
      1. Choose Conversions > Export OpenSSH key.

        If you use this private file to obtain the password for logging in to a Windows FlexusX instance, do not specify Key passphrase for Export OpenSSH key. Otherwise, you will fail to obtain the password.

        Figure 4 Saving a private key
      2. Save the private key, for example, kp-123.pem, locally.
  5. After the public and private keys are saved, import the public key to the system. For details, see Importing a Key Pair.
  1. Log in to the DEW console.Log in to the DEW console.
  2. In the navigation pane on the left, choose Key Pair Service. The Key Pair Service page is displayed.

    Key pairs consist of account key pairs and private key pairs. By default, the Account Key Pairs tab is displayed.

    An account key pair can be used by multiple IAM users in the account. A private key pair can only be used by the IAM user who created it. You can create key pairs of a specific category as needed.

  3. On the Key Pair Service page, click Import Key Pair.
    Figure 5 Importing a key pair
  4. In the slide-out Import Key Pair panel, click Import Public Key and select the public key file of the key pair.

    Batch import is supported. A maximum of 10 public keys can be imported all at one time. If the system displays a message indicating that the name already exists, it means the private key pair with the same name already exists in the account key pair or private key pair. In this case, you need to change the key pair name.

  5. Set the key pair name.

    After the public key is imported, the key pair name is automatically updated to the public key name. You can change the key pair name as needed. The key pair name can contain only letters, digits, underscores (_), and hyphens (-).

  6. (Optional) Configure private key hosting for the key pair. Skip this step if not needed.
    1. Select I agree to host the private key of the key pair.
    2. Copy the private key content of the key pair and paste it to the Private Key Content text box.
    3. Set KMS Encryption Key and specify an encryption key.
      • Select from List: The current account's key or a shared key will be used.
        • Default Keys: The default encryption key kps/default provided by KMS is used to encrypt the private key.
        • Custom Keys: Select a custom key created on KMS to encrypt the private key. For details, see Creating a Custom Key. To use a shared key created using RAM, accept the shared key, and select it from the bottom of the KMS encryption drop-down list. Shared is displayed next to the key name.
      • Enter: An authorized key will be used. Only the ID of a symmetric key is supported.

        After permissions are granted, you can enter the ID of the authorized key and use it for encryption. For details, see Creating a Grant for a Custom Key.

    • Key Management Service (KMS) is a secure, reliable, and easy-to-use cloud service that helps you create, manage, and protect keys easily. For details, see Key Management Service.
    • If KMS encryption is used, what you use beyond the free quota given by KMS will be billed. For details, see How Is DEW Billed?
  7. Read and select I have read and agree to Key Pair Service Disclaimer.
  8. Click OK.

Related Operations