Updated on 2024-12-19 GMT+08:00

Creating a Key Pair

For system security reasons, you should use the key pair authentication mode to authenticate the user who attempts to log in to an ECS.

You can create a key pair and use it for authentication when logging in to your ECS.

If you have already created a key pair, you do not need to create again.

You can create a key pair using either of the following methods:

  • Creating a key pair on the management console

    The public key is automatically saved in Huawei Cloud. The private key can be downloaded and saved on your local host. You can also save your private keys in Huawei Cloud and manage them with KPS based on your needs. Huawei Cloud uses encryption keys provided by KMS to encrypt your private keys to ensure secure storage and access. For details, see Creating a Key Pair Using the Management Console.

    • The key pair created on the management console uses the SSH-2 (RSA, 2048) encryption and decryption algorithm.
    • Key pairs created by an IAM user on the management console can be used only by the user. If multiple IAM users need to use the same key pair, you can create an account key pair.
  • Creating a key pair using the PuTTYgen tool
    Both the public key and private key can be stored on the local host. For details, see Creating a Key Pair Using PuTTYgen.

    PuTTYgen is a tool for generating public and private keys. You can obtain the tool from https://www.putty.org/.

Prerequisites

When creating an account key pair for the first time, you need to obtain a user with the Tenant Administrator system role.

Constraints

  • IAM users cannot create account key pairs.

Creating a Key Pair Using the Management Console

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click on the left. Choose Security & Compliance > Data Encryption Workshop.
  4. In the navigation pane on the left, click Key Pair Service.
  5. In the displayed Private Key Pairs tab, create a private key pair or an account key pair as required.
  6. Click Create Key Pair. In the displayed dialog box, enter the key pair name, as shown in Figure 1.

    Figure 1 Creating a key pair

  7. (Optional) Select a key pair type. If no key pair is enabled for your account, an SSH_RSA_2048 key pair will be created by default.

    Currently, only the RSA algorithm can be used with Windows.

  8. Read and select I agree to host the private key of the key pair if needed. Select an encryption key from the KMS encryption drop-down list box. Skip this step if not needed.

    • KPS encrypts private keys using the encryption key provided by KMS. When you use the KMS encryption function of the key pair, KMS creates a default key kps/default for you to use.
    • For details about the custom keys created on KMS, see Creating a Key.
    Figure 2 Managing private keys

  9. Read the Key Pair Service Disclaimer and select I have read and agree to the Key Pair Service Disclaimer.
  10. Click OK. The browser automatically downloads the private key. When the private key is downloaded, a dialog box is displayed.
  11. Save the private key as prompted by the dialog box.

    • If the private key is not managed, it can be downloaded only once. Keep it properly. If the private key is lost, you can bind a key pair to the ECS again by resetting the password or key pair. For details, see How Do I Handle the Failure in Logging In to ECS After Unbinding the Key Pair?
    • If you have authorized Huawei Cloud to manage the private key, you can export the private key anytime as required.

  12. Click OK. After the key pair is created, you can view the information in the key pair list, including name, fingerprint, status, and private key.

    After the key pair is created, download the private key to your local host and keep it securely.

Creating a Key Pair Using PuTTYgen

  1. Generate the public and private keys. Double-click PuTTYgen.exe. The PuTTY Key Generator page is displayed, as shown in Figure 3.

    Figure 3 PuTTY Key Generator

  2. Configure the parameters as described in Table 1.

    Table 1 Parameter description

    Parameter

    Description

    Type of key to generate

    Encryption and decryption algorithm of key pairs to be imported to the management console. Currently, only SSH-2 RSA is supported.

    Number of bits in a generated key

    Length of a key pair to be imported to the management console. Currently, the following length values are supported: 1024, 2048, and 4096.

  3. Click Generate to generate a public key and a private key. See Figure 4.

    Contents highlighted by the blue-line box show a generated public key.
    Figure 4 Obtaining the public and private keys

  4. Copy the information in the blue square and save it in a local .txt file.

    Do not save the public key by clicking Save public key. If you save a public key using Save public key, the public key format will be changed and cannot be imported to the management console directly.

  5. Save the private key in PPK or PEM format.

    For security purposes, the private key can only be downloaded once. Keep it secure.

    Table 2 Format of a private key file

    Private Key File Format

    Private Key Usage Scenario

    Saving Method

    PEM

    • Use the Xshell tool to log in to the cloud server running the Linux operating system.
    • Manage the private key on the management console.
    1. Choose Conversions > Export OpenSSH key.
    2. Save the private key, for example, kp-123.pem, to a local directory.

    Obtain the password of a cloud server running the Windows operating system.

    1. Choose Conversions > Export OpenSSH key.
      NOTE:

      Do not enter the Key passphrase information. Otherwise, the password fails to be obtained.

    2. Save the private key, for example, kp-123.pem, to a local directory.

    PPK

    Use the PuTTY tool to log in to the cloud server running the Linux operating system.

    1. On the PuTTY Key Generator page, choose File > Save private key.
    2. Save the private key, for example, kp-123.ppk, to a local directory.

    After the public key and private key are correctly saved, you can import the key pair to the management console.