Updated on 2025-08-28 GMT+08:00

Application Scenarios for Using Key Pairs

Key Pairs

Key pairs (SSH key pairs) are a set of security credentials for identity authentication when you remotely log in to ECSs.

A key pair consists of a public key and a private key. Key Pair Service (KPS) stores the public key and you store the private key. If you have bound a public key to a Linux ECS, you can use the corresponding private key, rather than a password, to log in to the ECS. You do not need to worry about password interception, cracking, or leakage.

You can use Data Encryption Workshop (DEW) to manage key pairs, including creating, importing, binding, viewing, resetting, replacing, unbinding, and deleting key pairs.

This section describes how to create and import a key pair. For details about other operations, see Key Pair Service.

Working Rules

  • Encryption and decryption
    • When you use a public key to encrypt data, only the corresponding private key can be used to decrypt the data. For example, if a user (user A) wants to send messages to another user (user B) securely, user A can use user B's public key to encrypt the messages, and user B uses its own private key to decrypt the messages.
    • If you use a private key to encrypt data, the corresponding public key can be used to decrypt the data. This method is mainly used for digital signatures, which verify the source and integrity of information.
  • Digital signature
    • User A uses its private key to generate a signature for data, and then sends the data and signature to user B.
    • User B uses user A's public key to verify the signature. If the verification is successful, the data was not tampered with and was sent from user A.

Scenarios

When purchasing an ECS, you are advised to select the key pair login mode. For Windows ECSs, key pairs are required to decrypt the passwords so that you can use the decrypted password to log in.

  • Logging in to a Linux ECS

    You can directly use a key pair to log in to a Linux ECS.

Key Pair Operation Guide

Table 1 Key pair operation guide

| Scenario | Description |
| --- | --- |
| Creating a key pair | If no key pair is available, create one and use the generated private key for login authentication. You can use either of the following methods to create a key pair: |
| Importing a key pair | If you have a key pair locally, you can import the key pair on the management console to let the system maintain it. |
| Binding a key pair to an ECS | When creating a Linux ECS, select the key pair as the login credential and select an available key pair. After the ECS is created, the selected key pair is bound to the ECS. For details, see Purchasing an ECS in Custom Config Mode. For an existing Linux ECS, change the login credential to the key pair and bind a key pair to the ECS on the management console. |
| Changing the key pair of an ECS | If the private key is lost, you can bind a new key pair to the ECS. For details, see Resetting a Key Pair. If the private key is disclosed, you can use a new key pair to replace the public key in the ECS. For details, see Replacing a Key Pair. If you do not need to use a key pair to log in to an ECS, you can unbind a key pair. |
| Obtaining the password for logging in to an ECS | Windows ECSs only support password-based login. If you use a key pair as the login credential when creating an ECS, you need to obtain the administrator password generated during initial ECS installation. For details, see Obtaining the Password for Logging In to a Windows ECS. |
| Using a private key to log in to the Linux ECS | If you use a key pair as the login credential for a Linux ECS, you can log in to the ECS using an SSH key pair. |
| Viewing a key pair | You can view key pair information on the KPS page of the DEW console, including the key pair names, fingerprints, and statuses. |

Notes and Constraints

  • Key pairs can be used to remotely log in to Linux ECSs only.
  • The SSH key pairs created on the management console support the following cryptographic algorithms:
    • SSH-ED25519
    • ECDSA-SHA2-NISTP256
    • ECDSA-SHA2-NISTP384
    • ECDSA-SHA2-NISTP521
    • SSH_RSA: The length can be 2,048, 3,072, or 4,096 bits.
  • Key pairs can be used only for ECSs in the same region.
  • Imported key pairs support the following cryptographic algorithms:
    • SSH-DSS
    • SSH-ED25519
    • ECDSA-SHA2-NISTP256
    • ECDSA-SHA2-NISTP384
    • ECDSA-SHA2-NISTP521
    • SSH_RSA: The length can be 2,048, 3,072, or 4,096 bits.
  • Store your private key in a secure place because you need to use it to prove your identity when logging in to your ECS. The private key can be downloaded only once.
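
A pre-import check for the algorithm constraints listed above, as an added example that is not part of the original page or of any Huawei Cloud tooling: it parses an OpenSSH public key line, compares the key type and RSA modulus length with the imported-key list, and computes the SHA256 fingerprint in the form that ssh-keygen -l prints. The lowercase wire names (for example "ssh-rsa" for SSH_RSA) and all function names are assumptions; sample_line only builds constructed, non-functional keys for testing.

```python
import base64
import hashlib
import struct

# OpenSSH wire names assumed to correspond to the page's "imported key pairs" list.
IMPORTABLE = {"ssh-dss", "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
              "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
RSA_BITS = {2048, 3072, 4096}  # RSA lengths the page lists


def fields_of(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack_from(">I", blob, pos)  # struct.error if truncated
        if pos + 4 + size > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return out


def check_public_key(line):
    """Return (ok, reason, sha256_fingerprint) for a '<type> <base64> [comment]' line."""
    parts = line.split()
    try:
        blob = base64.b64decode(parts[1], validate=True)
        fields = fields_of(blob)
        key_type = fields[0].decode("ascii")
        # RSA blob layout: type, public exponent e, modulus n
        bits = int.from_bytes(fields[2], "big").bit_length() if key_type == "ssh-rsa" else 0
    except (IndexError, ValueError, struct.error) as exc:
        return False, f"malformed public key: {exc}", None
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if key_type != parts[0]:
        return False, "declared type does not match key blob", fp
    if key_type not in IMPORTABLE:
        return False, f"{key_type} is not an importable algorithm", fp
    if key_type == "ssh-rsa" and bits not in RSA_BITS:
        return False, f"RSA modulus is {bits} bits", fp
    return True, "ok", fp


def sample_line(key_type, *values):
    """Build a constructed, non-functional key line; ints become SSH mpints."""
    raw = [key_type.encode()] + [v if isinstance(v, bytes) else
                                 v.to_bytes(v.bit_length() // 8 + 1, "big") for v in values]
    blob = b"".join(struct.pack(">I", len(r)) + r for r in raw)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"
```

Pass the contents of a .pub file to check_public_key before importing it; a False result carries the reason the key does not fit the constraints.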