Updated on 2025-07-22 GMT+08:00

Binding a Key Pair and Logging In to an ECS Using a Private Key

A key pair, consisting of one public key and one private key, is generated based on a cryptographic algorithm. The public key is automatically saved in Key Pair Service (KPS), while the private key can be saved to the user's local host. If you have configured the public key in a Linux ECS, you can use the private key to log in to the ECS for better security.

This section describes how to bind a key pair and log in to an ECS using a private key.

Procedure

The following uses an SSH_RSA_2048 key pair as an example to describe how to create a key pair and use the key to log in to an ECS. The following figure shows the process.

Figure 1 Creating a key pair and using it to log in to an ECS

| Procedure | Description |
| --- | --- |
| Preparations | Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant KPS permissions to the account. |
| Step 1: Creating a Key Pair | Create a key pair and select the key pair type. |
| Step 2: Binding a Key Pair to an ECS | Bind a key pair to the ECS. |
| Step 3: Logging in to an ECS Using a Private Key | After the key pair is bound, use the private key to log in to the ECS. |

Preparations

  1. Before creating a key pair, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services.

    If you have enabled Huawei Cloud, skip this step.

  2. An ECS has been created. For details, see Purchasing an ECS in Custom Config Mode.

    The SSH port (22 by default) of the ECS security group must allow traffic from the 100.125.0.0/16 CIDR block in advance. For details about ports and CIDR blocks, see Enhancing Security for SSH Logins to Linux ECSs.

  3. The KPS permission has been granted to the account. For details, see Creating a User and Authorizing the User the Permission to Access DEW.
    Table 1 KPS system policies

    | Role/Policy Name | Description | Type | Dependency |
    | --- | --- | --- | --- |
    | DEW KeypairFullAccess | Full permissions for KPS in DEW. Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
    | DEW KeypairReadOnlyAccess | Read-only permissions for KPS in DEW. Users with this permission can only view KPS data. | System-defined policy | None |

Step 1: Creating a Key Pair

  1. Log in to the DEW console.
  2. In the navigation pane on the left, choose Key Pair Service.
  3. In the Private Key Pairs tab, click Create Key Pair, and configure the parameters as shown in Figure 2. For details about the parameters, see Table 2.
    Figure 2 Creating a private key pair
    Table 2 Parameters for creating a private key pair

    | Parameter | Example Value | Description |
    | --- | --- | --- |
    | Type | SSH_RSA_2048 | Signature algorithm of the SSH key pair. RSA, ECDSA, and EdDSA are supported. |
    | KMS Encryption Key (NOTE: Select I agree to host the private key of the key pair and select an encryption key.) | kps/default | KMS supports the following encryption modes: • Select from List: Select this if you want to use the key used or shared by the current account. Select the default key kps/default or a custom key created on KMS. • Enter: Enter the ID of the authorized key. Enter an encryption key if an authorized key is used. Only symmetric algorithm key IDs are supported. Do not enter an asymmetric key ID. |
  4. Select I have read and agree to Key Pair Service Disclaimer and click OK. The private key file will be automatically downloaded. You need to save the file as prompted.

Step 2: Binding a Key Pair to an ECS

After a key pair is bound to an ECS, you can use the private key to log in to the ECS.

To bind a key pair to a shut-down ECS:

  1. In the navigation pane on the left, choose Key Pair Service. On the displayed page, click the ECS List tab.
  2. Locate the target shut-down ECS and click Bind in the Operation column.
  3. On the displayed page, select a key pair. Then, select Disable the password login mode and I have read and agree to Key Pair Service Disclaimer.
    Figure 3 Binding a key pair to a shut-down ECS
  4. Click OK.

To bind a key pair to a running ECS:

  1. In the navigation pane on the left, choose Key Pair Service. On the displayed page, click the ECS List tab.
  2. Locate the target running ECS and click Bind in the Operation column.
  3. On the displayed page, configure the parameters as shown in Figure 4.
    • Set New Key Pair and Root Password.
    • The default port is 22.
    • Select Disable the password login mode and I have read and agree to Key Pair Service Disclaimer.
    Figure 4 Binding a key pair
  4. Click OK.

Step 3: Logging in to an ECS Using a Private Key

  1. Check whether the private key file has been converted to .ppk format.
    • If yes, log in to the ECS.
    • If no, perform the following operations to convert the format of the private key file and then log in to the ECS.

      Open the third-party tool PuTTY, import the .pem private key file, and export the converted .ppk private key file.

      Figure 5 Converting the format of the private key file
  2. Use PuTTY to log in to the ECS.
    • Enter the IP address of the ECS. Port 22 is used by default.
      Figure 6 IP address of ECS
    • Enter the username of the ECS image.
      Figure 7 Username
    • Upload the private key file in .ppk format.
      Figure 8 Uploading the private key file
    • Click Open.
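
After logging in, it is worth confirming that Disable the password login mode actually took effect on the ECS. The following check is an added example, not part of the Huawei Cloud documentation; it assumes the ECS runs OpenSSH and that the setting is reflected in its sshd_config, and it uses two constructed sample files in place of /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not Huawei Cloud code): check an OpenSSH server config for
# password login. sshd keeps the FIRST value it reads for each keyword, so a
# later "PasswordAuthentication no" does not override an earlier "yes".

# Print the effective global value of keyword $2 in file $1 (default: $3).
effective_sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }                 # skip comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                 # Match blocks are per-user/host
        k == key { val = tolower($2); exit }  # first occurrence wins
        END { print val }
    ' "$1"
}

# Succeed only if password login is off and public-key login is on.
password_login_disabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(effective_sshd_option "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Constructed sample 1: the early "yes" wins, password login stays enabled.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# Constructed sample 2: password login disabled before any Match block.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
# constructed sshd_config fragment
Port 22
passwordauthentication = no
Match User backup
    X11Forwarding no
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

for f in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    password_login_disabled "$f" && echo "password login disabled" \
        || echo "password login still possible"
done
```

The function reads only the global section of a single file and does not follow Include directives or evaluate Match blocks. On the ECS itself, running `sshd -T` as root prints the effective configuration and is the authoritative check.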