SSH Public Key Authentication to Access Linux (1) explained a fundamental Public Key Infrastructure (PKI) concept: the public and private key pair.
This post demonstrates:
- how to generate a public and private key pair using PuTTYgen on Windows; and
- how to convert a .pem (Privacy Enhanced Mail certificate file) private key to .ppk (PuTTY Private Key) format to use with PuTTY on Windows.
If a key pair is generated on Mac or Linux (an AWS EC2 Linux instance, for example), the private key is likely to be in .pem format. See the Lifewire explanation of the .pem file: https://www.lifewire.com/pem-file-4147928. We can also use PuTTYgen to convert the .pem key to .ppk file format.
Download PuTTY and PuTTYgen
PuTTYgen stands for PuTTY Key Generator, which is downloadable from https://www.puttygen.com/.
PuTTY is the SSH client application, available from https://www.puttygen.com/download-putty.
Check whether your operating system is 64-bit or 32-bit (This PC > Properties, or Control Panel > System and Security > System) so that you pick the matching installer.
Generate RSA Key Pair on Windows
After installing PuTTY and PuTTYgen, you will find the applications on Windows as below. Alternatively, the applications are also available as portable executable files, which may be convenient if your Windows administrator restricts software installation.
Start PuTTYgen and generate the RSA public and private key pair following the sequence marked in the screenshot below.
RSA is a cryptographic algorithm. See TechTarget for an explanation of the RSA algorithm: https://searchsecurity.techtarget.com/definition/RSA.
- Step 1 to confirm ‘RSA’ is selected for ‘Type of key to generate’;
- Step 2 to confirm ‘2048’ or a higher value is set, which is good security practice. 2048 bits is the key size; see DigiCert for RSA key size information: https://www.digicert.com/TimeTravel/math.htm;
- Step 3 to click the ‘Generate’ button. The value in the box marked with 3 is your OpenSSH public key. Provide this to your Linux admin so that the public key (i.e. the lock) can be installed on the destination server (i.e. the treasure vault). Please do NOT select ‘Save public key’, because we need the public key in OpenSSH format instead of PuTTY format; and
- Step 4 to ‘Save private key’. Choose whether you require a passphrase to protect your private key. A passphrase is recommended for better security: if your private key is compromised, you still have the additional protection of the passphrase. However, if you are not sure how to use a passphrase, just confirm no passphrase protection for lab purposes (diagram below). The private key will be saved in .ppk format; PuTTY and WinSCP (for file transfer via SSH tunnel) accept private keys in .ppk format.
- Note: if the private key saved in Step 4 does not show the .ppk extension, add .ppk as the extension to your saved key. You can use this approach only if the key was saved in .ppk format in Step 4.
In future, if you forget which public key a private key belongs to, you can always import the private key into PuTTYgen via the ‘Load’ button. The public key will show in the top window.
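The checks from Steps 2 to 4 can also be run against a saved .ppk file without opening PuTTYgen, because the public half of a .ppk is stored unencrypted. The following is an added example, not part of the original post: the function names are hypothetical, the sample key is constructed (dummy modulus, placeholder private section), and it assumes the text layout of .ppk versions 2 and 3.

```python
import base64
import struct

def parse_ppk(text):
    """Split a .ppk file into header fields; '-Lines' fields carry base64 bodies."""
    lines, fields, i = text.strip().splitlines(), {}, 0
    while i < len(lines):
        key, _, value = lines[i].partition(": ")
        i += 1
        if key.endswith("-Lines"):            # value = number of base64 lines that follow
            fields[key] = "".join(lines[i:i + int(value)])
            i += int(value)
        else:
            fields[key] = value
    return fields

def read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length

def audit_ppk(text):
    f = parse_ppk(text)
    algo = next(v for k, v in f.items() if k.startswith("PuTTY-User-Key-File-"))
    blob = base64.b64decode(f["Public-Lines"])   # readable without the passphrase
    _name, off = read_string(blob, 0)            # algorithm name, repeats the header
    out = {"encrypted": f["Encryption"] != "none", "bits": None, "findings": [],
           "openssh_public": f"{algo} {f['Public-Lines']} {f['Comment']}"}
    if not out["encrypted"]:
        out["findings"].append("private key has no passphrase")
    if algo == "ssh-rsa":
        _e, off = read_string(blob, off)         # public exponent
        n, _ = read_string(blob, off)            # modulus
        out["bits"] = int.from_bytes(n, "big").bit_length()
        if out["bits"] < 2048:
            out["findings"].append(f"RSA modulus is only {out['bits']} bits")
    return out

def mpint(x):
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")   # room for a zero byte if top bit is set
    return struct.pack(">I", len(raw)) + raw

def sample_ppk(bits, encryption):
    """Constructed sample: dummy modulus and placeholder private section, not a usable key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    b64 = base64.b64encode(blob).decode()
    pub = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["PuTTY-User-Key-File-2: ssh-rsa", f"Encryption: {encryption}", "Comment: lab-key",
                      f"Public-Lines: {len(pub)}", *pub, "Private-Lines: 1", "AAAA", "Private-MAC: 00"])
```

The `openssh_public` value is the single-line OpenSSH form shown in the PuTTYgen top window, so it can be compared directly with the key installed on the server.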
Convert .PEM to .PPK Private Key Format
If the key pair was generated on a Linux box or a Mac, your private key is in .pem format and must be converted to .ppk format to use with PuTTY or WinSCP on Windows.
The following screenshot, with marked sequencing, demonstrates the key conversion steps.
- Steps 1 and 2: to confirm the RSA algorithm and a key size of 2048 bits or above;
- Step 3: to click ‘Load’ to load the required .pem private key to convert; and
- Step 4: to click ‘Save private key’ and save the converted key.
In the next post, we will boot up a Linux server, create a new test user and install the user’s public key to the server to grant access. The user will use the private key for access authentication.