Complete guide to creating SSH keys for Amazon servers and cloud data centers
In this article, we'll walk you through the steps to create SSH keys for secure login to cloud servers and data centers. Learn how to create and use these keys on Windows and Linux.

This article will teach you how to securely and professionally generate SSH keys for secure login to Amazon cloud servers and data centers. You will learn practical methods on Windows and Linux, and best practices for server security and management.

Why should I create and use an SSH key?

In cloud environments and international data centers, secure and automated login to servers is a cornerstone of every DevOps operation, web hosting, rendering, AI, and database management. SSH keys are a standard, secure, and scriptable method of authentication and replace weak passwords.

Using public/private keys reduces the risk of brute-force attacks, makes automation easier, and allows finer-grained access controls.

Prerequisites and basic concepts

Private key: Your confidential file that should not be disclosed.

Public key: A file that is placed on the server (authorized_keys).

Common algorithms: ed25519 (recommended), rsa 4096.

Paths: ~/.ssh/id_* on Linux/WSL and C:\Users\ \.ssh on Windows.

Permissions: chmod 700 ~/.ssh and chmod 600 for the private key.

Creating an SSH key on Linux/macOS/WSL

Using ed25519 is recommended unless you need RSA for compatibility reasons.

Steps for generating and managing keys in the shell

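# Generate an ed25519 key pair (recommended); -a 100 sets the KDF rounds protecting the passphrase
ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/id_ed25519 -o -a 100
# Alternative: RSA 4096, only when ed25519 is not supported
ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/.ssh/id_rsa -o -a 100
# Start the agent and load the private key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
# List the key files and print the public key
ls -la ~/.ssh
cat ~/.ssh/id_ed25519.pub
# Install the public key on the server (second form: sshd listening on port 2222)
ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 [email protected]
# AWS: restrict the downloaded PEM file and use it as the identity
chmod 400 my-aws-key.pem
ssh -i my-aws-key.pem [email protected]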

Note: In AWS, you often choose or import the key when you launch an instance. If you have a PEM file, use it as the identity file (ssh -i).

Creating an SSH key in Windows (PowerShell / Windows OpenSSH)

Windows 10/11 includes an OpenSSH client; you can also use PuTTYgen to prepare a key for connecting with PuTTY.

PowerShell commands

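# Generate the key pair
ssh-keygen -t ed25519 -C "[email protected]" -f $env:USERPROFILE\.ssh\id_ed25519
# The ssh-agent service is disabled by default on Windows; enable it first (elevated PowerShell)
Get-Service ssh-agent | Set-Service -StartupType Manual
Start-Service ssh-agent
ssh-add $env:USERPROFILE\.ssh\id_ed25519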

File paths:

  • C:\Users\ \.ssh\id_ed25519

  • C:\Users\ \.ssh\id_ed25519.pub

Convert PEM to PPK with PuTTYgen

General steps:

  • Open PuTTYgen.

  • File > Load private key, then load the file my-aws-key.pem (show all files).

  • Save the private key as my-aws-key.ppk and use it in PuTTY (Connection > SSH > Auth > Private key file).

Importing Public Keys in AWS EC2 and Other Cloud Panels

AWS Console: EC2 > Key Pairs > Import key pair. Enter a name and the contents of the .pub file.

When creating an instance, you can select an existing key pair. Other datacenters often have an Upload/Import SSH key option in the panel.

cloud-init example for adding public key

#cloud-config
ssh_authorized_keys:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... [email protected]

Add key to GitLab/GitHub and use in CI

For GitLab: go to User Settings > SSH Keys and paste the public key. In the project, go to Deploy keys.

In CI/CD, upload the private key as a protected variable and use it in the job by creating a file with restricted access (chmod 600).

Server and security settings after key installation

Step 1: Set permissions.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519

Then check and update the settings in /etc/ssh/sshd_config:

  • PasswordAuthentication no

  • PermitRootLogin no

  • PubkeyAuthentication yes

  • You can set AllowUsers to restrict which users may log in.

  • UseDNS no, and change the port if desired.

sudo systemctl restart sshd
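
The settings listed above can be audited offline with a short script. This is an added example, not part of the original article: the function names and the sample config are constructed, and the fallback defaults are assumed to be the upstream OpenSSH ones (a distribution may ship different defaults).

```shell
#!/bin/sh
# Added example: offline check of an sshd_config against the settings listed above.
# sshd uses the FIRST value it reads for each keyword, and keywords are
# case-insensitive. Match blocks and Include files are not evaluated here.

# effective_value FILE KEYWORD DEFAULT -> value sshd would use in global scope
effective_value() {
    awk -v kw="$2" -v def="$3" '
        { sub(/[=]/, " ") }                      # accept "Keyword=value" too
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one PASS/FAIL line per setting; status = FAIL count
audit_sshd_config() {
    fails=0
    # keyword:assumed upstream OpenSSH default:value recommended above
    for rule in PasswordAuthentication:yes:no PermitRootLogin:prohibit-password:no \
                PubkeyAuthentication:yes:yes UseDNS:no:no; do
        kw=${rule%%:*}; rest=${rule#*:}
        def=${rest%%:*}; want=${rest#*:}
        got=$(effective_value "$1" "$kw" "$def")
        if [ "$got" = "$want" ]; then
            echo "PASS $kw $got"
        else
            echo "FAIL $kw $got (want $want)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample config (not from a real host): the lower-case line comes
# first, so it overrides the later "PasswordAuthentication no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "settings to fix: $?"
rm -f "$sample"
```

On a live host, sudo sshd -t validates the file's syntax before the restart, and sudo sshd -T prints the effective configuration including Include files.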

Firewall:

sudo ufw allow OpenSSH
sudo ufw enable
# Only needed if sshd was moved to port 2222
sudo ufw allow 2222/tcp

Use Fail2ban or CrowdSec to prevent brute-force:

sudo apt install fail2ban

For sensitive servers, use a bastion/jump host to restrict direct access to private networks.

Practical tips for different applications

For traders (VPS for trading)

Choose a location close to broker or exchange servers for the lowest latency. We have over 85 global locations that can provide a location close to your target market.

It is recommended to restrict SSH to a static IP only, or to access via VPN:

sudo ufw allow from 203.0.113.5 to any port 22

For gamers (gaming VPS)

For game servers, use locations with strong peering and proper CDN/BGP. Use SSH keys instead of passwords and a bastion host to reduce the attack surface.

For AI and rendering (GPU Cloud)

Use strong keys (ed25519/RSA4096) to connect to GPU servers and assign a separate user and key for each project.

rsync -avz -e "ssh -i ~/.ssh/id_ed25519 -p 2222" /local/path user@remote:/remote/path

For hosting and GitLab hosting

Use a server-specific key (deploy key) with limited access so the server can automatically access private repositories.

Key management, rotation and standards

  • Rotate keys periodically (e.g. every 6 to 12 months).

  • Remove the old keys from authorized_keys and delete them from the cloud panel.

  • Use a passphrase for the private key and store it in a password manager.

  • In organizations, use SSH certificates and CA for centralized management (OpenSSH CA).

Additional Tips and Troubleshooting

When you get the error Permission denied (publickey), check that the public key exists in ~/.ssh/authorized_keys and that the permissions are correct.

sudo journalctl -u sshd -e
sudo tail -f /var/log/auth.log
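
A local check for the two causes named above (key missing from authorized_keys, wrong permissions), as an added example that is not part of the original article. The function names and the sample key blob are constructed, and the script assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example: local checks for "Permission denied (publickey)". With StrictModes
# (the sshd default) sshd ignores authorized_keys when the home directory, ~/.ssh or
# the file is group/world-writable. Assumes GNU stat (Linux); ownership is not checked.

# writable_by_others PATH -> success if group or other has the write bit
writable_by_others() {
    case $(stat -c %a "$1") in
        *[2367]?|*[2367]) return 0 ;;
    esac
    return 1
}

# key_listed PUBKEY_FILE AUTHORIZED_KEYS -> success if the key blob is present.
# Options (from="...") may precede the blob in authorized_keys, so every field is compared.
key_listed() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
    [ -n "$blob" ] || return 1
    awk -v b="$blob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == b) { ok = 1; exit } }
        END { exit !ok }
    ' "$2"
}

# diagnose_pubkey HOME_DIR PUBKEY_FILE -> prints findings; status = their count
diagnose_pubkey() {
    n=0; ak="$1/.ssh/authorized_keys"
    for p in "$1" "$1/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; n=$((n + 1))
        elif writable_by_others "$p"; then
            echo "group/world-writable: $p"; n=$((n + 1))
        fi
    done
    if [ -f "$ak" ] && ! key_listed "$2" "$ak"; then
        echo "key not in authorized_keys: $2"; n=$((n + 1))
    fi
    return "$n"
}

# Demo on a constructed home directory; the key blob is a made-up placeholder.
demo=$(mktemp -d); mkdir "$demo/.ssh"; chmod 700 "$demo/.ssh"
echo 'ssh-ed25519 AAAAC3CONSTRUCTEDBLOB user@laptop' > "$demo/id.pub"
echo 'from="203.0.113.5" ssh-ed25519 AAAAC3CONSTRUCTEDBLOB user@laptop' > "$demo/.ssh/authorized_keys"
chmod 664 "$demo/.ssh/authorized_keys"
diagnose_pubkey "$demo" "$demo/id.pub" || echo "findings: $?"
rm -rf "$demo"
```

On the server, run it as the login user: diagnose_pubkey "$HOME" /path/to/uploaded_key.pub.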

If you are using ProxyJump or a jump host, an ssh config file is useful:

Host bastion
  HostName bastion.example.com
  User ubuntu
  IdentityFile ~/.ssh/id_ed25519

Host internal-*
  ProxyJump bastion
  User deploy
  IdentityFile ~/.ssh/id_deploy

Use ServerAliveInterval and ServerAliveCountMax in the ssh config to prevent sessions from disconnecting unexpectedly.

Final security recommendations

Restricting SSH access to IPs, using a VPN or private network, and using anti-DDoS services for sensitive servers are other important points.

Summary and suggested checklist

  • Key creation: ed25519 with passphrase

  • File protection: chmod 700 ~/.ssh && chmod 600 private_key

  • Activating SSH-Agent and adding keys

  • Upload the public key to the AWS panel or datacenter or use cloud-init

  • Disabling PasswordAuthentication and PermitRootLogin

  • Firewall/UFW and Fail2ban or CrowdSec

  • Using bastion, IP restriction, and VPN for sensitive access

  • Regular key duplication and rotation
