How to Reset Your SSH Key on an AWS EC2 Instance

If you've lost your SSH key for an EC2 instance, don't panic. In this guide, I'll walk you through the process of resetting your SSH key without compromising your instance. By following these steps, you can safely regain access to your instance.

Overview

The process involves creating a temporary EC2 instance, detaching the root volume from the original instance, mounting it on the temporary instance, updating the authorized_keys file with a new public key, and finally reattaching the volume to the original instance. Before you begin, make sure you have an Elastic IP address associated with your instance so that the IP address remains consistent throughout the process.

Step-by-Step Guide

1. Log in to the AWS Console

  • Navigate to the EC2 service.
  • Select Instances from the menu on the left.
  • Identify your instance and click on its Instance ID.

2. Prepare the Backup of the Original Instance Volume

  • Create a backup of the volume:

  • Click on the Storage tab to view the Volume ID and device name.

  • Create a snapshot by clicking on the Volume ID, selecting Actions > Create Snapshot, and entering a description. Wait until the snapshot process is complete.

  • Ensure Elastic IP:

  • Make sure your instance has an Elastic IP address. If not, assign one to avoid losing connection details when restarting the instance.

3. Create a Temporary Instance for the Reset

  • Launch a new instance:

  • Click on Launch Instances.

  • Give the new instance a name (e.g., "ssh-key-reset") and make sure it is launched in the same availability zone as the original instance.

  • The default values can be used for the operating system and instance type.

  • Create a new key pair:

  • When prompted for key pair options, select Create a new key pair (e.g., "ssh-key-reset").

  • Download the key file (make sure to store it securely).

  • Note for Windows users: Use a PPK file with PuTTY, while Linux and macOS users can use the PEM file.

4. Detach the Volume from the Original Instance

  • Stop the instance:

  • Select your original instance and click on Instance State > Stop Instance.

  • Wait until the instance state changes to "Stopped".

  • Detach the volume:

  • Go to the Storage tab, click on the Volume ID, and select Actions > Detach Volume.

  • Wait until the volume status changes to "Available".

5. Attach the Volume to the Temporary Instance

  • Attach volume:
  • While the volume is still selected, click on Actions > Attach Volume.
  • Select the temporary instance you just created.
  • Leave the device name as default (or note it down for later).

Troubleshooting: If you receive an error message that the volume cannot be attached because the instance has not been stopped, make sure the temporary instance is stopped before attaching the volume.

  • Stop the temporary instance:
  • If necessary, stop the temporary instance and then reattach the volume.
  • Start the temporary instance:
  • Once the volume is attached, start the temporary instance.

6. Connect to the Temporary Instance via SSH

  • Set up the correct permissions:

  • Open your terminal and make sure your new key file has the correct permissions: chmod 600 /path/to/ssh-key-reset.pem

  • SSH into the instance:

  • Use the SSH command to connect: ssh -i /path/to/ssh-key-reset.pem ec2-user@<temporary-instance-ip>

  • Accept the key fingerprint:

  • Type "yes" when prompted to confirm the key fingerprint.

7. Mount the Detached Volume

  • Become root:
  • Run the following command to switch to the root user: sudo su -
  • Identify the device:
  • Use parted -l to list available drives and find the partition (usually something like /dev/xvdf1 for a volume with a single partition).
  • Mount the volume:
  • Mount the volume to a temporary directory: mount /dev/xvdf1 /mnt

8. Update the Authorized Keys File

  • Find the user directory:

  • Navigate to the user's home directory on the original instance. For example, if the old operating system was Amazon Linux with a user named ec2-user, then: cd /mnt/home/ec2-user/.ssh

  • Generate a new SSH key pair (optional):

  • You can generate a new SSH key pair on the temporary instance: ssh-keygen -f new_ssh_key

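  • This will create two files in the current directory: a private key (new_ssh_key) and a public key (new_ssh_key.pub). The private key has to be on the machine you will connect from in step 10, so copy it there and do not leave a copy on the volume.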

  • Add the new public key:

  • Open the authorized_keys file with your preferred editor (e.g., vi): vi authorized_keys

  • Append the contents of new_ssh_key.pub to the end of the file.

  • Save and exit the editor (in vi, press Escape, type :wq, and press Enter).
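
A scripted alternative to editing authorized_keys by hand in step 8, added here as an example and not part of the original guide. The function name install_pubkey is hypothetical and the paths in the usage comment are the ones used in this guide. It refuses a private key, skips a key that is already present, and keeps the file modes sshd accepts. It recognises RSA, Ed25519 and ECDSA keys only.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): append one public key to the
# authorized_keys file on the mounted volume without tripping sshd's checks.
# Usage as root: install_pubkey /mnt/home/ec2-user/.ssh new_ssh_key.pub
install_pubkey() {
    local ssh_dir="$1" pubkey_file="$2"
    local auth="$ssh_dir/authorized_keys" key owner

    [ -d "$ssh_dir" ] && [ -r "$pubkey_file" ] || {
        echo "need an existing .ssh directory and a readable key file" >&2; return 1; }

    # Guard against pasting the private half, or a file with several lines.
    if grep -q 'PRIVATE KEY' "$pubkey_file" ||
       [ "$(grep -c . "$pubkey_file")" -ne 1 ]; then
        echo "refusing: $pubkey_file is not a single public key line" >&2
        return 2
    fi

    # Key type + base64 blob identify the key; the trailing comment does not.
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey_file")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "refusing: unrecognised key format" >&2; return 2 ;;
    esac

    # Already authorised: leave the file untouched.
    if [ -f "$auth" ] && grep -qF -- "$key" "$auth"; then
        return 0
    fi

    if [ ! -e "$auth" ]; then
        # New file: give it the same numeric owner as .ssh, since root on the
        # temporary instance would otherwise own it.
        : > "$auth"
        owner=$(ls -ldn "$ssh_dir" | awk '{ print $3 ":" $4 }')
        chown "$owner" "$auth"
    elif [ -n "$(tail -c 1 "$auth")" ]; then
        # Existing file lacks a final newline; add one so two keys do not merge.
        printf '\n' >> "$auth"
    fi

    grep . "$pubkey_file" >> "$auth"
    # sshd (StrictModes) rejects group- or world-writable key files.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
}
```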

9. Detach and Reattach the Volume

  • Shut down the temporary instance:

  • Shut down the temporary instance to safely detach the volume: shutdown -h now

  • Detach the volume from the temporary instance:

  • In the AWS Console, go to the Storage tab, select the volume, and choose Actions > Detach Volume.

  • Reattach the volume to the original instance:

  • Reattach the volume to the original instance with the original device name (e.g., /dev/sda1).

10. Restart the Original Instance and Test the Connection

  • Start the original instance:

  • In the AWS Console, select the original instance and click on Instance State > Start Instance.

  • SSH into the original instance:

  • Connect to your original instance using the private key that matches the public key you added in step 8: ssh -i /path/to/new_private_key.pem ec2-user@<elastic-ip-address>

  • Verify access:

  • After logging in, you should have full access with your new SSH key.

11. Clean Up Temporary Resources

  • Terminate the temporary instance:
  • In the AWS Console, select the temporary instance, click on Instance State > Terminate Instance, and confirm the action.

Conclusion

Resetting your SSH key on an AWS EC2 instance may seem daunting at first, but if you carefully follow the steps above, you can safely restore access without risking data loss. Always remember to create a snapshot of your volume before making changes, and make sure you work within the same availability zone to avoid complications.

Happy cloud computing!

