Connecting to EC2 from Chrome’s Secure Shell using only a PEM file

Gee, what a title. I know this post is going to be popular.

First, you need to generate your public key from your private key like this:

    ssh-keygen -y -f yourkey.pem >

Then, in Secure Shell, select the “Import…” link to bring up a file picker. You must import two files for each identity: a private key and a public key. For example, you would select both “yourkey.pem” and “”.
It should look something like this:
Then just connect! Once connected, you can bookmark the page for instant access.
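
A pre-import check for the two files described above, as an added example that is not from the original post or the Secure Shell project: it prepares an extension-less private key plus a `.pub` derived with `ssh-keygen -y`, and flags a `.pub` file that holds anything else, including a copy of the private key. The function names and the `NAME.pub` output name are assumptions.

```shell
#!/bin/sh
# Added example, not Secure Shell code. Function names are hypothetical.

# Classify a key file by its first line (CRs stripped in case it travelled by mail).
classify_key_file() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") echo private-pem ;;
        "-----BEGIN PUBLIC KEY-----"|"-----BEGIN RSA PUBLIC KEY-----") echo public-pem ;;
        "---- BEGIN SSH2 PUBLIC KEY ----") echo public-rfc4716 ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) echo public-openssh ;;
        *) echo unknown ;;
    esac
}

# prepare_identity PEM OUTDIR NAME
# Copy the PEM to an extension-less NAME (mode 600) and derive NAME.pub from it.
prepare_identity() {
    ( umask 077
      cp "$1" "$2/$3" && chmod 600 "$2/$3" &&
      ssh-keygen -y -f "$2/$3" > "$2/$3.pub" )
}

# check_identity_pair DIR NAME
# Print one line per problem; return 0 only if the pair matches the layout above.
check_identity_pair() {
    dir=$1; name=$2; rc=0
    case "$name" in
        *.*) echo "private key name '$name' must not have an extension"; rc=1 ;;
    esac
    for f in "$dir/$name" "$dir/$name.pub"; do
        [ -f "$f" ] || { echo "missing file: $f"; return 1; }
    done
    kind=$(classify_key_file "$dir/$name")
    [ "$kind" = private-pem ] || { echo "$name: $kind, expected a PEM private key"; rc=1; }
    kind=$(classify_key_file "$dir/$name.pub")
    case "$kind" in
        public-openssh) ;;
        private-pem) echo "$name.pub contains a PRIVATE key; never share this file"; rc=1 ;;
        *) echo "$name.pub: $kind, not the one-line format ssh-keygen -y writes"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed files: the same PEM copied to both names.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed)' > "$demo/yourkey"
cp "$demo/yourkey" "$demo/yourkey.pub"
check_identity_pair "$demo" yourkey || true
rm -rf "$demo"
```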

41 thoughts on “Connecting to EC2 from Chrome’s Secure Shell using only a PEM file”

  1. Thanks for the guide. I had problems connecting but after reading the docs I found this.

    You must import two files for each identity. One should be the private key
    and should not have a file extension. The other should be the public key,
    and must end in “.pub”. For example, “id_rsa” and “”.

    1. Thank you for this note Bjarki! This was super helpful. At first I assumed the names didn’t matter, and named the files differently. Then I tried naming them the same but with .pem. (e.g. yourkey.pem and But this still didn’t work. The requirement was that the private key (pem) file must have no extension. So e.g. yourkey and

    2. I got it to work by giving the Private Key 600 permissions and 400 to the Public and removing the file extension on the private key. Much appreciated!

    1. Billy, you’ll need to run ssh-keygen on a third device — the chromebook & crosh alone can’t do it. If you have access to a mac or a pc with cygwin etc, then you can use chrome remote desktop to do the job, then email the resultant files (one made by ssh-keygen, and the other a copy of the pem file with the pem suffix removed) back to your chromebook — google drive won’t work here — but after that it works swimmingly. Thanks Matt!

  2. What I found is that both the private and public filenames MUST match, i.e. if converting dave.pem then the files need to be called dave (privatekey) and (public key).

    When I attempted to use dave.pem and it just refused to import the identity (although it would have been nice if it had told me what the problem was!)

    1. David, after weeks of research you finally hit the nail on the head for me. The filenames must match with the exception of the .pub extension! Thank you.

  4. When I try to follow the instructions using both billy.pem and

    I receive the following:

    Enter passphrase for key ‘/.ssh/billy’:
    Permission denied (publickey).
    NaCl plugin exited with status code 255.

    I didn’t actually set it up to use a password, so I’m wondering where the problem may reside.

  5. Hi there, I’ve followed the instructions but with no luck. I’m using Secure Shell on a Samsung 550 Chromebook, trying to connect to an AWS EC2 instance. I imported my private and public keys (renamed the .pem file to remove the extension) but I keep getting this:
    Loading NaCl plugin… done.
    Permission denied (publickey).
    NaCl plugin exited with status code 255.
    (R)econnect, (C)hoose another connection, or E(x)it?

    I’ve tried restarting the instance but it didn’t make any difference. I’d really appreciate any advice anybody can give me.

      1. Can you be a bit more specific? I had the same problem, and trying your solution did not help. Specifically, I took the private key file and created the RSA public key using:

        ssh-keygen -f id.pem -e -m pem >

        Then, I removed the .pem extension, such that I had “id” and “” for private and public keys, both in RSA format (with the BEGIN RSA … and END RSA …).

        I loaded both files into Secure Shell chrome extension, used the correct username and ec2 instance address, and got the same error as you did:

        Loading NaCl plugin… done.
        Permission denied (publickey).
        NaCl plugin exited with status code 255.
        (R)econnect, (C)hoose another connection, or E(x)it?

        Any ideas?

        1. I did this same thing.

          I can get the private RSA key (aws_key — after removing .pem) and I can get the public RSA key ( When I load them in I get a 255er.

          Anyone get past this recently?

  6. you may need to modify the permission of your .pem file, like below, in order to successfully create the .pub key

    chmod 600 yourkey.pem

    and then run,
    ssh-keygen -y -f yourkey.pem >

    and have a fruitful login to server

  7. This works like a charm!

    The only additional thing that I did is to rename “yourkey.pem” to simply “yourkey” (as per Bjarki), imported both the files via the import button, and voila!

  8. Thanks all! Was scratching my head until I saw Eran’s comment re: making sure your public key is in RSA format for Secure Shell. To recap several comments and how to make this work…

    Presumably (and this is my case) I wanted to be able to use Secure Shell on a Chromebook w/o fooling with developer mode. Using developer mode, obviously you would just use crosh, drop into a shell and setup your keys in your .ssh directory…end of story…but let’s use Secure Shell on a virgin chromebook…

    It is assumed you have some kind of access to your .pem file for accessing your EC2 instance AND you can connect to that instance in some way shape or form. In my case, I hopped from another server that had the private key setup so I could access my EC2 instance.

    1) extract your public key from the .pem file in RSA format!

    $ openssl rsa -in user.pem -pubout >

    2) Download the pem file and the public key to your Chromebook – I mailed it to myself…note I made the name of the .pem file ‘user’ and dropped the .pem extension which is necessary to allow Secure Shell to successfully import the keys. As stated in above comments, Secure Shell wants two files, one with no extension (your private key) and one with the same name but with a extension of .pub (your public key).

    $ uuencode user.pem user | mail -s ‘private key’
    $ uuencode | mail -s ‘public key’

    3) import the files (both of them – user, to Secure SSH. Click on “Import…” and select both of the files from the file picker

    4) set up your host and username and connect – bingo

  9. Thanks for this! It was just the little tip I needed when I was in a pinch and had nothing but my Chromebook to work with.

    Speaking of which, I was able to follow the instructions in the article entirely from my Chromebook without a PC or Mac by making use of the PythonAnywhere service, which lets you run a remote bash shell in the browser. I was able to upload my PEM file from the Chromebook through their web-based file management tools, run the ssh-keygen command in their bash environment, download the resulting files back to my Chromebook and delete all my keys from PA’s server.

    This is not a paid endorsement of PythonAnywhere, I’m just a big fan of their service. I should point out that they have a free “Beginner” level of account which would be enough to do the work I described. Hope that helps someone else in the future like it helped me!

    1. Hey Dave! I’m a complete newbie to this sort of thing, in addition I’m only 15 YO. While using the pythonanywhere service it tells me invalid syntax after inputting “ssh-keygen -y -f yourkey.pem >”. I was running Python 2.7 on the website. Any reply is greatly appreciated!

  10. OK, as about a million people have read this thread and had various levels of success I’ll add my tuppence worth.

    I tried everything listed above using the default Amazon linux instance. None of the suggestions worked. This is with the ssh extension to Chrome.

    Eventually I deleted that instance and created a Ubuntu instance. This time I just downloaded the *.pem file and copied it. Renamed one of them as *.pub and the other I just removed the extension. Loaded both files into the ssh identity, made sure port 22 was added and bang! Connected first time. No generation of files required on a third party system.

    1. Kester’s solution worked perfectly for me. What was giving me the 255 as well was my user was off. Make sure you’re using the right one, which in my case, was ubuntu (not ec2-user nor root nor whatever).

  11. from my pixel with secure shell extension installed:
    1. downloaded my .pem file in google drive
    2. in gdrive, made a copy of it, renamed it the same but with .pub
    3. started secure shell
    4. entered the public dns info ec2-user@yourpublicdnsinfofromec2console
    5. clicked import and selected both .pem and .pub
    6. enter

    it worked, no need to convert it with ssh command on another machine

  12. Here’s the complete set of steps for the Linux host I want to log in to, which doesn’t allow password-based logins.

    1) Generate the keyfiles with a passphrase. I used the following command on the Linux host:
    $ ssh-keygen -f chromebook
    This creates files “chromebook” and “”.
    2) Add the contents of the public keyfile, e.g., “”, to ~/.ssh/authorized_keys
    $ cat >> ~/.ssh/authorized_keys
    3) Copy the private and public key files to the Chromebook. I copied them via sneakernet and an SD card
    4) Import BOTH private AND public key files via the SSH extension dialog box. Yes, this is unusual.
    5) Add “-v” to the SSH arguments. Without this, I never saw the SSH extension’s prompt to permit access to the target host, which caused the login attempt to be rejected.
    6) Connect to the target host.
    7) Answer “y” when prompted about connecting to the target host.
    8) Enter your key’s passphrase when prompted.
    9) You can now remove the “-v” from the SSH arguments
    10) Yes, you’ll need to enter the passphrase every time you log onto the host.

  13. I seem to have a problem when I want to create a 2nd connection with a different key. I keep trying to import, but it doesn’t let me.

    However, if I delete the connections that use the other key file (key1 and, for instance), then I am able to import key2 and into the connection I’m setting up.

    Does anyone else experience this issue?

  14. At least in version 0.21 the public key is not needed for successful import of private key.
    Secondly, the Identity drop-down is not updated with the imported key, remember to refresh with F5 😉
