Windows PEM to PPK Complete Guide: PuTTY Key Conversion & SSH Connection Setup


In the world of cloud computing and remote server management, SSH (Secure Shell) connections are essential tools for system administrators and developers. For Windows users, PuTTY is one of the most popular SSH clients. However, cloud services like AWS EC2 and Azure VMs typically provide private keys in PEM format, while PuTTY uses PPK (PuTTY Private Key) format. This article provides a detailed explanation of how to convert PEM files to PPK files on Windows, covering complete connection setup and troubleshooting.

Why Convert PEM to PPK?

SSH Key Format Differences

| Feature | PEM Format | PPK Format |
|---|---|---|
| Full Name | Privacy-Enhanced Mail | PuTTY Private Key |
| Standard | OpenSSH standard format | PuTTY proprietary format |
| Platform | Linux, macOS, Windows (OpenSSH) | Windows (PuTTY, WinSCP) |
| File Header | -----BEGIN RSA PRIVATE KEY----- | PuTTY-User-Key-File-2: |
| Encryption | Optional (via passphrase) | Optional (via passphrase) |
| Compatibility | Widely supported | PuTTY toolchain only |

Common Use Cases

  • AWS EC2: Downloaded key pairs are in .pem format
  • Azure VM: Supports SSH public key authentication, private keys typically in PEM format
  • Google Cloud Platform: Compute Engine instances use OpenSSH format
  • Self-hosted Linux servers: Usually generate OpenSSH format keys

If you use PuTTY as your SSH client, you need to convert these PEM format keys to PPK format.

Method 1: Convert Using PuTTYgen (GUI)

Step 1: Install PuTTY Suite

Download and Install

  1. Visit official website: https://www.putty.org/
  2. Select installer:
    • 64-bit x86: putty-64bit-X.XX-installer.msi
    • 32-bit x86: putty-X.XX-installer.msi
    • ARM64: putty-arm64-X.XX-installer.msi
  3. Run installer:
    • Accept license agreement
    • Choose installation path (default: C:\Program Files\PuTTY)
    • Complete installation

Suite Contents

After full installation, you’ll have access to:

  • PuTTY: Main SSH client
  • PuTTYgen: Key generation and conversion tool
  • Pageant: SSH key management agent
  • PSFTP: SFTP client
  • PSCP: SCP client
  • Plink: Command-line SSH tool

Step 2: Convert Key Using PuTTYgen

Launch PuTTYgen

Method 1: Start Menu

Windows Key → Type "PuTTYgen" → Click "PuTTYgen"

Method 2: Direct Execution

C:\Program Files\PuTTY\puttygen.exe

Import PEM Key

  1. Click “Conversions” menu
  2. Select “Import key”
  3. Browse and select your .pem file
    • File type defaults to “All Files (*.*)”
    • Select your PEM key (e.g., my-key.pem)
  4. If key has passphrase, enter password

Key Information Display

After successful import, PuTTYgen window shows:

  • Key fingerprint: Key fingerprint (for verification)
  • Key comment: Key comment (editable)
  • Public key: Public key content (copyable)
  • Parameters: Key parameters (type, bit size)

Save as PPK Format

  1. (Optional) Modify key comment
    • Enter descriptive text in “Key comment” field
    • Example: AWS-EC2-Production-Server
  2. (Optional) Set passphrase
    • Enter password in “Key passphrase” field
    • Re-enter in “Confirm passphrase” field
    • Recommended: set a passphrase so the private key is stored encrypted
  3. Click “Save private key” button
  4. If no password set, warning message appears
    • “Are you sure you want to save this key without a passphrase to protect it?”
    • Choose “Yes” or “No” based on requirements
  5. Choose save location and name
    • Recommend descriptive name: aws-ec2-prod.ppk
    • Save in secure location (e.g., C:\Users\YourName\.ssh)

Step 3: Verify Conversion Result

# Check PPK file content (PowerShell)
Get-Content C:\Users\YourName\.ssh\aws-ec2-prod.ppk -Head 5

# Sample output:
# PuTTY-User-Key-File-2: ssh-rsa
# Encryption: none
# Comment: AWS-EC2-Production-Server
# Public-Lines: 6
# AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
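
The header check above can be scripted and extended to a fingerprint comparison. The following is an added example, not part of the original article: Get-PpkInfo is a name chosen for this illustration, and the file path is the sample path used above. It reads only the public header of the PPK file, so no passphrase is needed.

```powershell
# Added example. Get-PpkInfo is a name chosen for this illustration.
function Get-PpkInfo {
    param([Parameter(Mandatory)][string]$Path)

    $lines = @(Get-Content -LiteralPath $Path)
    if ($lines[0] -notmatch '^PuTTY-User-Key-File-(\d+): (\S+)$') {
        throw "$Path does not start with a PuTTY-User-Key-File header"
    }
    $version = [int]$Matches[1]
    $keyType = $Matches[2]

    # Read the "Name: value" header lines up to and including Public-Lines
    $header = @{}
    $i = 1
    while ($i -lt $lines.Count -and $lines[$i] -match '^([A-Za-z-]+): (.*)$') {
        $name = $Matches[1]
        $header[$name] = $Matches[2]
        $i++
        if ($name -eq 'Public-Lines') { break }
    }
    $count = [int]$header['Public-Lines']
    if ($count -lt 1) { throw "$Path has no usable Public-Lines field" }

    # The next $count lines are the base64 public key blob. Its SHA-256 digest,
    # base64-encoded without padding, is the fingerprint OpenSSH prints.
    $b64  = ($lines[$i..($i + $count - 1)] -join '')
    $blob = [Convert]::FromBase64String($b64)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $fp   = 'SHA256:' + [Convert]::ToBase64String($sha.ComputeHash($blob)).TrimEnd('=')
    $sha.Dispose()

    [pscustomobject]@{
        Path          = $Path
        FormatVersion = $version
        KeyType       = $keyType
        Encryption    = $header['Encryption']
        Comment       = $header['Comment']
        Fingerprint   = $fp
        Encrypted     = ($header['Encryption'] -ne 'none')
    }
}

$info = Get-PpkInfo 'C:\Users\YourName\.ssh\aws-ec2-prod.ppk'
$info | Format-List
if (-not $info.Encrypted) {
    Write-Warning "$($info.Path) is stored without a passphrase"
}
```

Compare the Fingerprint value with the output of ssh-keygen -l -f my-key.pem for the original key; the two should be identical if the conversion preserved the key.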

Method 2: Convert Using WinSCP (Integrated Approach)

WinSCP is another Windows SFTP/SCP client with built-in PEM to PPK conversion.

Steps

  1. Download and install WinSCP
  2. In login window, click “Advanced” → “SSH” → “Authentication”
  3. In “Private key file” field, browse and select your .pem file
  4. WinSCP automatically prompts conversion
  5. Click “OK”, choose location to save PPK file

Method 3: Using PowerShell / OpenSSH (Windows 10/11)

Windows 10 (1809+) and Windows 11 include a built-in OpenSSH client, which can use PEM keys directly.

Check if OpenSSH is Installed

# Check OpenSSH client
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Client*'

# If not installed, install it
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Direct Connection Using PEM Key

# Set key permissions (important!)
# PowerShell does not expand %username%, so use $env:USERNAME instead
icacls "C:\Users\YourName\.ssh\my-key.pem" /inheritance:r
icacls "C:\Users\YourName\.ssh\my-key.pem" /grant:r "$($env:USERNAME):R"

# Use SSH to connect
ssh -i C:\Users\YourName\.ssh\my-key.pem ubuntu@ec2-xx-xx-xx-xx.compute.amazonaws.com

Advantage: No format conversion needed, direct use of OpenSSH standard tools.

Connecting to Remote Server Using PPK Key

Method 1: Using PuTTY

  1. Launch PuTTY
  2. Session Settings
    • Host Name: Enter server IP or domain name
    • Port: 22 (SSH default port)
    • Connection type: SSH
  3. SSH Key Settings
    • Expand left menu: Connection → SSH → Auth
    • Click “Browse…”
    • Select your PPK file
  4. (Optional) Save connection settings
    • Return to “Session” category
    • Enter name in “Saved Sessions” (e.g., AWS Production)
    • Click “Save”
  5. Click “Open” to start connection
  6. First connection shows security warning
    • “The server’s host key is not cached in the registry”
    • Click “Yes” to trust and save
  7. Enter username
    • AWS EC2 Ubuntu: ubuntu
    • AWS EC2 Amazon Linux: ec2-user
    • Azure Ubuntu VM: Username you set during creation

Method 2: Using Pageant (Key Agent)

Pageant is PuTTY’s SSH key agent. It holds your loaded keys and provides them automatically, so you don’t have to select a key file for each connection.

  1. Launch Pageant
    • Windows Key → Type “Pageant” → Execute
    • Pageant runs in system tray (displays as computer icon)
  2. Load PPK key
    • Double-click Pageant icon in system tray
    • Click “Add Key”
    • Select your PPK file
    • If key has passphrase, enter password
  3. Connect using PuTTY
    • No need to specify key file when connecting
    • Pageant automatically provides key

Method 3: Using WinSCP File Transfer

  1. Launch WinSCP
  2. In login window, configure:
    • File protocol: SFTP
    • Host name: Server IP
    • Port number: 22
    • User name: Login user
  3. Click “Advanced” → “SSH” → “Authentication”
  4. In “Private key file” select your PPK file
  5. Click “Login” to connect

Common Troubleshooting

Issue 1: “PuTTYgen doesn’t support this type of key file”

Cause: PEM file format incorrect or corrupted.

Solution:

  1. Check the first line of the PEM file (this avoids printing the whole private key to the console):
    Get-Content my-key.pem -TotalCount 1
    
    Confirm file starts with:
    -----BEGIN RSA PRIVATE KEY-----
    or
    -----BEGIN PRIVATE KEY-----
    or
    -----BEGIN OPENSSH PRIVATE KEY-----
    
  2. If the key is in the new OpenSSH format, convert it to PEM using OpenSSH tools (this rewrites my-key.pem in place, so work on a copy):
    ssh-keygen -p -m PEM -f my-key.pem
    

Issue 2: “Server refused our key”

Cause: The public key stored on the server doesn’t match your private key, or the permission settings are incorrect.

Solution:

  1. Confirm using correct key pair
  2. Check server-side ~/.ssh/authorized_keys file permissions:
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    
  3. Verify public key content matches correctly

Issue 3: “Disconnected: No supported authentication methods available”

Cause: Server hasn’t enabled public key authentication, or sshd_config misconfigured.

Solution:

Check server-side SSH configuration:

sudo nano /etc/ssh/sshd_config

# Confirm following settings:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Restart SSH service
sudo systemctl restart sshd

Issue 4: “Unable to use key file” (Permission Issue)

Cause: Windows file permissions too permissive.

Solution:

# Remove inherited permissions
icacls "C:\path\to\key.ppk" /inheritance:r

# Grant current user full control
# (PowerShell does not expand %username%, so use $env:USERNAME)
icacls "C:\path\to\key.ppk" /grant:r "$($env:USERNAME):F"

# Verify permission settings
icacls "C:\path\to\key.ppk"

Security Best Practices

1. Key Management

  • Protect keys with strong passphrase: Recommend at least 20 characters
  • Rotate keys regularly: Replace every 6-12 months
  • Backup keys: Store in encrypted backup device or password manager
  • Don’t share private keys: Each user should have their own key pair
  • Avoid storing keys in shared locations: Like network drives or cloud sync folders

2. File Permissions

# Ensure private keys are only accessible by the current user
# (PowerShell does not expand %username%, so use $env:USERNAME)
icacls "C:\Users\YourName\.ssh\*.ppk" /inheritance:r
icacls "C:\Users\YourName\.ssh\*.ppk" /grant:r "$($env:USERNAME):F"
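
To confirm that the icacls commands here and under Issue 4 had the intended effect, the ACLs can be audited. The following is an added example, not part of the original article: Test-KeyFileAcl is a name chosen for this illustration, and treating SYSTEM and Administrators as acceptable alongside the current user is an assumption of the example. Principals are compared by SID so the check works on localized Windows installations.

```powershell
# Added example. Test-KeyFileAcl is a name chosen for this illustration.
function Test-KeyFileAcl {
    param([Parameter(Mandatory)][string]$Directory)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Assumption of this example: only these principals may hold access
    $allowed = @(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        'S-1-5-18'       # SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )

    Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $_.Extension -in @('.ppk', '.pem') } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            # Explicit and inherited rules, with identities returned as SIDs
            $rules = $acl.GetAccessRules($true, $true, $sidType)
            $extra = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -notin $allowed
            })
            [pscustomobject]@{
                File                = $file.Name
                Owner               = $acl.Owner
                InheritanceDisabled = $acl.AreAccessRulesProtected
                OtherPrincipals     = ($extra | ForEach-Object {
                                          $_.IdentityReference.Value
                                      } | Sort-Object -Unique) -join ', '
                Ok                  = ($acl.AreAccessRulesProtected -and
                                       $extra.Count -eq 0)
            }
        }
}

Test-KeyFileAcl "$env:USERPROFILE\.ssh" | Format-Table -AutoSize
```

Any row with Ok set to False either still inherits permissions from its parent folder or grants access to a principal listed in OtherPrincipals.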

3. Key Strength

  • RSA: At least 2048 bits (4096 bits recommended)
  • ED25519: Modern, more secure algorithm (recommended)
  • ECDSA: 256 bits or higher

4. Server-Side Security Settings

# Disable password login (allow only key authentication)
sudo nano /etc/ssh/sshd_config

# Modify following settings:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

# Restart SSH
sudo systemctl restart sshd

5. Use SSH Credential Management Tools

  • Windows Credential Manager: Integrated with Windows
  • KeePass: Open-source password manager
  • 1Password / Bitwarden: Commercial solutions supporting SSH key storage

Advanced Tips

Batch Convert Multiple PEM Files

Automate conversion using PowerShell:

# Batch conversion script
$pemFiles = Get-ChildItem -Path "C:\keys" -Filter "*.pem"

foreach ($pem in $pemFiles) {
    # Escape the dot so only a literal ".pem" suffix is replaced
    $ppkFile = $pem.FullName -replace '\.pem$', '.ppk'
    
    # Use PuTTYgen command-line mode
    & "C:\Program Files\PuTTY\puttygen.exe" $pem.FullName -o $ppkFile
    
    Write-Host "Converted: $($pem.Name) → $([System.IO.Path]::GetFileName($ppkFile))"
}

Using WSL (Windows Subsystem for Linux)

If you have WSL installed, use Linux native SSH tools:

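# Use PEM key in WSL
# Copy the key into the WSL filesystem first: chmod on /mnt/c has no effect
# unless the Windows drive is mounted with the metadata option
mkdir -p ~/.ssh
cp /mnt/c/Users/YourName/.ssh/my-key.pem ~/.ssh/my-key.pem
chmod 600 ~/.ssh/my-key.pem
ssh -i ~/.ssh/my-key.pem ubuntu@server-ip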

Conclusion

Converting PEM format keys to PPK format is a necessary step for Windows users to connect to cloud servers using PuTTY. This article introduced three methods:

  • PuTTYgen: Suitable for GUI users, full-featured
  • WinSCP: Suitable for scenarios requiring file transfer
  • OpenSSH: Suitable for Windows 10/11 users, no conversion needed

You can choose the most suitable method based on your needs. Regardless of which method you choose, remember to follow security best practices to protect your SSH keys.

Quick Checklist:

  • ☐ PuTTY or OpenSSH installed
  • ☐ Successfully converted PEM to PPK (if using PuTTY)
  • ☐ Key passphrase configured
  • ☐ File permissions verified
  • ☐ Successfully connected to remote server
  • ☐ Private key backed up to secure location

Happy connecting!
