SSH, Keys, .pem, .ppk, PuTTY, and Windows vs Linux VMs: Explained Clearly

When working with cloud virtual machines, authentication is often the most confusing topic for beginners:

  • Why do we need SSH keys before a VM exists?
  • What exactly is a .pem file in AWS?
  • Why does Windows EC2 require password decryption?
  • What is PuTTY, and why does it use .ppk files?
  • Why can’t we just use PowerShell or a normal terminal?

This blog explains all of it from first principles, without assuming prior knowledge.


1. Does my laptop really support SSH?

Yes, your laptop already has SSH support.

Modern operating systems ship with OpenSSH, a standard cryptographic and networking tool:

  • Windows 10 / 11 → OpenSSH included
  • Linux → OpenSSH included
  • macOS → OpenSSH included

That’s why commands like these work out of the box:

ssh
ssh-keygen

👉 SSH is not provided by AWS or Azure.
It’s an operating system feature.


2. What is an SSH key pair?

When you generate an SSH key, your OS creates two mathematically linked files:

File          Example name         Lives where         Purpose
Private key   key, id_rsa, .pem    Your laptop only    Proves your identity
Public key    key.pub              Given to the VM     Verifies your identity

⚠️ The private key must never be shared.
The public key is safe to distribute.


3. Why must SSH keys exist before the VM is created?

Cloud VMs do not generate their own SSH keys.

Instead, the flow is:

  1. You create an SSH key pair locally
  2. You give the public key to the cloud provider
  3. The provider injects it into the VM during creation

On Linux VMs, the public key is stored in:

~/.ssh/authorized_keys

This file defines who is allowed to log in.


4. Where is the private key actually used?

This is a common misunderstanding.

The private key is never sent to the cloud.

It is used only on your laptop, later, when you connect:

ssh -i private_key user@vm-ip

At login time:

  1. SSH client uses your private key
  2. VM checks the stored public key
  3. Cryptographic proof succeeds
  4. Access is granted

The cloud platform is not involved in this step.
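
The flow from sections 3 and 4, as an added example that is not part of the original post. It uses throwaway keys in a scratch directory, and ssh-keygen's file-signing mode (-Y, OpenSSH 8.1+) stands in for the signature the SSH client produces at login. The names id_demo, demo-user and demo-login are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Throwaway keys in a caller-supplied directory; ~/.ssh is untouched.
# Needs OpenSSH 8.1+ (for ssh-keygen -Y sign / -Y verify).

# Steps 1-3 of section 3: make a key pair, hand over only the public half.
make_demo() {  # $1 = working directory
    ssh-keygen -q -t ed25519 -N '' -C demo@laptop -f "$1/id_demo" || return 1
    chmod 600 "$1/id_demo"                      # private key: owner-only
    cp "$1/id_demo.pub" "$1/authorized_keys"    # stand-in for the VM's file
}

# SHA256 fingerprint of a private key, public key, or authorized_keys entry.
fingerprint() { ssh-keygen -l -f "$1" | awk '{print $2}'; }

# Section 4: sign a challenge with a private key ("laptop"), then verify it
# using only the stored public key ("VM"). Returns 0 when the proof checks out.
prove_and_verify() {  # $1 = working directory, $2 = private key to sign with
    printf 'constructed challenge\n' > "$1/challenge"
    rm -f "$1/challenge.sig"
    ssh-keygen -Y sign -f "$2" -n demo-login "$1/challenge" >/dev/null 2>&1 || return 1
    # -Y verify reads "identity keytype base64key" lines, built here from
    # the authorized_keys entry.
    printf 'demo-user %s\n' "$(cut -d' ' -f1,2 "$1/authorized_keys")" > "$1/allowed_signers"
    ssh-keygen -Y verify -f "$1/allowed_signers" -I demo-user -n demo-login \
        -s "$1/challenge.sig" < "$1/challenge" >/dev/null 2>&1
}
```

Comparing fingerprint output for the local key and for the entry on the VM is a quick way to confirm which key a server actually trusts.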


5. AWS EC2 .pem files: what are they really?

In AWS, when you create a key pair:

  • AWS generates an SSH key pair
  • AWS keeps the public key
  • You download the private key as a .pem file

So a .pem file is simply:

An SSH private key

Nothing more.


6. Why Linux EC2 uses .pem directly

Linux EC2 instances:

  • Use SSH
  • Use key-based authentication
  • Do not allow passwords by default

That’s why this works:

ssh -i mykey.pem ec2-user@<public-ip>

The private key is used directly for authentication.


7. Why Windows EC2 is different

Windows EC2 instances:

  • Do not use SSH for login
  • Use RDP (Remote Desktop Protocol)
  • RDP requires a username and password

But AWS does not want to send passwords insecurely.

So AWS does this instead:

  1. Generates a random Administrator password
  2. Encrypts it using your public key
  3. Stores the encrypted password
  4. You download the .pem (private key)
  5. You decrypt the password locally
  6. You log in via RDP using that password

Important distinction

Linux EC2             Windows EC2
SSH                   RDP
Key-based login       Password-based login
.pem used directly    .pem used to decrypt password

So the .pem file is not used to log in directly to Windows.
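
The six steps above, simulated locally with openssl as an added example that is not part of the original post and is not AWS's own code. It assumes RSA with PKCS#1 v1.5 padding and base64 transport; the key files and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. "AWS" is simulated locally; key and password are constructed.

# Stand-in for the key pair: private key in a .pem, public half exported.
make_keypair() {  # $1 = path prefix
    openssl genrsa -out "$1.pem" 2048 2>/dev/null || return 1
    chmod 600 "$1.pem"
    openssl rsa -in "$1.pem" -pubout -out "$1.pub.pem" 2>/dev/null
}

# Provider side (steps 1-3): encrypt the password to the PUBLIC key, base64 it.
encrypt_password() {  # $1 = public key PEM, $2 = password
    printf '%s' "$2" |
        openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:pkcs1 |
        openssl base64 -A
}

# Your side (step 5): decode and decrypt locally with the PRIVATE key.
decrypt_password() {  # $1 = private key .pem, $2 = base64 ciphertext
    printf '%s' "$2" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:pkcs1 2>/dev/null
}

# True only if the given .pem recovers exactly the expected password.
# Newer OpenSSL may return random bytes instead of an error for a wrong key,
# so compare the plaintext (as hex) rather than trusting the exit status.
pem_unlocks() {  # $1 = private key .pem, $2 = ciphertext, $3 = expected
    [ "$(decrypt_password "$1" "$2" | od -An -tx1 | tr -d ' \n')" = \
      "$(printf '%s' "$3" | od -An -tx1 | tr -d ' \n')" ]
}
```

Only the holder of the matching .pem recovers the password, which is why the encrypted blob can be stored and fetched without exposing it.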


8. What exactly is PuTTY?

PuTTY is not just a terminal.

PuTTY is:

A Windows-native SSH client

Before Windows 10:

  • Windows had no built-in SSH
  • PuTTY was the standard way to:
    • SSH into Linux servers
    • Manage SSH keys
    • Save sessions

That’s why PuTTY became popular.


9. Is PuTTY the same as PowerShell or CMD?

No.

Tool               What it is
CMD                Shell
PowerShell         Shell
Windows Terminal   Terminal UI
PuTTY              SSH client

PuTTY:

  • Opens a terminal window
  • Handles network authentication
  • Manages SSH sessions

10. Can PuTTY log into Linux VMs?

✔ Yes, very commonly.

PuTTY is widely used to:

  • SSH into Linux EC2
  • SSH into Azure Linux VMs
  • SSH into on-prem Linux servers

11. Can PuTTY log into Windows VMs?

❌ No.

Windows login uses RDP, not SSH.

For Windows VMs you use:

  • Remote Desktop Connection (mstsc)

PuTTY does not support RDP.


12. Why does PuTTY use .ppk files?

PuTTY does not use OpenSSH key formats.

Tool      Private key format
OpenSSH   .pem, .key
PuTTY     .ppk

A .ppk file is simply:

PuTTY’s private key format

Same cryptographic key, different encoding.


13. Why do we convert .pem → .ppk?

Because PuTTY cannot read OpenSSH private keys.

Conversion is done using PuTTYgen:

.pem / .key  ──▶ puttygen ──▶ .ppk

This conversion:

  • Does not change the key
  • Only changes the file format

14. Why not just use PowerShell today?

You absolutely can.

Modern Windows supports:

ssh user@ip

So PuTTY is no longer required for most users.

Why PuTTY still exists

  • Legacy environments
  • Saved SSH sessions
  • Serial console access
  • Enterprise standardization
  • Habit and familiarity

15. One unified mental model

        YOUR LAPTOP
 ┌─────────────────────┐
 │ Private Key         │  ◀── Never shared
 └─────────────────────┘
            │
            │ proves identity
            ▼
      SSH Authentication
            ▲
            │ matches
 ┌─────────────────────┐
 │ Public Key          │  ◀── Stored on VM
 └─────────────────────┘

16. Final key takeaways

  • SSH comes from your operating system
  • Keys are created before VM creation
  • Public key goes to the VM
  • Private key stays on your machine
  • .pem is always a private key
  • Linux uses SSH directly
  • Windows uses RDP and passwords
  • PuTTY is an SSH client, not a Windows login tool
  • .ppk is just a different key format

Closing thought

Once you understand that identity is proven locally and verified remotely, SSH authentication stops being confusing and starts feeling elegant.

This single concept unlocks:

  • Secure cloud access
  • Passwordless infrastructure
  • Bastion hosts
  • Zero-trust architectures
  • Safer operations at scale
