When working with cloud virtual machines, authentication is often the most confusing topic for beginners:
- Why do we need SSH keys before a VM exists?
- What exactly is a
.pemfile in AWS? - Why does Windows EC2 require password decryption?
- What is PuTTY, and why does it use
.ppkfiles? - Why canβt we just use PowerShell or a normal terminal?
This blog explains all of it from first principles, without assuming prior knowledge.
1. Does my laptop really support SSH?
Yes β your laptop already has SSH support.
Modern operating systems ship with OpenSSH, a standard cryptographic and networking tool:
- Windows 10 / 11 β OpenSSH included
- Linux β OpenSSH included
- macOS β OpenSSH included
Thatβs why commands like these work out of the box:
ssh
ssh-keygen
π SSH is not provided by AWS or Azure.
Itβs an operating system feature.
2. What is an SSH key pair?
When you generate an SSH key, your OS creates two mathematically linked files:
| File | Example name | Lives where | Purpose |
|---|---|---|---|
| Private key | key, id_rsa, .pem | Your laptop only | Proves your identity |
| Public key | key.pub | Given to the VM | Verifies your identity |
β οΈ The private key must never be shared.
The public key is safe to distribute.
3. Why must SSH keys exist before the VM is created?
Cloud VMs do not generate their own SSH keys.
Instead, the flow is:
- You create an SSH key pair locally
- You give the public key to the cloud provider
- The provider injects it into the VM during creation
On Linux VMs, the public key is stored in:
~/.ssh/authorized_keys
This file defines who is allowed to log in.
4. Where is the private key actually used?
This is a common misunderstanding.
The private key is never sent to the cloud.
It is used only on your laptop, later, when you connect:
ssh -i private_key user@vm-ip
At login time:
- SSH client uses your private key
- VM checks the stored public key
- Cryptographic proof succeeds
- Access is granted
The cloud platform is not involved in this step.
5. AWS EC2 .pem files β what are they really?
In AWS, when you create a key pair:
- AWS generates an SSH key pair
- AWS keeps the public key
- You download the private key as a
.pemfile
So a .pem file is simply:
An SSH private key
Nothing more.
6. Why Linux EC2 uses .pem directly
Linux EC2 instances:
- Use SSH
- Use key-based authentication
- Do not allow passwords by default
Thatβs why this works:
ssh -i mykey.pem ec2-user@<public-ip>
The private key is used directly for authentication.
7. Why Windows EC2 is different
Windows EC2 instances:
- Do not use SSH for login
- Use RDP (Remote Desktop Protocol)
- RDP requires a username and password
But AWS does not want to send passwords insecurely.
So AWS does this instead:
- Generates a random Administrator password
- Encrypts it using your public key
- Stores the encrypted password
- You download the
.pem(private key) - You decrypt the password locally
- You log in via RDP using that password
Important distinction
| Linux EC2 | Windows EC2 |
|---|---|
| SSH | RDP |
| Key-based login | Password-based login |
.pem used directly | .pem used to decrypt password |
So the .pem file is not used to log in directly to Windows.
8. What exactly is PuTTY?
PuTTY is not just a terminal.
PuTTY is:
A Windows-native SSH client
Before Windows 10:
- Windows had no built-in SSH
- PuTTY was the standard way to:
- SSH into Linux servers
- Manage SSH keys
- Save sessions
Thatβs why PuTTY became popular.
9. Is PuTTY the same as PowerShell or CMD?
No.
| Tool | What it is |
|---|---|
| CMD | Shell |
| PowerShell | Shell |
| Windows Terminal | Terminal UI |
| PuTTY | SSH client |
PuTTY:
- Opens a terminal window
- Handles network authentication
- Manages SSH sessions
10. Can PuTTY log into Linux VMs?
β Yes β very commonly.
PuTTY is widely used to:
- SSH into Linux EC2
- SSH into Azure Linux VMs
- SSH into on-prem Linux servers
11. Can PuTTY log into Windows VMs?
β No.
Windows login uses RDP, not SSH.
For Windows VMs you use:
- Remote Desktop Connection (mstsc)
PuTTY does not support RDP.
12. Why does PuTTY use .ppk files?
PuTTY does not use OpenSSH key formats.
| Tool | Private key format |
|---|---|
| OpenSSH | .pem, .key |
| PuTTY | .ppk |
A .ppk file is simply:
PuTTYβs private key format
Same cryptographic key, different encoding.
13. Why do we convert .pem β .ppk?
Because PuTTY cannot read OpenSSH private keys.
Conversion is done using PuTTYgen:
.pem / .key βββΆ puttygen βββΆ .ppk
This conversion:
- Does not change the key
- Only changes the file format
14. Why not just use PowerShell today?
You absolutely can.
Modern Windows supports:
ssh user@ip
So PuTTY is no longer required for most users.
Why PuTTY still exists
- Legacy environments
- Saved SSH sessions
- Serial console access
- Enterprise standardization
- Habit and familiarity
15. One unified mental model
YOUR LAPTOP
βββββββββββββββββββββββ
β Private Key β βββ Never shared
βββββββββββββββββββββββ
β
β proves identity
βΌ
SSH Authentication
β²
β matches
βββββββββββββββββββββββ
β Public Key β βββ Stored on VM
βββββββββββββββββββββββ
16. Final key takeaways
- SSH comes from your operating system
- Keys are created before VM creation
- Public key goes to the VM
- Private key stays on your machine
.pemis always a private key- Linux uses SSH directly
- Windows uses RDP and passwords
- PuTTY is an SSH client, not a Windows login tool
.ppkis just a different key format
Closing thought
Once you understand that identity is proven locally and verified remotely, SSH authentication stops being confusing and starts feeling elegant.
This single concept unlocks:
- Secure cloud access
- Passwordless infrastructure
- Bastion hosts
- Zero-trust architectures
- Safer operations at scale