[AWS] EC2 SSH Connection Error: How to Fix the UNPROTECTED PRIVATE KEY FILE Error (ssh pem key permission setup)

1. The error situation

When trying to SSH into an AWS EC2 instance, there are cases where the connection is refused along with the warning message below.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for 'myKey.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "myKey.pem": bad permissions
ubuntu@{my-ip}: Permission denied (publickey).

If you look closely at the key phrase, it's "Permissions for 'myKey.pem' are too open." That is, the .pem key file's permissions are open too widely, so the system judged it a security risk and blocked the connection.

The 'UNPROTECTED PRIVATE KEY FILE' warning message that appears on SSH connection Figure 1. The 'UNPROTECTED PRIVATE KEY FILE' warning message that appears on SSH connection

2. The cause

SSH clients on Linux or macOS environments are designed, for security, to use only "a key that no one but the owner can read."

  • The problematic permissions: permissions like 0755 or 0644 mean that not only I but also other users (group, others) can read this key.
  • The security rule: if there's a possibility the private key is exposed to others, SSH doesn't trust that key and refuses the connection.

3. The fix: chmod 400

In the terminal, move to the directory where the key file (.pem) is stored, then change the permissions to owner-only read permission (400), and it's resolved instantly.

# change the pem key file's permissions to 400
chmod 400 myKey.pem

Note: if 400 still doesn't work, you can try 600, but the AWS guide usually recommends 400.

💡 The meaning of Linux file permission 400

Permission target Number Detailed meaning
Owner 4 Read possible (no modify/execute)
Group 0 No permissions
Others 0 No permissions

4. Verifying the result

After changing the permissions, try connecting again.

ssh -i "myKey.pem" ubuntu@<Your-EC2-IP>

Now you can confirm that you connect to the instance normally, without the warning.


📦 Migrated from the Tistory blog I used to run. Original: taehyuklee.tistory.com/31

Share𝕏f

Comments