If you’ve accidentally deleted the .pem file for an EC2 instance key pair, you’re in a tight spot. You can’t SSH in, and every guide says “generate a new key pair,” but that doesn’t help you recover the one instance that matters. I’ve helped teams recover from this exact scenario, and I’ll walk you through the process step by step.

The Problem

You’re locked out of an EC2 instance with an error like “Permission denied (publickey)” even though you’re certain you’re using the correct username and IP. The .pem file is gone, lost in a drive wipe or deleted from your laptop. Here’s what you see:

Error Type          Description
------------------  --------------------------------------------------------------------------
Permission Denied   Permission denied (publickey). No further authentication methods available
No Identity         Could not open a connection to your authentication agent
Key Mismatch        Host key verification failed or key is not recognized

The instance is still running. AWS can’t help you restore the key. But you can still recover access using EBS volume magic.

Why Does This Happen?

  • Key pair .pem file deleted — The private key is gone. AWS doesn’t store private keys, so there’s no “reset password” button.
  • Wrong key used for instance — You generated a new key pair, but the instance was launched with a different one.
  • Key pair region mismatch — Key pair and instance are in different regions (keys are region-specific in AWS).
  • Windows converted .pem encoding — Windows saved the file as CRLF line endings instead of LF, making it invalid for SSH.

The Fix

The recovery method is to detach the root EBS volume from the locked instance, attach it to a rescue instance that you can access, modify the authorized_keys file to add a new public key, then reattach it. Here’s the exact process:

Step 1: Stop the Locked Instance

# Stop the instance (do NOT terminate)
aws ec2 stop-instances \
  --instance-ids i-0abc123def456ghij \
  --region us-east-1

Wait until the state is “stopped” (check with aws ec2 describe-instances).

Step 2: Detach the Root Volume

Note the device name — typically /dev/xvda for Linux instances. Check in the EC2 console under Root device or use:

# Find the root device name and the volume behind each attached device. The root
# volume is the mapping whose DeviceName equals RootDeviceName; it is not always
# the first entry in BlockDeviceMappings, so list them all rather than taking [0]
aws ec2 describe-instances \
  --instance-ids i-0abc123def456ghij \
  --region us-east-1 \
  --query 'Reservations[0].Instances[0].[RootDeviceName, BlockDeviceMappings[].[DeviceName,Ebs.VolumeId]]' \
  --output text

Detach the volume:

aws ec2 detach-volume \
  --volume-id vol-0abc123def456ghij \
  --region us-east-1

Wait for state to become “available” (1–2 seconds).

Step 3: Launch or Use a Rescue Instance

You need an instance you can SSH into. Use an existing instance or launch a temporary rescue instance with a key pair you have. It must be in the same Availability Zone as the locked instance, because an EBS volume can only be attached to instances in its own AZ. For this walkthrough, assume the rescue instance ID is i-rescue123.

Step 4: Attach the Detached Volume to the Rescue Instance

# Attach the locked instance's volume to the rescue instance
aws ec2 attach-volume \
  --volume-id vol-0abc123def456ghij \
  --instance-id i-rescue123 \
  --device /dev/xvdf \
  --region us-east-1

Wait for state to become “attached”. Then SSH to the rescue instance and mount the volume:

# SSH to rescue instance first
ssh -i rescue-key.pem ec2-user@<rescue-public-ip>

# Once inside the rescue instance, locate the attached volume. On Nitro-based
# instance types it shows up as /dev/nvme1n1 (root partition /dev/nvme1n1p1)
# rather than /dev/xvdf, so confirm the name before mounting
lsblk

# Mount the root partition of the attached volume
sudo mkdir -p /mnt/recovery
sudo mount /dev/xvdf1 /mnt/recovery
# If the locked instance was built from the same AMI as the rescue instance and
# uses XFS, the duplicate filesystem UUID makes the mount fail; add -o nouuid

# Verify it mounted
ls -la /mnt/recovery/

You should see the root filesystem of the locked instance.

Step 5: Add a New Public Key to authorized_keys

Generate a new key pair on your local machine (or use an existing one):

ssh-keygen -t rsa -b 4096 -f ~/new-recovery-key -N ""
# Extract the public key
cat ~/new-recovery-key.pub

SSH back to the rescue instance and add the public key:

# Inside the rescue instance
sudo bash
AK=/mnt/recovery/home/ec2-user/.ssh/authorized_keys
mkdir -p "$(dirname "$AK")" && chmod 700 "$(dirname "$AK")"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADA... (your new public key)" >> "$AK"
chmod 600 "$AK"
# The owner must be the user on the locked instance, not a uid from the rescue box; copy it from that home directory
chown --reference=/mnt/recovery/home/ec2-user "$(dirname "$AK")" "$AK"

Step 6: Unmount and Detach

# Inside rescue instance
sudo umount /mnt/recovery

# Back on your local machine
aws ec2 detach-volume \
  --volume-id vol-0abc123def456ghij \
  --region us-east-1

Step 7: Reattach to Original Instance and Boot

# Reattach to the locked instance as root device
aws ec2 attach-volume \
  --volume-id vol-0abc123def456ghij \
  --instance-id i-0abc123def456ghij \
  --device /dev/xvda \
  --region us-east-1

# Start the instance
aws ec2 start-instances \
  --instance-ids i-0abc123def456ghij \
  --region us-east-1

Wait for the instance to reach “running” state, then SSH in with your new key:

ssh -i ~/new-recovery-key ec2-user@<public-ip>

You’re back in!
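As an added example that is not part of the original post, the following Python script turns the seven steps above into a generated command sequence: save `aws ec2 describe-instances --instance-ids <id> --output json` for the locked and the rescue instance to two files, and it emits the stop/detach/attach/start commands with `aws ec2 wait` calls in place of manual state polling, after selecting the root volume by RootDeviceName and checking that both instances share an Availability Zone. The script name, the JSON file names and the sample instance objects in the comments are assumptions.

```python
"""Added example, not from the original post: build the recovery command sequence from
saved `aws ec2 describe-instances` JSON (locked and rescue instance), using `aws ec2 wait`
instead of polling. Two guards the manual steps skip: the root volume is found by
RootDeviceName, not assumed to be mapping [0], and both instances must share an AZ."""
import json
import sys

RESCUE_DEVICE = "/dev/xvdf"  # device name used on the rescue instance, as in the post


def root_volume(instance):
    """Return (device_name, volume_id) of the EBS volume behind the root device."""
    if instance.get("RootDeviceType") != "ebs":
        raise ValueError("root device is instance-store and cannot be detached")
    root = instance["RootDeviceName"]
    for m in instance.get("BlockDeviceMappings", []):
        if m["DeviceName"] == root and "Ebs" in m:
            return root, m["Ebs"]["VolumeId"]
    raise ValueError(f"no EBS mapping found for root device {root}")


def plan(locked, rescue, region):
    """Return the ordered CLI commands, or raise if the setup cannot work."""
    az_l = locked["Placement"]["AvailabilityZone"]
    az_r = rescue["Placement"]["AvailabilityZone"]
    if az_l != az_r:
        raise ValueError(f"AZ mismatch: volume in {az_l}, rescue instance in {az_r}")
    dev, vol = root_volume(locked)
    lid, rid, r = locked["InstanceId"], rescue["InstanceId"], f"--region {region}"
    return [
        f"aws ec2 stop-instances --instance-ids {lid} {r}",
        f"aws ec2 wait instance-stopped --instance-ids {lid} {r}",
        f"aws ec2 detach-volume --volume-id {vol} {r}",
        f"aws ec2 wait volume-available --volume-ids {vol} {r}",
        f"aws ec2 attach-volume --volume-id {vol} --instance-id {rid} --device {RESCUE_DEVICE} {r}",
        f"aws ec2 wait volume-in-use --volume-ids {vol} {r}",
        "# on the rescue instance: mount, append the new public key to authorized_keys, umount",
        f"aws ec2 detach-volume --volume-id {vol} {r}",
        f"aws ec2 wait volume-available --volume-ids {vol} {r}",
        f"aws ec2 attach-volume --volume-id {vol} --instance-id {lid} --device {dev} {r}",
        f"aws ec2 start-instances --instance-ids {lid} {r}",
        f"aws ec2 wait instance-running --instance-ids {lid} {r}",
    ]


def load_instance(path):
    """Read the first Instance object from a saved `describe-instances --output json` file."""
    with open(path) as f:
        return json.load(f)["Reservations"][0]["Instances"][0]


if __name__ == "__main__":  # usage: recover_plan.py locked.json rescue.json us-east-1
    print("\n".join(plan(load_instance(sys.argv[1]), load_instance(sys.argv[2]), sys.argv[3])))
```

Review the printed sequence before running it; the AZ check fails fast instead of leaving the volume detached while attach-volume errors out.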

Is This Safe?

This process requires instance downtime (typically 10–15 minutes). The volume swap is safe as long as you note the original device name (/dev/xvda) and reattach it correctly. Do not terminate the instance — just stop it. Always verify the device name before detaching to avoid accidentally unmounting the wrong volume. Two further points: whoever controls the rescue instance can read and modify every file on the detached volume, so use an instance you own rather than a shared one, and the old public key is still listed in authorized_keys after the fix. If the .pem was merely deleted that is harmless; if it may have been copied before it disappeared, remove the old line while the volume is mounted.

Key Takeaway

Lost your .pem file? Don’t panic. Use the EBS volume detach-attach-recover method to regain access. The key insight is that the OS filesystem is separate from the EC2 key pair — if you can modify the filesystem, you can add a new public key. Always keep encrypted backups of your key pairs.


Have questions or ran into a different EC2 access issue? Connect with me on LinkedIn or X.