Establishing a key server on AWS

Modified on Tue, 07 Feb 2023 at 01:26 PM


This article explains how to use an existing AWS account for the storage of an organization's Lochbox encryption keys. The setup process required will vary based on the operating system of the computer being used (i.e. Windows versus Mac). 

Step 1: AWS account ID

At this time, organizations must share their AWS account ID with Lochbox support before a key server can be established so the non-public AMI can be shared. Your AWS account ID can be found by clicking on the user name in the top right of the AWS dashboard after sign-in.

Email the copied AWS account ID to

Step 2: Launch an instance

Once Lochbox Support has confirmed that the key server AMI has been shared with your AWS account, navigate to the EC2 dashboard and click launch instance to launch a new instance.

The following section outlines our recommended instance settings. Any settings not included below are left to the user's discretion.


The instance name should be something that can be easily identified as something correlating to your Lochbox key server.

Application and OS Images (Amazon Machine Image)

Select My AMIs > Shared with me and then find and select the Lochbox Remote Key Storage from the available Amazon Machine Image options

Instance type

The instance type should be at least a t2.small. Increasing the instance type may be required for enhanced Lochbox features (currently unavailable).

Key pair (login)

Creating a new key pair is recommended. However, if there is an existing key pair and you have a proficient understanding of the matter it could technically be used.

Create key pair

Key pair name

Assign any name to the key pair.

Key pair type

Select the encryption type that is compatible with the OS of the computer being used for this process.

For MacOS, select ED25519.

For Windows, select RSA.

Private key file format

Select the file format that is compatible with the SSH client you will be using.

For MacOS, use .pem (OpenSSH for Mac)

For Windows, use .ppk (PuTTy for Windows)

Example for Windows:

Storage (volumes)

Expand the available/desired storage volume to view it's settings. Change Encrypted to Yes and then select an available KMS key.

Launch instance

Once you completed the above you can launch the instance and download the private key file.

Step 3 will vary based on on your computer's operating system and has been separated into a different guide for Mac and Windows.

Step 3 (Mac): SSH Configuration via Terminal

The following steps should not be completed until your newly launched instance has passed all status checks.

Moving the private key to .ssh directory

Once the private key file has been downloaded it will need to be moved to the .ssh directory. The .ssh directory can be located by opening a Finder window, pressing Command+Shift+G, then searching ~/.ssh. If no search result is found, a .ssh directory may need to be created. To create the .ssh directory, open Terminal and enter:

$ mkdir /home/username/.ssh

Replace username with the active username on the computer.

Locate the private key file that was downloaded from AWS and add it to the hidden .ssh folder that was found via Finder.

Changing permissions for the private key file

Open the Terminal app and enter the following command to change the permissions for the private key file:

chmod 600 .ssh/file-name.cer

Replace file-name with the name of your private key file. Leave the Terminal app open after hitting 'enter' for the command.

Accessing the Key Server Console (KSC)

With the Terminal app still open, enter the following command:

ssh -i .ssh/file-name.cer config@##.###.##.123

Replace ##.###.##.123 with the Public IPv4 Address for the newly created instance on AWS (obtained from the instances dashboard on AWS) then hit enter. When asked if you want to continue connecting type yes then enter.

Proceed to Step 4 once the Key Server Console loads.

Step 3 (Windows): SSH Configuration via PuTTY

The following steps should not be completed until your newly launched instance has passed all status checks.

PuTTY setup

Open PuTTY on a Windows computer. Enter the Public IPv4 Address for the newly created instance on AWS (obtained from the instances dashboard on AWS) in the field for Host Name (or IP address). If wanted, assign a name for the session in the Saved Sessions field then click Save.

Using the categories on the left, 1) select next to the SSH category then 2) select Auth. Click Browse to locate the .ppk file that was obtained from AWS.

After you have selected the appropriate .ppk file, click open to launch the PuTTY session. You will be prompted to trust the host (your AWS IP address). Select accept or connect once to continue with key server setup.

Once a successful connection has been made, type config and press enter to login to the Key Server Console (KSC).

Step 4: Key Server Console (KSC) configuration

The Key Server Console (KSC) will load after a secure session has been established. You will be prompted to login to your Lochbox account using your username/email and password. Enter these credentials then press enter to connect the AWS instance hosting your key server to Lochbox so that your encryption keys can be stored under your control.

After system setup is complete you will be prompted to enter a backup encryption passkey. This password is separate from your Lochbox account password and used to encrypt your organization's encryption key backups stored on your AWS server. This password cannot be recovered and should be recorded in the most secure way possible; without it you cannot access your AWS data.

When prompted, type the associated number to "Exit configuration" and press enter to exit the KSC.

Step 5: Associate AWS key server with your organization

Visit the Lochbox Admin Portal and sign in to your account. Click the user profile at the top right then select My Remote Servers. Your AWS key server should be visible. Click authorize to authorize the server for use with your account. 

Once authorized, your key server will be given a temporary name based on the IP address and AWS server location. Click the blue temporary name. Assign a name to your key server for identification purposes. (Note: one key server can be used to host the keys for multiple organizations.)

Click the blue + to select and associate the desired organization(s) to this key server. Be sure and save your activity before leaving the page.

Key server setup is now complete and you can begin using Lochbox with all encryption keys for your organization being stored by a server under your control.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article