Decrypting the EC2 Windows Password
Windows and SSH keys
Most of us are familiar with the process of authenticating to a Linux or FreeBSD instance on AWS using an SSH key pair, but how do we authenticate to a Windows instance, and how are SSH keys involved?
First, remember that SSH keys exist as a pair - a public key that you can share with anyone, and a private key that you should never share with anyone.
NOTE: This is why you should not create your key pair using the AWS console - that would mean a website had your private key before you ever had it. Instead, you should create your key pair locally, then store only the public key in EC2.
Once you have a key pair, the private key can be used to access servers, decrypt data, and digitally sign files, which is why leaving it unencrypted is insane. Always encrypt your private key with a passphrase so it can only be used by you.
When you create a Windows instance, EC2 configures it with a random password for the local Administrator principal. EC2 also stores that password, encrypted with the public key of the key pair you launched with, in the instance metadata in EC2.
Getting the password
The AWS CLI includes a command to fetch the encrypted Windows password: aws ec2 get-password-data.
$ aws ec2 get-password-data --instance-id i-0388c9328259a3a50
{
"InstanceId": "i-1234567890abcdef0",
"Timestamp": "2025-12-12T14:45:23+00:00",
"PasswordData": "VuBxfMS62rwfGtzddcpfsXt5xituwbPDx8NGozHAmQmyHHMcbggRPERBDxY4UiiByUJgzmiSL2CusyR5L4DygwbIQhPvDAXzQ5H
Z8RuEUYGYRkBqYD4h0qT817W62J2dT7e1hE60Ax4mOSrbb3Kf3aX0D0OPDgDGSgaan0gvcCVydqGm64fW+CPGOsMSMCdwKwVl4hUERup96Yfl/yXTVMrgqig
RXdQwTYXEdZ0RMBR2C4vYavgfVOm4MJsUwz+Vd+S/LFzzzjc9t25+yoRnN0+/Cy9f6SeWe1yNyXtV+/azN0EsU+twwzZce0UCbv+RQBOsReuPVYye3fbOut9
N5HZxvrYoISR+i2C3KyCxQdQgzkbCOoze1E8CtABaOJZ+BxO1iw+iOIGx+ZwOVRKeSkdToW7r4U5qv9lHGjkyqvb4TMJvkif1x4L26+ieMz3Kt4e7OaVXLSF
0mLHlP9K2nwb2ArlMJpWQ5Nj5ZBzYbc+AkN/ArM8/CVrp3bsKAI3kHrc9ErHp+6qfZOfanGT1/0r2b4AS9Lw+EOoxYCkv8K6SKF67Om3suwHgRjIRfy3QYmo
+i2SdHDYpTA7VGA0lpJy7Nfhv+OUeQZXB4vu2sVmDSF++1HmpWIOR92mtIdTt+ASwyhB3KiOwTM/RRuEavAnciKqRoYheFLgsxhyva30="
}
According to the documentation, we should be able to decrypt the PasswordData field by providing the private key used to launch the instance in the --priv-launch-key argument, like this:
$ aws ec2 get-password-data --instance-id i-1234567890abcdef0 \
--priv-launch-key ~/.ssh/id_rsa
{
"InstanceId": "i-1234567890abcdef0",
"Timestamp": "2013-08-30T23:18:05.000Z",
"PasswordData": "&ViJ652e*u"
}
But this only works if you are using an unencrypted private key, which is insane. Try to use it with an encrypted key, and you’ll get this error:
$ aws ec2 get-password-data --instance-id i-0388c9328259a3a50 \
--priv-launch-key ~/.ssh/id_rsa
Unable to decrypt password data using provided private key file.
Maybe the web console will offer a solution…

Your options here are to either upload your private key, or paste your private key into the textbox. Remember that you should never share your private key with anyone, so the idea of uploading it to a website is a big red flag.
I’ve examined this web site and confirmed that it decrypts the password in the browser without sending your private key off to AWS, but that is not the point. No website should ever ask for your private key, and if you encounter one that does, you should never provide it. That is just training users to embrace terrible security habits.
But let’s say you want to ignore that advice and throw caution to the wind. This site will only work with an unencrypted key, and unencrypted keys are insane.
Solution
The solution is to decrypt the password data locally, using our encrypted private key. The password is given to us as Base64-encoded ciphertext. So, we use the base64 -d command to decode it, and pass the results into openssl pkeyutl to decrypt. When openssl encounters our encrypted private key, it will prompt for the passphrase.
aws ec2 get-password-data --output text --instance-id <INSTANCE-ID> \
| cut -f2 | base64 -d \
| openssl pkeyutl -decrypt -inkey <SSH-PRIVATE-KEY-FILE>
Finally, something sane.
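As an added example (not the post's own code), here is the same mechanism run end to end offline with openssl: a constructed passphrase-protected key, a stand-in for EC2's encryption of a constructed password, and the post's decrypt pipeline run against the result. The key file names, passphrase and password are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: an offline round-trip of the EC2
# Windows password mechanism using only openssl, so the decrypt step can be
# checked without an AWS account. Key, passphrase and password are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASSPHRASE='correct horse battery staple'   # constructed passphrase

# 1. A passphrase-protected RSA private key (the sane kind) and its public half.
#    ssh-keygen -m PEM writes the same PEM layout; openssl is used here so the
#    whole example needs a single tool.
openssl genrsa -aes256 -passout "pass:$PASSPHRASE" -out "$WORK/id_rsa" 2048 2>/dev/null
openssl rsa -in "$WORK/id_rsa" -passin "pass:$PASSPHRASE" -pubout \
  -out "$WORK/id_rsa.pub.pem" 2>/dev/null

# 2. Stand-in for what EC2 does at launch: encrypt the Administrator password
#    with the public key (RSA PKCS#1 v1.5 padding, pkeyutl's default for RSA)
#    and base64 the ciphertext. This is the shape of the PasswordData field.
make_password_data() {   # $1 = plaintext password
  printf '%s' "$1" \
    | openssl pkeyutl -encrypt -pubin -inkey "$WORK/id_rsa.pub.pem" \
    | base64 | tr -d '\n'
}

# 3. The post's decrypt step. -passin supplies the passphrase so the example
#    runs unattended; omit it and openssl prompts, as in the post.
decrypt_password_data() {   # $1 = base64 PasswordData
  printf '%s' "$1" | base64 -d \
    | openssl pkeyutl -decrypt -inkey "$WORK/id_rsa" -passin "pass:$PASSPHRASE"
}

SAMPLE_PASSWORD='&ViJ652e*u'   # the password shown in the post's sample output
PASSWORD_DATA="$(make_password_data "$SAMPLE_PASSWORD")"
RECOVERED="$(decrypt_password_data "$PASSWORD_DATA")"
printf 'PasswordData (%d chars) decrypted to: %s\n' "${#PASSWORD_DATA}" "$RECOVERED"
```

With real data, `aws ec2 get-password-data --query PasswordData --output text` selects the field by name rather than relying on `cut -f2` and the column order of the text output.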