Theodora

Using SSH Keys on Windows: Fixing “Unprotected Private Key File” Errors

When you use SSH to connect to an EC2 instance (or any other host), the OpenSSH client checks the permissions on your private key file (.pem) before it will use it.

On Linux/macOS, this is enforced with chmod 400 (or 600): the file must be readable only by its owner.

On Windows with OpenSSH, the same check is enforced via NTFS file permissions (ACLs).

If the file is accessible to other principals such as Authenticated Users, Users, or Everyone, SSH will refuse to use it and you'll see the warning banner that gives this post its title:

@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Permissions for 'D:\3-tier-web-arch\nfs-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "D:\3-tier-web-arch\nfs-key.pem": bad permissions

The core concept

A private key must be owned by you and only readable by you.

On Windows, this is controlled by ACLs (Access Control Lists), not chmod.

To fix the issue, you must take ownership of the file and restrict its ACLs so only your account (plus SYSTEM/Administrators) can read it.

Step 1: Take ownership

If you downloaded or copied the file from another system, ownership may not match your account.

takeown /F "D:\3-tier-web-arch\nfs-key.pem"

Step 2: Remove inheritance

Prevent the file from inheriting broad permissions from the folder.

icacls "D:\3-tier-web-arch\nfs-key.pem" /inheritance:r

Step 3: Remove broad groups

Remove the default Windows groups that make the file readable by other users. Step 2 already dropped the inherited copies of these entries; this step removes any that were set directly on the file.

icacls "D:\3-tier-web-arch\nfs-key.pem" /remove:g "Authenticated Users" "Users" "Everyone"

Step 4: Grant only necessary access

Give your account read permission (use the exact COMPUTER\user value that whoami prints; DESKTOP-ABCD\Amanda below is the example account), and (optionally) keep SYSTEM and Administrators with full control. Windows OpenSSH accepts these two principals on a key file in addition to the owner; any other principal triggers the warning.

icacls "D:\3-tier-web-arch\nfs-key.pem" /grant "DESKTOP-ABCD\Amanda:(R)"
icacls "D:\3-tier-web-arch\nfs-key.pem" /grant "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)"

Or, to do Steps 2 to 4 in one command (/grant:r replaces the existing explicit entries instead of adding to them; the trailing backtick is the PowerShell line continuation, so in cmd put both parts on one line):

icacls "D:\3-tier-web-arch\nfs-key.pem" /inheritance:r /grant:r `
"DESKTOP-ABCD\Amanda:(R)" "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)"

Step 5: Verify

icacls "D:\3-tier-web-arch\nfs-key.pem"

Expected output (icacls prints the path in front of the first entry; the order of the three entries may differ):

D:\3-tier-web-arch\nfs-key.pem DESKTOP-ABCD\Amanda:(R)
                               BUILTIN\Administrators:(F)
                               NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files

Nothing else should appear: no Users, Authenticated Users or Everyone entries, and no (I) markers, which would mean inheritance is still on.

Step 6: Connect to EC2

Now you can connect:
ssh -i "D:\3-tier-web-arch\nfs-key.pem" ec2-user@

Best practice: store keys in ~/.ssh

For convenience, place the key in your .ssh folder (%USERPROFILE%\.ssh):
mkdir "$env:USERPROFILE\.ssh" -Force
copy "D:\3-tier-web-arch\nfs-key.pem" "$env:USERPROFILE\.ssh\nfs-key.pem"

Note that the copy is a new file and inherits the ACL of the .ssh folder, not the ACL you just fixed on the original. Repeat Steps 2 to 5 on the copied file (or lock down the .ssh folder first) before using it.

Then create a config file (~/.ssh/config, a plain text file with no extension and no BOM) with a Host entry that points IdentityFile at the key, so you can connect with just

ssh my-ec2
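The whole procedure from Step 1 to Step 5, plus the ~/.ssh placement and config entry above, as one PowerShell script. This is an added example and not code from the original post: the function names, the host alias my-ec2 and the placeholder public DNS name are mine, and the key path is the one used throughout the post. The ACL check compares SIDs rather than display names, so it also works for accounts whose name resolves differently (for example Microsoft accounts), and the script locks down the copy under ~/.ssh rather than the original, because the copy inherits the folder's ACL.

```powershell
# Added example (not from the original post). Assumptions: the key path from
# the post, the alias "my-ec2", the placeholder HostName and the function names.
# Run from an elevated prompt if you are not already the owner of the file.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Principals Windows OpenSSH tolerates on a private key besides the owner.
$script:SystemSid = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$script:AdminsSid = 'S-1-5-32-544'  # BUILTIN\Administrators

function Get-CurrentUserSid {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
}

function Protect-SshKey {
    # Steps 1-4: take ownership if needed, drop inherited ACEs, and replace the
    # explicit DACL with current user (read), SYSTEM (full), Administrators (full).
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Key file not found: $Path"
    }
    $userSid = Get-CurrentUserSid

    # Step 1. Only call takeown when someone else owns the file; it needs an
    # elevated prompt in that case.
    $owner = (Get-Acl -LiteralPath $Path).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($owner -ne $userSid) {
        takeown /F $Path | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed (exit code $LASTEXITCODE)" }
    }

    # Steps 2-4 in one call. SIDs are passed in icacls' *S-1-... form so the
    # command does not depend on how the account name resolves, and /grant:r
    # replaces the existing explicit entries instead of adding to them.
    icacls $Path /inheritance:r /grant:r "*$($userSid):(R)" "*$($script:SystemSid):(F)" "*$($script:AdminsSid):(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }
}

function Test-SshKeyAcl {
    # Step 5 as a check instead of eyeballing icacls output. Emits one line per
    # problem; no output means the file satisfies the rules the post describes.
    param([Parameter(Mandatory)] [string] $Path)

    $allowed = @((Get-CurrentUserSid), $script:SystemSid, $script:AdminsSid)
    $acl = Get-Acl -LiteralPath $Path
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $acl.AreAccessRulesProtected) {
        $problems.Add('inheritance is still enabled (run icacls /inheritance:r)')
    }
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($allowed -notcontains $ownerSid) {
        $problems.Add("owner is $($acl.Owner), not you, SYSTEM or Administrators")
    }
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($allowed -notcontains $sid) {
            $problems.Add("unexpected principal: $($ace.IdentityReference.Value) ($($ace.FileSystemRights))")
        }
    }
    return $problems
}

# --- Usage: copy the key under ~/.ssh, lock down the copy, register it ---
$source = 'D:\3-tier-web-arch\nfs-key.pem'          # path from the post
$sshDir = Join-Path $env:USERPROFILE '.ssh'
$key    = Join-Path $sshDir 'nfs-key.pem'

New-Item -ItemType Directory -Path $sshDir -Force | Out-Null
Copy-Item -LiteralPath $source -Destination $key -Force

# The copy inherited the ACL of ~/.ssh, so the copy is what must be fixed.
Protect-SshKey -Path $key
$issues = @(Test-SshKeyAcl -Path $key)
if ($issues.Count -gt 0) {
    throw ("Key is still too open:`n" + ($issues -join "`n"))
}

# Host entry so that `ssh my-ec2` works. HostName is a placeholder; ssh_config
# accepts only whole-line comments, so keep notes out of the option values.
# ASCII encoding avoids the BOM that would make ssh reject the config file.
$entry = @'

Host my-ec2
    HostName ec2-203-0-113-10.compute-1.amazonaws.com
    User ec2-user
    IdentityFile ~/.ssh/nfs-key.pem
    IdentitiesOnly yes
'@
Add-Content -LiteralPath (Join-Path $sshDir 'config') -Value $entry -Encoding ascii
Write-Host 'Key locked down and registered; connect with: ssh my-ec2'
```

Run the script once from an elevated PowerShell window; afterwards `ssh my-ec2` works from any normal PowerShell or VS Code terminal without -i. Test-SshKeyAcl is also handy on its own when a key that used to work suddenly shows the warning again, for instance after it was copied to a new folder or synced by a backup tool.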

SSH enforces strict private key security. On Windows, that means taking ownership of the PEM file and restricting its ACLs so only you (and optionally SYSTEM/Administrators) can read it. This is the Windows equivalent of chmod 400 on Linux.

Note: run the takeown and icacls commands in PowerShell as Administrator, then connect to the EC2 instance from a normal PowerShell window or the VS Code PowerShell terminal.
