How to Convert PEM to PPK (PuTTY Private Key)
If you have an SSH private key in PEM format (commonly used by OpenSSH / Linux / AWS) and you need to connect with PuTTY on Windows, you usually must convert it to PPK format (PuTTY Private Key).
This guide shows the safest, most common methods to convert *.pem → *.ppk, and how to use the resulting key.
When do you need PEM → PPK?
You likely need a PPK when you:
- Use PuTTY (Windows) for SSH
- Have a
*.pemkey from AWS EC2 or another provider - Want to load your key into Pageant (PuTTY SSH agent)
If you're using Windows Terminal / PowerShell with OpenSSH (
sshcommand), you usually do not need PPK — PEM works directly.
Before you start (security notes)
- Never share your private key (
.pemor.ppk) with anyone. - Keep it in a private folder (not a public repo).
- Use a passphrase when exporting your PPK (recommended).
Method 1 — Convert PEM to PPK using PuTTYgen (Windows GUI)
Step 1 — Install PuTTY
Download and install PuTTY (it includes PuTTYgen).
Step 2 — Open PuTTYgen
- Start Menu → PuTTYgen (or run
puttygen.exe)
Step 3 — Load your PEM key
- Click Load
- In the file picker, switch file type to:
- All Files (.) (because by default it shows only
.ppk)
- All Files (.) (because by default it shows only
- Select your
your-key.pem
If PuTTYgen warns about the key format, that is normal for some PEM variations — continue.
Step 4 — (Recommended) Add a passphrase
In PuTTYgen:
- Key passphrase
- Confirm passphrase
Use a strong passphrase you can remember (or store in a password manager).
Step 5 — Save as PPK
Click:
- Save private key
- Choose a name like
your-key.ppk
✅ Done. You can now use your-key.ppk in PuTTY.
Method 2 — Convert PEM to PPK using puttygen (Linux / macOS / WSL)
If you have puttygen available, you can convert via CLI.
Install puttygen
Ubuntu / Debian
sudo apt update
sudo apt install -y putty-tools
macOS (Homebrew)
brew install putty
Convert PEM → PPK
puttygen your-key.pem -o your-key.ppk
Add / change passphrase (recommended)
puttygen your-key.pem -o your-key.ppk -P
It will prompt you to set a passphrase.
How to use the PPK in PuTTY (Windows)
Step 1 — Open PuTTY
- Host Name:
ubuntu@YOUR_SERVER_IP(orec2-user@...for Amazon Linux) - Port:
22 - Connection type:
SSH
Step 2 — Attach your PPK
Go to:
- Connection → SSH → Auth → Credentials
- Click Browse... and select
your-key.ppk
Step 3 — Optional: save session
- Go back to Session
- Enter a name (e.g.,
My-EC2) - Click Save
Step 4 — Connect
Click Open and accept the server fingerprint if asked.
Troubleshooting
1) “Server refused our key” / “No supported authentication methods available”
Common causes:
- Wrong username (try
ubuntu,ec2-user,root,admin) - Wrong key for that server
- Server doesn’t have your public key in
~/.ssh/authorized_keys
2) “Unable to load key file (not a supported key format)”
Try:
- Re-open the
.pemin PuTTYgen and re-save as.ppk - If your key is in newer OpenSSH format, use a newer PuTTY/PuTTYgen
3) Permissions issue (OpenSSH on Linux)
If you use OpenSSH (ssh) with a PEM file:
chmod 600 your-key.pem
4) You only have a .crt or .cer file
Those are certificates, not SSH private keys. You need the actual private key (.pem) to create a .ppk.
Quick checks
- PEM is the private key file you got from your provider.
- PPK is just a PuTTY-friendly container for that same private key.
- Use a passphrase when exporting the PPK if possible.
Need help with infrastructure, deployment, or DevOps?
Managing SSH keys, server configuration, deployment pipelines, and cloud infrastructure can become complex fast—especially when systems scale.
MarqueFactory helps startups and growing businesses with:
- Production server setup and hardening
- Deployment automation and CI/CD pipelines
- Cloud infrastructure (AWS, Google Cloud, Azure)
- SSL/TLS, security, and monitoring
- Post-launch performance optimization
- Ongoing maintenance and DevOps support
Whether you're deploying a web app, mobile backend, or marketplace, reliable infrastructure is non-negotiable.
→ Schedule a DevOps consultation to discuss your deployment architecture and infrastructure needs.
Author
Marquefactory DevOps Team
