ShortIQ

How to Convert PPK to PEM

A practical guide to converting a PPK file to PEM so you can use the same SSH key with OpenSSH, Linux servers, and cloud workflows that expect PEM format.

April 28, 2026 · ShortIQ Editorial Team

Why You Might Need to Convert PPK to PEM

PPK is PuTTY’s private key format, while PEM is commonly used by OpenSSH and many Linux or cloud server workflows. If you created your SSH key for PuTTY but now want to connect using terminal-based tools, automation, or another environment that expects PEM, you may need to convert the key.

This is a normal workflow when moving between Windows and Linux-based tooling.

The Easiest Way: Use PuTTYgen

The easiest way to convert PPK to PEM on Windows is with PuTTYgen. Open PuTTYgen, load the PPK file, and then export the private key in OpenSSH-compatible format. That exported private key can then be used as a PEM-style key in terminal workflows.

Be careful while exporting private keys. Anyone who gets access to the file can potentially access the server if the key is valid and authorized.

  • Open PuTTYgen
  • Click Load and choose the `.ppk` file
  • Open the Conversions menu
  • Choose Export OpenSSH key
  • Save the file securely

How to Use the Converted PEM File

Once exported, you can reference the converted key in SSH commands or other tools that accept PEM or OpenSSH-style private keys. On Unix-like systems, you may also need to tighten permissions on the file before using it.

For example, OpenSSH often expects private key permissions that are limited to the current user.

```bash
chmod 600 my-key.pem
ssh -i my-key.pem ubuntu@your-server-ip
```

Important Safety Notes

Do not email the PEM file or leave it in shared folders. Private keys should be stored securely and only on systems that actually need them. If you believe the key has been exposed, replace the key pair and update the authorized public key on the server.

If you are converting keys just to move between tools, keep the files organized clearly so you know which environment uses which format.

Understanding the Difference Between PPK and PEM

PPK (PuTTY Private Key) is a format developed by the PuTTY project. It stores private key data in a way that PuTTY and its companion tools can read directly. The format includes metadata about the encryption type and a checksum that PuTTY validates when the key is loaded.

PEM (Privacy-Enhanced Mail) is a base64-encoded container format used by OpenSSH and most Linux-based SSH tools. When you see a file that begins with "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN OPENSSH PRIVATE KEY-----", that is a PEM-style key file that most Unix environments handle natively.

Critically, converting between these formats does not create a new key or change what the server accepts. The underlying cryptographic key material is identical. Conversion only changes the encoding so that different SSH clients can read the same key. A server authorized for a specific public key will accept the private key regardless of whether it is stored as PPK or PEM, as long as the conversion was done correctly.

  • PPK: PuTTY-native format, used on Windows with PuTTY and WinSCP
  • PEM: OpenSSH-compatible format, used on Linux and macOS
  • Same key material, different encoding — conversion is safe
  • Servers do not care which format the private key is stored in locally
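To tell which of these formats a given file is, and whether its headers show passphrase protection, the first lines are enough. The script below is an added example, not part of the original article; the function name `key_format` and its output labels are this example's own, and it reads header lines only, never the key material.

```bash
#!/bin/sh
# Added example: classify a private key file by its header lines only.

key_format() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # PPK files written on Windows often use CRLF line endings; strip the CR.
    first=$(head -n 1 "$file" | tr -d '\r')
    case "$first" in
        PuTTY-User-Key-File-[23]:*)
            ver=${first#PuTTY-User-Key-File-}
            ver=${ver%%:*}
            # "Encryption: none" means the private part is stored unprotected.
            enc=$(tr -d '\r' < "$file" | sed -n 's/^Encryption: *//p' | head -n 1)
            echo "ppk-v$ver encryption=${enc:-unknown}"
            ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # Passphrase status lives inside the base64 body, not in a header.
            echo "openssh"
            ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "pem encryption=yes"
            ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Legacy PEM marks passphrase protection with a Proc-Type header.
            if tr -d '\r' < "$file" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "pem encryption=yes"
            else
                echo "pem encryption=none"
            fi
            ;;
        *)
            echo "unknown"
            return 1
            ;;
    esac
}

# Usage: sh key-format.sh my-key.ppk
if [ "$#" -gt 0 ]; then
    key_format "$1"
fi
```

A result of `encryption=none` means anyone who can read the file can use the key, which makes the storage and permission advice in this guide matter even more.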

Converting PPK to PEM on Linux Using ssh-keygen

If you are on a Linux or macOS machine with a recent version of OpenSSH installed, you can convert a PPK file without PuTTYgen. Newer builds of ssh-keygen include support for reading PuTTY PPK version 2 and version 3 files and exporting them in OpenSSH format. This is useful when managing keys on a CI server or automating deployment workflows.

The command structure is straightforward: run ssh-keygen with the -p flag to change the key format and specify the input PPK file. Not all distributions ship with a version of OpenSSH recent enough to support this, so verify your version first with ssh -V. If PPK import is not supported, PuTTYgen on Windows remains the most reliable conversion path.

If you originally had a PEM file that was converted into the PPK, the simplest solution is to keep both formats. Store the PEM alongside the PPK in a clearly labeled folder so each tool knows which file to load. For long-term key management on servers accessed from both Windows and Linux environments, maintaining both files avoids repeated conversion.

Verifying the Converted Key Works

After conversion, test the key against a non-critical server or test environment before relying on it in production. A simple SSH connection with the converted PEM file confirms that the key is valid, properly formatted, and matches the authorized public key on the server.

If authentication fails after conversion, the most likely cause is a key mismatch. Converting the private key does not change its cryptographic identity, but if you accidentally exported from the wrong PPK file, the private key will not match the public key registered on the server. You can verify the fingerprint of the local key file and compare it against what is in the server's authorized_keys file to rule this out quickly.

Permission errors are another common failure point on Linux. OpenSSH refuses to use a private key file if its permissions are too broad. After conversion, restrict the file so only the owner can read it. The standard approach is chmod 600 on the PEM file, which removes group and world read access that would otherwise cause OpenSSH to reject the key before attempting authentication.

  • Test the converted key against a non-production server first
  • Compare fingerprints if authentication fails after conversion
  • Run chmod 600 on the PEM file on Linux before use
  • A key mismatch means the wrong PPK was exported, not a conversion error
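The permission and fingerprint checks above can be scripted so they run before any connection attempt. This is an added example, not code from the original article; the function names are this example's own, and it assumes `ssh-keygen` is installed and that you have a local copy of the server's authorized_keys file.

```bash
#!/bin/sh
# Added example: checks to run on a converted key before blaming the conversion.

# Print permission bits in octal (GNU stat first, then BSD/macOS stat).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Succeed only if group and others have no access (for example 600 or 400).
key_perms_ok() {
    mode=$(key_mode "$1") || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Fingerprint of a key file, e.g. SHA256:...
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Succeed if the key's fingerprint matches any entry in an authorized_keys file.
key_is_authorized() {
    fp=$(key_fingerprint "$1")
    [ -n "$fp" ] || return 2
    ssh-keygen -lf "$2" | awk -v fp="$fp" '$2 == fp { found = 1 } END { exit !found }'
}

# Usage: sh check-key.sh my-key.pem authorized_keys_copy
if [ "$#" -eq 2 ]; then
    key_perms_ok "$1" || { echo "permissions too open: run chmod 600 $1" >&2; exit 1; }
    if key_is_authorized "$1" "$2"; then
        echo "match: $(key_fingerprint "$1")"
    else
        echo "no match: the wrong PPK was probably exported" >&2
        exit 1
    fi
fi
```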

Related Key and SSH Guides

If your starting point is a PEM file and you need the opposite conversion, use the PEM-to-PPK guide instead. If you are connecting to EC2 from Windows, the EC2 SSH article helps explain how the key file fits into the full connection flow, including usernames and security group rules.

  • Related article: /blog/convert-pem-to-ppk
  • Related article: /blog/how-to-use-a-ppk-file-in-putty
  • Related article: /blog/how-to-ssh-into-aws-ec2-from-windows

FAQ

Can I convert PPK to PEM with PuTTYgen?

Yes. Load the PPK file in PuTTYgen and export it as an OpenSSH private key.

Why do I need PEM instead of PPK?

Many SSH tools and Linux-based workflows use PEM or OpenSSH-compatible private keys instead of PuTTY’s PPK format.

Is converting PPK to PEM safe?

It is safe if you store the exported private key securely and keep access restricted.

Can I use the PEM file with ssh -i?

Yes. After conversion and correct file permissions, you can usually use the key with ssh -i in terminal-based SSH workflows.

What if the converted key does not work?

Double-check that the key matches the server and that the correct public key is authorized on that server.
