Deployment
PPK vs PEM: Complete Guide to SSH Key Formats, Differences and Conversion
PPK (PuTTY Private Key) and PEM (OpenSSH) are both SSH private key formats, but they work with completely different tools. This guide explains the exact differences, which format to use on Windows, Linux and macOS, how to convert between them with PuTTYgen and the command line, and how to fix every common error.
PPK vs PEM: One-Paragraph Answer
PEM (.pem) is the standard OpenSSH private key format. It is what AWS, DigitalOcean, Google Cloud and every major cloud provider give you when you create a key pair. PEM works natively on Linux, macOS, Windows OpenSSH, Git, and all CI/CD tools. PPK (.ppk) stands for PuTTY Private Key and is a proprietary format used exclusively by PuTTY and its companion tools on Windows. PuTTY cannot read PEM files directly, so you must convert PEM to PPK using PuTTYgen before connecting. Both formats contain the same underlying private key — conversion only changes the file encoding, not the key itself.
Rule of thumb: keep the PEM file as your master key. Only convert to PPK when you specifically need to use PuTTY on Windows. If you use the built-in ssh command in PowerShell or Windows Terminal, or Git Bash on Windows, you do not need PPK at all — PEM works directly.
- PEM: Linux, macOS, Windows OpenSSH, Git, GitHub Actions, AWS CLI, all cloud CLIs
- PPK: PuTTY terminal, WinSCP, Pageant SSH agent, plink — Windows only
- Converting between formats does not change the cryptographic key
- Always keep the original PEM file — you can regenerate PPK from it any time
PPK vs PEM: Side-by-Side Comparison
The table below covers every tool and platform so you can find your exact situation at a glance:
- Full name — PEM: Privacy Enhanced Mail | PPK: PuTTY Private Key
- File extension — PEM: .pem or .key | PPK: .ppk
- Format — PEM: Base64 text with BEGIN/END header | PPK: PuTTY proprietary text structure
- Linux ssh command — PEM: Yes (native) | PPK: No
- macOS ssh command — PEM: Yes (native) | PPK: No
- Windows OpenSSH / PowerShell ssh — PEM: Yes | PPK: No
- Windows Git Bash — PEM: Yes | PPK: No
- VS Code Remote SSH — PEM: Yes | PPK: No (use PEM or ssh config)
- PuTTY terminal — PEM: No (must convert) | PPK: Yes
- WinSCP — PEM: No (must convert) | PPK: Yes
- Pageant SSH agent — PEM: No | PPK: Yes
- plink command line — PEM: No | PPK: Yes
- AWS EC2 console download — PEM: Yes (default) | PPK: No (convert after downloading)
- GitHub / GitLab SSH auth — PEM: Yes | PPK: No
- GitHub Actions CI/CD — PEM: Yes | PPK: No
- Conversion tool — PEM to PPK: PuTTYgen (Windows) or puttygen (Linux/macOS) | PPK to PEM: same tools
What Is a PEM File?
PEM stands for Privacy Enhanced Mail. The name is historical — PEM files have nothing to do with email. In practice a PEM file is a Base64-encoded text container used to store SSH private keys, public keys, and SSL/TLS certificates. You can open a PEM file in any text editor and see the Base64 content between the header and footer lines.
PEM is the native format of OpenSSH, which is used by Linux, macOS, Windows 10 and 11 (via the built-in OpenSSH feature), Git, GitHub, and every modern cloud CLI. When you create a key pair in the AWS EC2 console and click Download, the file you receive is a .pem file. The same format is used by DigitalOcean, Google Cloud, Azure, and Linode.
On Linux and macOS you use PEM keys directly. Set permissions first, then connect: chmod 400 my-key.pem and then ssh -i my-key.pem ubuntu@server-ip. On Windows with built-in OpenSSH, the same command works in PowerShell: ssh -i .my-key.pem ubuntu@server-ip. No conversion needed.
- Header example: -----BEGIN OPENSSH PRIVATE KEY----- (new format) or -----BEGIN RSA PRIVATE KEY----- (old format)
- Generated by: ssh-keygen (Linux/macOS/Windows), AWS EC2 console, cloud provider dashboards
- Permissions required on Linux/macOS: chmod 400 my-key.pem (owner read-only)
- Works with: ssh, scp, rsync, git clone, GitHub Actions, Terraform, Ansible, AWS CLI
What Is a PPK File? (PPK Full Form)
PPK stands for PuTTY Private Key. PPK is a proprietary format created by the PuTTY project to store SSH private keys on Windows. The PPK full form in AWS documentation and tutorials always means PuTTY Private Key. AWS guides for Windows users specifically mention converting the downloaded .pem file to .ppk format because AWS only provides PEM keys and PuTTY cannot read them directly.
PuTTY is the most widely used third-party SSH terminal on Windows. Before Microsoft added OpenSSH to Windows 10 in 2018, PuTTY was the primary way to SSH from Windows at all. Because PuTTY predates modern OpenSSH conventions, it uses its own key format. The PuTTYgen tool (included with every PuTTY download) handles creating and converting PPK files.
PPK files only work within the PuTTY ecosystem: PuTTY (the terminal emulator), WinSCP (the graphical file transfer client), Pageant (the SSH agent that holds keys in memory so you do not retype the passphrase), and plink (the command-line PuTTY used in scripts). No other SSH tool recognises PPK format.
- PPK full form: PuTTY Private Key
- File header: PuTTY-User-Key-File-3: (or -2: for older versions)
- Only works with: PuTTY, WinSCP, Pageant, plink
- Conversion tool: PuTTYgen (Windows GUI) or puttygen (Linux/macOS command line)
PEM or PPK: Which Format to Use on Windows, Linux and macOS?
On Linux or macOS: always PEM. Every SSH tool on Linux and macOS reads PEM natively. There is no reason to use PPK on these platforms.
On Windows with PuTTY: you need PPK. Convert the PEM to PPK once using PuTTYgen. Keep both files. Use PPK in PuTTY and WinSCP, and PEM for everything else.
On Windows with built-in OpenSSH: PEM. Windows 10 (version 1809 and later) and Windows 11 include OpenSSH. Open PowerShell and run ssh -i .my-key.pem ubuntu@server-ip. If the ssh command is not found, go to Settings, Apps, Optional features, Add a feature, and install OpenSSH Client. No PPK needed.
On Windows with Git Bash: PEM. Git for Windows ships with OpenSSH. PEM keys work in Git Bash exactly like on Linux.
On Windows with VS Code Remote SSH: PEM. Configure the key path in ~/.ssh/config and VS Code connects using OpenSSH.
- Linux / macOS: PEM always — chmod 400 key.pem then ssh -i key.pem user@host
- Windows + PuTTY: PPK — convert from PEM with PuTTYgen before first connection
- Windows + PowerShell OpenSSH: PEM — ssh -i .key.pem user@host
- Windows + Git Bash: PEM — same as Linux syntax
- Windows + VS Code Remote SSH: PEM — add IdentityFile path to SSH config
AWS EC2: PEM vs PPK Workflow
AWS EC2 always generates key pairs in PEM format. When you launch an instance and create a new key pair, the file you download is a .pem file named something like my-ec2-key.pem. AWS documentation covers two connection paths depending on your OS and SSH client.
If you are on Linux or macOS, or using Windows with PowerShell or Git Bash, use the PEM file directly. If you are on Windows and use PuTTY, you must convert the PEM to PPK first using PuTTYgen. AWS provides step-by-step instructions for this conversion in the EC2 documentation under Connecting to your Linux instance using PuTTY.
A practical recommendation for AWS users: download the PEM file, store it securely, and convert to PPK only if you use PuTTY. If you install Windows OpenSSH or Git Bash, you can use the PEM file directly on Windows and skip the conversion entirely.
# On Linux / macOS — connect to EC2 directly with PEM
chmod 400 my-ec2-key.pem
ssh -i my-ec2-key.pem ec2-user@your-instance-public-ip
# For Ubuntu AMIs use ubuntu@ instead of ec2-user
ssh -i my-ec2-key.pem ubuntu@your-instance-public-ip
# On Windows PowerShell (OpenSSH built-in)
ssh -i .my-ec2-key.pem ec2-user@your-instance-public-ipHow to Convert PEM to PPK Using PuTTYgen (Windows GUI)
Step 1: Download PuTTY from putty.org and run the installer. PuTTYgen is included — no separate download needed. After installation, find PuTTY Key Generator in the Start menu or search for puttygen.
Step 2: Open PuTTYgen. You will see a window with a key type selector (RSA is default) and a Generate button. Do not click Generate — you are loading an existing key, not creating a new one.
Step 3: Click Load. In the file dialog, change the file type filter from PuTTY Private Key Files (*.ppk) to All Files (*.*). This is the step people most often miss. Without changing the filter your .pem file will not appear in the list.
Step 4: Navigate to your .pem file and click Open. PuTTYgen imports the key and shows the fingerprint. If the key is passphrase-protected, enter the passphrase when prompted.
Step 5: Click Save private key. When PuTTYgen asks whether you want to save without a passphrase, click Yes if your key has no passphrase, or add one now for extra security. Save the file with a .ppk extension. The file is ready to use in PuTTY and WinSCP.
How to Convert PEM to PPK and PPK to PEM on the Command Line
On Linux, install putty-tools to get the command-line puttygen. On macOS, install putty via Homebrew. The conversions are single commands:
# Install puttygen on Linux
sudo apt install putty-tools # Debian / Ubuntu
sudo yum install putty # Amazon Linux / CentOS
brew install putty # macOS
# Convert PEM to PPK
puttygen my-key.pem -o my-key.ppk
# Convert PEM to PPK (explicit output type)
puttygen my-key.pem -O private -o my-key.ppk
# Convert PPK back to PEM (OpenSSH format)
puttygen my-key.ppk -O private-openssh -o my-key.pem
# Set correct permissions after converting to PEM
chmod 400 my-key.pem
# Verify the converted PEM key works
ssh -i my-key.pem ubuntu@your-server-ipUsing Your PPK File with PuTTY and plink
To use a PPK file in PuTTY: open PuTTY, enter the server IP in Host Name, set Port to 22, then in the left panel go to Connection, then SSH, then Auth, then Credentials. In the Private key file for authentication field, click Browse and select your .ppk file. Back in Session, type a name in Saved Sessions and click Save so you do not need to reconfigure this every time.
plink is the command-line version of PuTTY for Windows automation and deployment scripts. It reads PPK files with the -i flag:
# Connect with plink (interactive session)
plink -ssh ubuntu@your-server-ip -i my-key.ppk
# Run a single remote command with plink (-batch skips host-key prompts)
plink -ssh ubuntu@your-server-ip -i my-key.ppk -batch "uptime"
# Accept the server host key on first connection
plink -ssh ubuntu@your-server-ip -i my-key.ppk -hostkey "ssh-ed25519 255 AA..."Common Errors and How to Fix Them
WARNING: UNPROTECTED PRIVATE KEY FILE or bad permissions: the PEM file is readable by other users. Run chmod 400 my-key.pem on Linux or macOS to restrict it to owner-read-only. On Windows with OpenSSH, right-click the file, open Properties, go to Security, click Advanced, disable inheritance, remove all entries except your own account, and grant Read permission only.
Unable to load key file in PuTTY: you are loading a .pem file directly into PuTTY. PuTTY cannot read PEM format. Convert it to PPK using PuTTYgen first, then load the .ppk file in PuTTY under Connection, SSH, Auth.
PuTTYgen: not a recognised key file: the PEM file has Windows CRLF line endings. Open a Linux terminal and run dos2unix my-key.pem to convert line endings, then retry the import in PuTTYgen.
Invalid private key or No supported authentication methods: the PPK file header starts with PuTTY-User-Key-File but the tool expects a PEM file. Convert back to PEM using puttygen -O private-openssh or PuTTYgen Conversions menu.
Permission denied (publickey): the key file is readable but the server does not accept it. The public key must be in ~/.ssh/authorized_keys on the server. Check that you are using the correct username (ubuntu for Ubuntu, ec2-user for Amazon Linux) and that the public key fingerprint matches.
- Bad permissions on Linux: chmod 400 key.pem
- PuTTY cannot load .pem: convert to .ppk with PuTTYgen first
- CRLF line endings: run dos2unix key.pem before converting
- Permission denied (publickey): check authorized_keys on the server and correct username
How to Securely Store and Manage PPK and PEM Files
A private key file grants SSH access to every server that has the matching public key. Treat it with the same care as a password. Never commit PEM or PPK files to a git repository, upload them to public cloud storage, or share them in Slack or email.
Add *.pem and *.ppk to your global git ignore file immediately: echo "*.pem" >> ~/.gitignore_global and git config --global core.excludesfile ~/.gitignore_global. For CI/CD pipelines, store the key content in an environment variable or secret manager (GitHub Actions Secrets, AWS Secrets Manager, HashiCorp Vault) rather than as a file.
Always add a passphrase when generating or saving a PPK file. Use Pageant (the PuTTY SSH agent) to enter the passphrase once per Windows session — Pageant holds the decrypted key in memory so you do not retype it for every PuTTY or WinSCP connection. On Linux and macOS, ssh-agent serves the same role for PEM keys.
- Add *.pem and *.ppk to .gitignore immediately — never commit private keys
- Store in a password manager (1Password, Bitwarden) as a secure file attachment
- For CI/CD: use GitHub Secrets or AWS Secrets Manager, not files in the repo
- Add a passphrase to the key for encryption at rest
- Use Pageant (Windows) or ssh-agent (Linux/macOS) to avoid retyping passphrases
FAQ
What is the difference between PPK and PEM files?
PEM (.pem) is the standard OpenSSH private key format used by Linux, macOS, Windows built-in SSH, Git, and all cloud providers. PPK (.ppk) is PuTTY Private Key format, a proprietary format used only by PuTTY and related Windows tools (WinSCP, Pageant, plink). Both contain the same underlying cryptographic key. The difference is only the file encoding and which tools can read it. Convert PEM to PPK with PuTTYgen when you specifically need to use PuTTY on Windows.
What does PPK stand for in AWS?
PPK stands for PuTTY Private Key. AWS generates and provides key pairs in PEM format (.pem). In the AWS EC2 connection documentation, PPK is mentioned specifically for Windows users who connect using PuTTY. Because PuTTY cannot read PEM files, AWS instructs those users to convert the downloaded .pem file to .ppk format using PuTTYgen before configuring PuTTY to connect. If you use Windows OpenSSH or Git Bash instead of PuTTY, you can use the PEM file directly.
Can PuTTY use a PEM file directly?
No. PuTTY requires PPK format for SSH key authentication. It cannot load a .pem file in the Auth configuration. You must first open PuTTYgen, click Load, change the file filter to All Files, select the .pem file, then click Save private key to create the .ppk file. Only then can you load the .ppk in PuTTY under Connection, SSH, Auth, Credentials.
Does converting between PEM and PPK change the SSH key?
No. The underlying RSA or ED25519 private key is identical in both formats. Converting only changes the file encoding and structure. The public key fingerprint stays exactly the same. The server does not need to be reconfigured — the same public key already in authorized_keys works whether you connect with a PEM-based OpenSSH client or a PPK-based PuTTY client.
Which format should I use on Windows?
It depends on your SSH client. PuTTY: use PPK (convert from PEM with PuTTYgen). Windows built-in OpenSSH (ssh command in PowerShell): use PEM. Git Bash: use PEM. VS Code Remote SSH: use PEM. The clearest approach is to always start with PEM (which is what AWS and all cloud providers give you) and only convert to PPK if PuTTY is your SSH client. You can always regenerate the PPK from the PEM — never throw away the original PEM file.
Is the difference between .pem and .ppk just the file extension?
No. The file extension reflects a genuine internal format difference. A .pem file starts with -----BEGIN OPENSSH PRIVATE KEY----- and contains Base64-encoded OpenSSH key data. A .ppk file starts with PuTTY-User-Key-File-3: and has a completely different internal structure. Renaming a .pem file to .ppk (or vice versa) will not make it work — tools check the internal format, not the extension.
What is a PEM key and what does the header line mean?
A PEM key is a private key stored as Base64-encoded text. The header line identifies the key type. -----BEGIN RSA PRIVATE KEY----- is an older PKCS#1 RSA key. -----BEGIN OPENSSH PRIVATE KEY----- is the modern OpenSSH format used for ED25519, ECDSA and newer RSA keys. -----BEGIN EC PRIVATE KEY----- is an Elliptic Curve key in PKCS#8 format. All three are PEM format and work identically with the ssh -i command. The modern BEGIN OPENSSH PRIVATE KEY format is the default output of ssh-keygen since OpenSSH 7.8.
How do I fix bad permissions on a PEM file?
On Linux or macOS run chmod 400 my-key.pem in the terminal. This makes the file readable only by the owner, which SSH requires. If you see WARNING: UNPROTECTED PRIVATE KEY FILE or Permissions 0644 are too open, this is the fix. On Windows with OpenSSH, right-click the .pem file, go to Properties, Security, Advanced, click Disable inheritance, remove all inherited permissions, then add your own user account with Read permission only.
How do I convert an OpenSSH key to PuTTY format on the command line?
Install puttygen: sudo apt install putty-tools on Ubuntu/Debian, brew install putty on macOS. Then run puttygen my-key.pem -o my-key.ppk to convert PEM to PPK. To go the other direction: puttygen my-key.ppk -O private-openssh -o my-key.pem followed by chmod 400 my-key.pem. Both commands run without a GUI and work in automation scripts.
Can I use the same key pair for both PuTTY and OpenSSH?
Yes. Start with the PEM file (your master key). Convert a copy to PPK for PuTTY using PuTTYgen. Both the PEM and the PPK derive from the same underlying key — the same public key entry in authorized_keys on the server authenticates connections from both PuTTY with the PPK and OpenSSH with the PEM. You never need two separate key pairs just because you use two different SSH clients.
Related free tools
If you want to turn this topic into action, use one of ShortIQ's free tools for campaign planning, UTM structure, or QR distribution.
Continue Reading
Explore more guides on link shortener SaaS strategy, Bitly alternatives, and white label link management.
Free newsletter
Get new guides in your inbox
We publish practical guides on dev tooling, prompt engineering, marketing workflows, and deployment. No fluff — straight to the point.
No spam. Unsubscribe any time.
Was this article helpful?
Tell us if this guide solved the problem or what was still missing. We use this to improve the blog and only follow up if you explicitly allow it.