PPK vs PEM: What Is the Difference and When to Use Each

PEM stands for Privacy Enhanced Mail, though the name is mostly historical. In practice, a PEM file is a Base64-encoded container format used to store cryptographic objects including private keys, public keys, and certificates. The file starts with a header like -----BEGIN RSA PRIVATE KEY----- or -----BEGIN OPENSSH PRIVATE KEY----- and ends with a matching footer.

PEM is the default format for OpenSSH, which is what most Linux servers, macOS terminal sessions, Git, and CI/CD tools use. AWS, DigitalOcean, and most cloud providers generate and accept PEM keys. When you download a key pair from the AWS EC2 console, the file you get is a .pem file.

On Linux and macOS, you use PEM keys directly with the ssh command: ssh -i my-key.pem ubuntu@server-ip. No conversion is needed. PEM is the native format for the open-source SSH ecosystem.

PPK stands for PuTTY Private Key. It is a proprietary format created by the PuTTY project for storing SSH private keys on Windows. The file uses a different encoding and structure than PEM and is not directly interchangeable.

PuTTY is the most widely used SSH client on Windows. When you connect to a Linux server from Windows using PuTTY, you need your private key in PPK format. PuTTY cannot read PEM files directly. You must convert the PEM file to PPK using PuTTYgen, which is the companion key management tool that ships with PuTTY.

PPK files are only needed in the PuTTY ecosystem: PuTTY itself, WinSCP (which uses PuTTY for SSH), Pageant (the PuTTY authentication agent), and a few older Windows SSH tools. Outside of that ecosystem, PPK format is not standard and not supported by other tools.

The core difference is the tool ecosystem each format belongs to. PEM is the standard used by OpenSSH and nearly every modern SSH tool. PPK is a Windows-specific format used only by the PuTTY suite.

Security-wise, both formats store the same underlying private key data. A PPK file converted from a PEM file contains the same cryptographic key. The format determines which tools can read it, not the security level.

PEM is the right default for most workflows. Only convert to PPK when you specifically need to use PuTTY on Windows. Keeping the PEM file as your source of truth means you can always regenerate the PPK when needed.

You need PuTTYgen installed. It comes bundled with PuTTY when you download it from putty.org. Open PuTTYgen, click Load, and change the file filter from PuTTY Private Key Files to All Files so your .pem file appears in the dialog.

Select your .pem file. PuTTYgen imports it and shows the key fingerprint. If the key is passphrase-protected, enter the passphrase when prompted. Once loaded, click Save private key. The saved file is a .ppk file ready to use in PuTTY, WinSCP, or Pageant.

On Linux, the putty-tools package includes a command-line puttygen that converts keys without the GUI. This is useful in scripts or when working on a headless server.

If you have a PPK file and need to use it with OpenSSH, you need to convert it back to PEM. Open PuTTYgen, click Load and select your .ppk file. Once loaded, go to Conversions and then Export OpenSSH key. Save the file with a .pem extension.

On Linux, puttygen handles this from the command line. After converting, set the correct file permissions with chmod 400 before using the key with ssh.

"Error loading key: bad permissions" is not a format error. It means the PEM file permissions are too open. SSH refuses to use a private key that other users can read. Run chmod 400 my-key.pem to fix it.

"Unable to load key file" in PuTTY usually means you are trying to load a PEM file directly without converting it first. PuTTY expects a .ppk file. Use PuTTYgen to convert, then load the .ppk in PuTTY.

"Invalid format" when converting often means the PEM file was created or edited on Windows and has CRLF line endings instead of LF. Run dos2unix my-key.pem on Linux to fix the line endings before converting.