Why does Amazon release private keys instead of public keys

Tags: amazon-ec2, private-key, public-key, sftp

My brain is wrapped around the axle on public and private keys. When you create a cloud server (instance) on Amazon's EC2 service and then want to connect to it via SSH, Amazon requires you to download a private key to make the connection. Doesn't the idea behind public/private keys suggest that Amazon should require you to download a public one?

Further, if I set up an SFTP server for a customer to use, should I be installing their key on the server or giving them a key from the server? In either case, should it be a public or private key?

Best Answer

Thinking more deeply about the authentication process, what needs to be kept secret? Amazon knows the public half of the key, and anybody can know the public half. The public half of the keypair, when matched with the private half, denotes that the private half was used to authenticate.

Your private key that is provided to you when Amazon generates a keypair for you is only useful if you're the only one that has it. If it's not a secret, then anybody else who knows it can also authenticate to anybody who holds the public half of the keypair.

Whoever is being authenticated must hold the private half. It's ok if everybody in the world can authenticate you by holding the public half of the key, but only you should be in control of the private half.
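The split the answer describes, modelled as an added example that is not part of the original post or of Amazon's tooling: the server side keeps only public halves (the role of authorized_keys), the client keeps the private half, and a challenge signed with the private key is what proves control of it. The Server and Client types, the Ed25519 key type and the nonce-signing exchange are assumptions for illustration; real SSH authentication wraps this idea in its own protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server models the SSH/SFTP side: it stores only public halves, the role
// ~/.ssh/authorized_keys plays, and never holds anyone's private key.
type Server struct{ authorized map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{authorized: map[string]ed25519.PublicKey{}} }

// Authorize installs a user's public key, as appending to authorized_keys does.
func (s *Server) Authorize(user string, pub ed25519.PublicKey) { s.authorized[user] = pub }

// Challenge hands the client a fresh random nonce to sign.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify passes only if the signature over the nonce checks out against the
// public half on file, i.e. the client controls the matching private half.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.authorized[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

// Client is the party being authenticated; it is the only holder of the
// private half (the file EC2 has you download when it generates the pair).
type Client struct{ priv ed25519.PrivateKey }

func (c Client) Answer(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

// Demo runs the exchange for the legitimate key holder and for an impostor
// who can see the public half but holds a different private key.
func Demo() (legit, impostor bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the generated keypair
	if err != nil { return }
	srv := NewServer()
	srv.Authorize("customer", pub) // server keeps the public half only
	nonce, err := srv.Challenge()
	if err != nil { return }
	legit = srv.Verify("customer", nonce, Client{priv}.Answer(nonce))
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // unrelated private key
	if err != nil { return }
	impostor = srv.Verify("customer", nonce, Client{otherPriv}.Answer(nonce))
	return
}

func main() { l, i, err := Demo(); fmt.Println("legit:", l, "impostor:", i, "err:", err) }
```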