Choose your language

Choose your login

Contact us


[SOLVED] Google IAP Desktop error: “Connecting to VM instance failed” - CryptographicException: Object already exists

Product manager Jason Clarke (12-year veteran at PaperCut) here. I was recently tearing what’s left of my hair out while trying to access a Linux VM in a Google Cloud Compute environment.

The last time I needed access to this VM I simply opened IAP Desktop, double-clicked on the VM, and was presented with a terminal session in short order.

Not so today, reader, not so today.

I was stymied by this less-than-helpful error message:

Alt-Text: An error occurred Connecting to a VM instance failed Failed to create or access cryptographic key. If the error persists, try using an algorithm other than RSA. CryptographicException: Object already exists

Googling this Google error message was not fruitful.

It was not until an eagle-eyed coworker pasted a snippet of IAP Desktop’s code:

  catch (CryptographicException e) when (e.HResult == NTE_EXISTS)
                        // This should not happen because of the previous Exists()
                        // check, but:
                        //  - There might be a race condition (rare)
                        //  - The specific algorithm might be disabled on the machine
                        //    (also rare).
                        throw new CryptographicException(
                            "Failed to create or access cryptographic key. If the error " +
                            $"persists, try using an algorithm other than {algorithm}.", e);

And there it is, the algorithm might be disabled on the machine.

It is supposedly rare.

Well, RSA is kind-of a weak algorithm (please no culture wars, keep it to vi vs vm vs emacs please). It indeed has been disabled.

Poking around in IAP Desktop under Tools -> Options -> SSH there is a nice little drop-down that allows you to change from RSA (3072 bit) to multiple strength ECDSA NIST P-xxx keys.

IAP Desktop screenshot showing Options -> Tools -> SSH allowing the changing of Key type from RSA to ECDSA.

I selected a new Key type, clicked OK, and was on my way again.

I thought some of our readers might come across this one.

I’m also going to remind some of my developer friends about writing error messages that enable people (users, okay, USERS) to self-solve problems.

Read more tech & dev tips from PaperCut:


Subscribe for the latest in print management and product updates!

By filling out and submitting this form, you agree that you have read our Privacy Policy, and agree to PaperCut handling your data in accordance with its terms.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.