SSH & PGP Private Key Detection

Private SSH and PGP keys are the most dangerous type of hardcoded secret — they grant direct server access without any additional authentication. A single committed SSH key can provide root access to production infrastructure, and PGP keys can decrypt years of encrypted communications.

Verified by Precogs Threat Research

sshpgpprivate-keyscryptographicUpdated: 2026-03-22

SSH Key Exposure Risks

SSH private keys committed to repositories grant direct server access. Unlike passwords, SSH keys typically don't expire and aren't protected by rate limiting or MFA. A leaked key to a bastion host can pivot to the entire internal network. Keys are often shared across teams and environments, multiplying the blast radius.

Where Keys Hide

SSH/PGP keys are found in: id_rsa files committed to git, deploy keys in CI/CD configs, Dockerfiles copying keys for build-time SSH access (git clone from private repos), Ansible playbooks with embedded keys, Kubernetes secrets (base64-encoded), and backup archives accessible via web servers.

Precogs AI Key Detection

Precogs AI detects private keys by identifying PEM-encoded blocks (-----BEGIN RSA PRIVATE KEY-----), OpenSSH format keys, PuTTY PPK files, and PGP/GPG private key blocks across source code, git history, Docker images, and config files. We also detect references to key files in CI/CD configurations and Dockerfiles.

Attack Scenario: The Open Source Package Hijack (PGP Leak)

A lead maintainer of a widely-used open-source NPM package backs up their development virtual machine configurations to a public dotfiles repository on GitHub.

They inadvertently include their `~/.gnupg` directory containing their PGP private keys used for signing releases, assuming the passphrase will protect it.

An attacker clones the dotfiles repository and extracts the PGP private key.

The attacker uses a cluster of GPUs and Hashcat to brute-force the weak backup passphrase protecting the PGP key.

Once unlocked, the attacker pushes a malicious update to the NPM registry. They sign the malicious release with the stolen PGP key.

All client build verifying systems accept the malicious update because the cryptographic signature perfectly matches the trusted maintainer.

Real-World Code Examples

Exposed RSA Private Keys (CWE-256)

SSH and PGP private keys are the backbones of infrastructure administration and cryptographic signing. A leaked `id_rsa` or `id_ed25519` file allows an attacker to bypass all passwords and 2FA, directly opening an administrative terminal session on the target servers or impersonating the developer to sign malicious software commits.

VULNERABLE PATTERN

# VULNERABLE: SSH key embedded directly in CI/CD configuration
# Found in .github/workflows/deploy.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to production via SSH
        run: |
          mkdir -p ~/.ssh
          # The entire private key is exposed in the YAML!
          echo "-----BEGIN OPENSSH PRIVATE KEY-----
          b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
          # ... lines truncated ...
          -----END OPENSSH PRIVATE KEY-----" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh deploy@192.168.1.100 'bash /opt/deploy.sh'

SECURE FIX

# SAFE: Utilizing GitHub Actions Secrets
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to production via SSH
        run: |
          mkdir -p ~/.ssh
          # The key is securely injected by the CI runner at execution time
          # It is never visible in the source code
          echo "${{ secrets.PROD_SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh deploy@192.168.1.100 'bash /opt/deploy.sh'

Detection & Prevention Checklist

✓Implement filesystem-level scanning preventing any file starting with `-----BEGIN OPENSSH PRIVATE KEY-----` or `-----BEGIN PGP PRIVATE KEY BLOCK-----` from being committed
✓Mandate the usage of SSH Certificates backed by an internal Certificate Authority (e.g., HashiCorp Vault, Teleport) with 4-hour expiration windows rather than raw public/private ssh keys
✓Require hardware security modules (YubiKey / SmartCards) for all highly privileged administrative SSH / PGP key operations
✓Scan `.gitignore` configurations specifically ensuring directories like `.ssh`, `.gnupg`, and `.aws` are globally excluded across all developer profiles
✓Rotate all infrastructure SSH keys immediately upon the offboarding of any administrative staff possessing access to the raw key material

🛡️

How Precogs AI Protects You

Precogs AI detects private SSH keys, PGP keys, and certificates across source code, git history, Docker images, Kubernetes secrets, and CI/CD pipelines — preventing the most dangerous type of credential exposure.

Start Free Scan

How do you detect SSH keys committed to Git?

Precogs AI detects PEM-encoded private keys, OpenSSH format keys, PuTTY PPK files, and PGP blocks across source code, git history, Docker images, and CI/CD configurations — preventing cryptographic key exposure.

Scan for SSH & PGP Private Key Detection Issues

Precogs AI automatically detects ssh & pgp private key detection vulnerabilities and generates AutoFix PRs.