Private keys (.key)
Files ending in .key usually hold private cryptographic keys for TLS, signing, or authentication — material that should never reach an AI assistant.
This week: 20 repos in the scanned fleet exposed this category (73 matches).See Radar #4 →
What it is
A .key file typically contains a private key in PEM or DER form, used for TLS certificates, code signing, JWT signing, or SSH. Anyone with the key can impersonate the service or decrypt its traffic.
Why it matters for AI context
If a private key sits in the working tree, an AI tool can read its contents, include it in context windows, or surface fragments in generated code or logs. Private keys are among the highest-impact secrets to expose.
How to keep it out of AI tools
- Never commit private keys; store them in a secrets manager or environment-specific vault.
- Add *.key (and specific filenames) to .gitignore.
- Add the same patterns to your AI ignore file so assistants skip them.
- Rotate and reissue any key that has been committed or shared.
*.key
*.pem
secrets/Ignore files that exclude this
FAQ
- What is the risk of an AI tool reading a private key?
- The key can leak into prompts sent to a model provider or appear in generated output. A leaked private key generally must be rotated immediately.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.