SSH private keys
SSH private keys (id_rsa, id_ed25519) grant access to servers and git remotes. They should never live in a repo an AI tool can read.
What it is
An SSH private key authenticates you to remote servers and git hosts. The matching .pub file is public; the private key is the secret that must be protected.
Why it matters for AI context
If a private SSH key is checked into the working tree, an assistant can read it as context. A leaked key allows an attacker to authenticate as you until it is revoked.
How to keep it out of AI tools
- Keep SSH keys in ~/.ssh, never inside a project directory.
- Add id_rsa, id_ed25519, and *.ppk to .gitignore.
- Add the same names to your AI ignore file.
- Revoke and regenerate any key that was committed.
Add to your ignore file
id_rsa
id_ed25519
*.ppk
.ssh/Ignore files that exclude this
FAQ
- Is the .pub file sensitive too?
- No, the public key is meant to be shared. Only the private key (no extension or .ppk) must be protected.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.