What it is

An SSH private key authenticates you to remote servers and git hosts. The matching .pub file is public; the private key is the secret that must be protected.

Why it matters for AI context

If a private SSH key is checked into the working tree, an assistant can read it as context. A leaked key allows an attacker to authenticate as you until it is revoked.

How to keep it out of AI tools

  1. Keep SSH keys in ~/.ssh, never inside a project directory.
  2. Add id_rsa, id_ed25519, and *.ppk to .gitignore.
  3. Add the same names to your AI ignore file.
  4. Revoke and regenerate any key that was committed.
Add to your ignore file
id_rsa
id_ed25519
*.ppk
.ssh/

Ignore files that exclude this

FAQ

Is the .pub file sensitive too?
No, the public key is meant to be shared. Only the private key (no extension or .ppk) must be protected.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.