SSH Private Key Detector
The ssh-private-key detector identifies SSH private keys and determines whether they are password-protected (encrypted).
The detector matches PEM-formatted private keys:
```
-----BEGIN [TYPE] PRIVATE KEY-----
[base64 content]
-----END [TYPE] PRIVATE KEY-----
```
| Key Type | Finding ID |
|---|---|
| RSA | ssh-private-key-rsa |
| DSA | ssh-private-key-dsa |
| EC (ECDSA) | ssh-private-key-ec |
| OpenSSH | ssh-private-key-openssh |
| PKCS#8 | ssh-private-key-pkcs8 |
| Encrypted | ssh-private-key-encrypted |

| Key State | Severity | Rationale |
|---|---|---|
| Unencrypted | Critical | Anyone with file access can use the key |
| Encrypted | Low | Key is password-protected |
The detector checks for encryption indicators:
- `-----BEGIN ENCRYPTED PRIVATE KEY-----`
- `Proc-Type: 4,ENCRYPTED` header
- `DEK-Info:` header with cipher info

It also checks for base64-encoded cipher names:
- `YWVzMTI4LWN0cg` (aes128-ctr)
- `YWVzMjU2LWNiYw` (aes256-cbc)
- `YmNyeXB0` (bcrypt KDF)

If `bm9uZQ` (none) is found, the key is unencrypted.
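The classification rules above, as an added example in Python (not the detector's own code): traditional PEM keys are judged by their headers, PKCS#8 keys by the ENCRYPTED label, and OpenSSH keys by decoding the openssh-key-v1 blob and reading its ciphername and kdfname fields rather than searching for base64-encoded names, which avoids depending on where those fields fall in the base64 alignment. The sample keys it builds are constructed, truncated headers, not real key material.

```python
import base64
import re
import struct

# Added example, not the detector's own code. Traditional PEM keys are judged by
# Proc-Type/DEK-Info headers, PKCS#8 keys by the ENCRYPTED label, OpenSSH keys
# by decoding the openssh-key-v1 blob and reading its ciphername/kdfname fields.
PEM_RE = re.compile(
    r"-----BEGIN (?:(?P<type>[A-Z0-9]+) )?PRIVATE KEY-----\n(?P<body>.*?)-----END ",
    re.S,
)

def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return (key_type, is_encrypted), or None if no PEM private key is present."""
    m = PEM_RE.search(text.replace("\r\n", "\n"))
    if not m:
        return None
    label, body = m.group("type") or "", m.group("body")
    if label == "ENCRYPTED":            # PKCS#8 EncryptedPrivateKeyInfo wrapper
        return "PKCS8", True
    if label == "":                     # PKCS#8 PrivateKeyInfo, no passphrase
        return "PKCS8", False
    if label == "OPENSSH":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(b"openssh-key-v1\0"):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(blob, len(b"openssh-key-v1\0"))
        kdf, _ = _ssh_string(blob, off)
        return "OpenSSH", not (cipher == b"none" and kdf == b"none")
    # Traditional RSA/DSA/EC PEM: encryption is signalled by header lines
    return label, ("Proc-Type: 4,ENCRYPTED" in body and "DEK-Info:" in body)

def severity(is_encrypted):
    """Map the encryption state to the severity table above."""
    return "low" if is_encrypted else "critical"

def fake_openssh_key(cipher, kdf):
    """Constructed sample: a truncated openssh-key-v1 header, not a usable key."""
    blob = b"openssh-key-v1\0"
    for field in (cipher, kdf, b""):            # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```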
Example finding for an unencrypted key:
```json
{
  "id": "ssh-private-key-rsa",
  "probe": "ssh",
  "severity": "critical",
  "title": "Unencrypted SSH Private Key Detected (RSA)",
  "message": "An unencrypted RSA SSH private key was detected in file:/Users/dev/.ssh/id_rsa. This key is NOT password-protected...",
  "path": "file:/Users/dev/.ssh/id_rsa",
  "metadata": {
    "key_type": "RSA",
    "is_encrypted": false,
    "fingerprint": "sha256:..."
  }
}
```
Example finding for an encrypted key:
```json
{
  "id": "ssh-private-key-rsa",
  "probe": "ssh",
  "severity": "low",
  "title": "Encrypted SSH Private Key Detected (RSA)",
  "message": "An encrypted RSA SSH private key was detected in file:/Users/dev/.ssh/id_rsa. The key is password-protected...",
  "path": "file:/Users/dev/.ssh/id_rsa",
  "metadata": {
    "key_type": "RSA",
    "is_encrypted": true,
    "fingerprint": "sha256:..."
  }
}
```
An unencrypted SSH private key can be used immediately by anyone who obtains the file:
- Physical access - Someone with access to your machine
- Malware - Info stealers specifically target SSH keys
- Backup exposure - Keys in unencrypted backups
- Accidental commits - Keys committed to git repositories
To add a passphrase to an existing key:
```bash
# Add or change passphrase
ssh-keygen -p -f ~/.ssh/id_rsa

# You'll be prompted for:
# 1. Current passphrase (empty if none)
# 2. New passphrase
# 3. Confirm new passphrase
```
To generate a new key:
```bash
# Ed25519 (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# RSA (if Ed25519 not supported)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```
You’ll be prompted for a passphrase during generation.
To avoid typing your passphrase repeatedly:
```bash
# Start ssh-agent
eval $(ssh-agent)

# Add key (prompts for passphrase once)
ssh-add ~/.ssh/id_ed25519

# With timeout (1 hour)
ssh-add -t 3600 ~/.ssh/id_ed25519
```
macOS Keychain Integration:
```bash
# Add to Keychain
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
```

To use the Keychain automatically, add the following to `~/.ssh/config`:
```
Host *
  UseKeychain yes
  AddKeysToAgent yes
```
- Always use passphrases - Protects keys at rest
- Use Ed25519 - More secure and faster than RSA: `ssh-keygen -t ed25519`
- Set appropriate permissions: `chmod 600 ~/.ssh/id_*` and `chmod 700 ~/.ssh`
- Use separate keys for different purposes:
  - Personal GitHub
  - Work servers
  - Production access
- Rotate keys periodically - Replace old keys, especially if they may have been exposed
- Use SSH certificates for large-scale environments
- SSH Probe - Checks SSH configuration and key security