This may be the most stupid question in this forum. But I just created a private repository and somehow my public and private ssh key were written into files inside the local repo.
When I published my repo to bitbucket the files with both of my SSH Keys got published, too. So now they are openly accessible on my repo. And even when I delete them you find them in the log files. How can I safely return from that mistake?
Your private key is compromised. You must replace it everywhere you used it before, immediately.
Generate a new private and public key pair, right now.
Remove the public key from the list of allowed keys everywhere you used it. Replace it with the new public key.
Remove the old private key from the history of the repository. You can follow GitHub's guide.
Remove the old private key, you don't need it anymore.
You'll need to figure out how the key ended up in the repo. To avoid further mistakes, and your new key showing up again in that repo, I suggest removing the repo from the internet while you investigate. You can easily push it back later when you're done.
There is no "return" - that private key is now compromised.
Delete your private key from ~/.ssh, and generate yourself a new one (with ssh-keygen).[1]
Yes, that will be a pain, because you'll have to re-register your public key with a bunch of stuff. But there's really no secure alternative.
[1] And then figure out how you possibly ended up adding your key to a repo in the first place!
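Two checks that follow from the answers above, as an added example that is not part of the original posts: `scan_history` lists every commit that still carries private-key material (so you can confirm a history rewrite actually worked), and `scan_staged` is the check a pre-commit hook would run to stop a repeat. The function names, the demo repository and its placeholder key are constructed for illustration; only standard `git` commands are used.

```shell
#!/bin/sh
# Added example (not from the original answers). Requires git.
# PEM and OpenSSH private keys begin with a line such as
# "-----BEGIN OPENSSH PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----".
KEY_PATTERN='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# scan_history REPO
# Print "<commit>:<path>" for every file version, in any commit reachable
# from any ref, that contains a private-key header. Deleting the file in a
# later commit does not remove these hits; only a history rewrite does.
scan_history() {
    git -C "$1" rev-parse --git-dir >/dev/null || return 2
    git -C "$1" rev-list --all |
        xargs -r git -C "$1" grep -I -l -E -e "$KEY_PATTERN" || true
}

# scan_staged REPO
# Print the staged paths that contain a private-key header. Calling this from
# .git/hooks/pre-commit and aborting on any output stops a repeat.
scan_staged() {
    git -C "$1" grep --cached -I -l -E -e "$KEY_PATTERN" || true
}

# make_demo_repo
# Build a throwaway repository reproducing the mistake with a CONSTRUCTED,
# non-functional key: commit 1 adds the key file, commit 2 deletes it.
# Prints the path of the new repository.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_demo"
    echo 'notes' > "$d/README"
    g add id_demo README
    g commit -q -m 'initial commit'
    g rm -q id_demo
    g commit -q -m 'remove key file'
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/repo
if [ $# -gt 0 ]; then scan_history "$1"; fi
```

On the demo repository the key file is gone from the working tree, yet `scan_history` still reports it under the first commit. Empty output after a history rewrite only covers your local clone; the key stays compromised either way.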