Are your keys exposed in public Google searches?

A researcher has revealed this week how easy it can be to find the private keys that are supposedly securing organisations’ sensitive data. No clever hacks or tricks of the trade are necessary, just a simple Google search.

After he claimed that a web search on ‘BEGIN PGP PRIVATE KEY BLOCK’ gave 29,500 hits, I decided to test this out myself (with a few tweaks) and the number of keys out there is indeed staggering. It’s not clear how many of them are real or provide access to valuable information, but presumably some proportion of them do. And that’s worrying.

Many are probably thinking this problem doesn’t apply to them. Maybe they have passwords somewhere. Maybe they’ve checked their public folders and moved the keys.

However, what the above Google searching demonstrates is just how vulnerable keys are when they are not stored in hardware. These ones happened to be found by a web spider. But the same applies to keys inside an organisation once a Trojan or virus gets in and runs a spider of its own.

So, how protected are your keys? Try searching ‘BEGIN PGP PRIVATE KEY filetype:asc’. If you get any hits, it might be time to revisit your key management procedures…

Jon Geater has more than 10 years’ technical experience as a software architect and chief architect in the information security industry and has helped define many real-world security products and systems. As Director of Technical Strategy at Thales, Jon is a technical evangelist for the information technology security activities for Thales. Jon represents Thales at academic conferences and standards bodies, and is a co-founder of the OASIS KMIP key management group. Jon holds a BSc Hons in Computer Science.