Public Private Keys
For various reasons some "private keys" are public.
Example private keys are part of standards, software test suites and public documentation. Sometimes such example keys end up in production due to a lack of understanding of how public key cryptography works.
Firmware often comes with hardcoded default keys. In the past security researchers have published collections of such hardcoded keys, e.g. the littleblackbox and the House of Keys.
No matter why a private key is public, it is obvious that a "public private key" should be considered insecure and compromised.
The Kompromat repository collects "private keys that have become public". We use this collection among other sources as the basis of our blocklist.
The blocklist is created with the blocklistmaker script. You can find references to the used collections of private keys there.
You can suggest known-compromised private keys for badkeys' blocklist here.
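As an added illustration (not code from badkeys or Kompromat), one way such a blocklist can be built and queried: only a hash of each key's public modulus is stored, so the list itself discloses no private material, and a key is matched whether it appears in a TLS certificate or an SSH host key. The sample moduli and source labels are constructed placeholders, and the hashing scheme is an assumption, not badkeys' actual format.

```python
import hashlib

# Constructed sample "public private keys": in reality these would be the
# moduli extracted from leaked keys in collections such as Kompromat.
# The values below are small constructed integers, not real RSA keys.
KNOWN_COMPROMISED = {
    "constructed: example key from a test suite": 0xC0FFEE1234567890ABCDEF,
    "constructed: hardcoded firmware host key": 0xDEADBEEF0BADF00D5EED,
}


def modulus_fingerprint(n: int) -> str:
    """Fingerprint an RSA public modulus by hashing its minimal big-endian
    encoding (assumed scheme). Only the public parameter is hashed, so the
    blocklist never carries private key material."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def build_blocklist(known: dict) -> dict:
    """Map fingerprint -> human-readable source of the compromised key."""
    return {modulus_fingerprint(n): source for source, n in known.items()}


BLOCKLIST = build_blocklist(KNOWN_COMPROMISED)


def check_modulus(n: int, blocklist: dict = BLOCKLIST):
    """Return the source label if the modulus is known-compromised, else None.
    The check is independent of the key's container (certificate, SSH key,
    PGP key) because only the modulus is compared."""
    return blocklist.get(modulus_fingerprint(n))


if __name__ == "__main__":
    for n in (0xDEADBEEF0BADF00D5EED, 0x1234567890ABCDEF):
        print(hex(n), "->", check_modulus(n) or "not on blocklist")
```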
Example CVEs detected by badkeys:
- CVE-2025-32754 (jenkins/ssh-agent Docker image hardcoded ssh host keys)
- CVE-2025-32755 (jenkins/ssh-slave Docker image hardcoded ssh host keys)
- CVE-2016-10125 (DLink DGS-1100 switch static hard-coded TLS crypto keys)