Type in your GitHub or GitLab handle and click Check
- ✅ - Key is safe
- 🍄 - Fine, but not recommended
- ❌ - Key needs to be replaced
- ⏰ - Key expired
How does this work?
First, you must know that GitHub and GitLab publish your public SSH keys, which means all SSH keys you registered with them. This in itself is not an issue, and it’s useful if you want to send someone an encrypted message or add SSH keys to the authorized list on some device.
This website fetches those public keys and analyzes them. On GitHub that could be https://github.com/dz0ny.keys and on GitLab https://gitlab.com/dz0ny.keys. Then a small Golang application is run as WebAssembly in your browser. This way, even if you have an outdated key (we will talk about this below), I won’t know.
A Bash alternative for this kind of check, which prints the key's bit length, fingerprint and type, is:
ssh-keygen -l -f ~/.ssh/<public_key>.pub
How can SSH keys be outdated? When I started programming 15 years ago, the default key size for an RSA key was 1024 bytes, and I had that key following me around for a long time. These days, if you want to pass CIS or SOC 2 compliance, you need stronger keys.
What are the recommended key sizes?
Recommended key sizes are as follows:
- For the RSA algorithm, at least 2048 bits; 4096 bits is recommended.
- The DSA algorithm should not be used.
- For the ECDSA algorithm, the key size should be 521 bits.
- For ED25519, the key size should be 256 bits or larger.
Sources: NIST, SSH Academy.
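As an added example (not the site's own WebAssembly code), here is a Go version of the check described above: it parses one line of a `<user>.keys` listing, reads the key size straight out of the SSH wire format without any SSH library, and maps the result onto the legend at the top of the page. The exact band that earns a 🍄 rather than a ✅ or ❌ is this example's assumption, derived from the recommendations just listed.

```go
package main
import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"math/big"
	"strings"
)

// readString pops one SSH wire-format string (uint32 length + bytes) off buf.
func readString(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 4 || uint64(len(buf)) < 4+uint64(binary.BigEndian.Uint32(buf)) {
		return nil, nil, errors.New("truncated SSH wire string")
	}
	n := 4 + binary.BigEndian.Uint32(buf)
	return buf[4:n], buf[n:], nil
}

// KeyBits parses one <user>.keys line (authorized_keys format) into algorithm name and bit size.
func KeyBits(line string) (algo string, bits int, err error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return "", 0, errors.New("malformed key line")
	}
	blob, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return "", 0, err
	}
	typ, rest, err := readString(blob) // the first wire field names the algorithm
	if algo = string(typ); err != nil || algo != parts[0] {
		return "", 0, errors.New("key type prefix does not match blob")
	}
	if algo != "ssh-rsa" { // fixed-size curves; DSA and unknown types get 0 and fail Verdict
		return algo, map[string]int{"ssh-ed25519": 256, "ecdsa-sha2-nistp256": 256,
			"ecdsa-sha2-nistp384": 384, "ecdsa-sha2-nistp521": 521}[algo], nil
	}
	// ssh-rsa wire fields: e (mpint), n (mpint); the key size is the bit length of n
	_, rest, _ = readString(rest) // skip e
	n, _, err := readString(rest) // a truncated e leaves rest empty, so err covers both
	return algo, new(big.Int).SetBytes(n).BitLen(), err
}

// Verdict maps a parsed key onto the page's legend; the exact 🍄 band is an assumption.
func Verdict(algo string, bits int) string {
	if algo == "ssh-ed25519" || algo == "ecdsa-sha2-nistp521" || (algo == "ssh-rsa" && bits >= 4096) {
		return "✅"
	}
	if (algo == "ssh-rsa" && bits >= 2048) || strings.HasPrefix(algo, "ecdsa-sha2-") {
		return "🍄" // works, but below the recommended size
	}
	return "❌" // DSA, RSA below 2048 bits and anything unrecognised
}
```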
Since when is GitHub publishing my keys?!?
This has been public knowledge for about a decade: changelog.com/posts/github-exposes-public-ssh-keys-for-its-users
Can it be used to cause harm? Yes, potentially. That is why you need to make sure your keys are strong and that you have no old keys lying around.
The GitHub docs have a great guide that you can follow. TL;DR: ED25519 should be used whenever possible.
Made with 💙 by folks at Pareto Security.