---
title: "Protect SSH Private Keys | Security Cookbook"
description: "Lock SSH private keys to ssh, git, and signed system processes while keeping public keys and config readable, stopping infostealers from credential theft."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-ssh-keys"
---

### Idea

SSH private keys are among the most valuable credentials on a developer's machine. They provide passwordless access to production servers, Git repositories, cloud infrastructure, and internal systems. For an attacker, stealing an SSH private key is like finding a master key to your entire castle.

It's no wonder that infostealers like Atomic Stealer (AMOS), Banshee Stealer, and Cthulhu Stealer specifically target ~/.ssh/ directories because they know the value of what's inside. But with Workshop and Santa's file access rules, you can lock down SSH keys so that only the processes that legitimately need them can access them.

Santa's file access authorization (FAA) rules use longest prefix matching: when more than one rule covers a path, the rule whose path prefix matches the longest span of the accessed path is the one applied. That lets a broad rule lock down everything under ~/.ssh/ while a second, more specific rule re-opens read access to only the files other tools legitimately need: the public keys, config, known_hosts and authorized_keys.

### Solutions

**File Access rule: Protect SSH Private Keys**

Block access to all files in the .ssh directory.

Path Prefixes

- /Users/\*/.ssh/

Options

- Allow Read Access: false
- Audit Only: false
- Rule Type: PathsWithAllowedProcesses

Processes

- Signing ID: platform:com.apple.ssh
- Signing ID: platform:com.apple.ssh-agent
- Signing ID: platform:com.apple.ssh-add
- Signing ID: platform:com.apple.ssh-keygen
- Signing ID: platform:com.apple.git
- Signing ID: platform:com.apple.security
- Signing ID: platform:com.apple.mdworker\_shared
- Signing ID: platform:com.apple.XProtectFramework.plugins.\*

Custom Message

Access to SSH private keys is restricted to authorized applications only. If you need access, contact your security team.

**File Access rule: Allow Public Keys and Config**

Use longest prefix matching to allow read-only access to public keys and configuration files; writes to them stay limited to the allowed processes.

Path Prefixes

- /Users/\*/.ssh/\*.pub
- /Users/\*/.ssh/config
- /Users/\*/.ssh/known\_hosts
- /Users/\*/.ssh/authorized\_keys

Options

- Allow Read Access: true
- Audit Only: false
- Rule Type: PathsWithAllowedProcesses

Processes

- Signing ID: platform:com.apple.ssh
- Signing ID: platform:com.apple.ssh-agent
- Signing ID: platform:com.apple.ssh-add
- Signing ID: platform:com.apple.ssh-keygen
- Signing ID: platform:com.apple.git
- Signing ID: platform:com.apple.security
- Signing ID: platform:com.apple.mdworker\_shared
- Signing ID: platform:com.apple.XProtectFramework.plugins.\*

Custom Message

Public SSH files accessed

### MITRE ATT&CK

Tactics

[Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

[T1552.004: Private Keys](https://attack.mitre.org/techniques/T1552/004/)

### Tags

ssh-keys, credentials, infostealer

### Deployment Notes

This uses two rules and relies on longest prefix matching. The first rule covers everything under ~/.ssh/ with Allow Read Access set to false, so both reads and writes are denied unless the calling process carries one of the listed signing IDs (the OpenSSH tools, git, the security command, Spotlight's mdworker_shared indexer and the XProtect plugins). The second rule names the public keys, config, known_hosts and authorized_keys with Allow Read Access set to true: any process may read those files, while writes to them remain limited to the same allowlist.

Santa applies the rule whose prefix matches the longest part of the accessed path. For /Users/alice/.ssh/id_ed25519.pub both rules match, but the second rule's prefix is longer, so it wins and the read is allowed; for /Users/alice/.ssh/id_ed25519 only the first rule matches, so a read by anything not on the allowlist is blocked.
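To make the longest prefix behaviour concrete, here is an added Python model of how the two rules above select a winner and reach a verdict. It is illustrative code written for this page, not Santa's implementation: it assumes a `*` in a path prefix matches a single path component (a shell-glob style simplification of Santa's own matching), that signing IDs are compared with shell-style wildcards, and that the identity checked is that of the process performing the open. The accesses at the bottom are constructed.

```python
"""Model of Santa FAA rule selection (longest matching path prefix wins) and the
verdict the winning rule produces. Added illustration for this cookbook page;
not Santa's code."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Signing IDs allowed by both rules on this page (copied from the rule cards).
SSH_PROCESSES = (
    "platform:com.apple.ssh",
    "platform:com.apple.ssh-agent",
    "platform:com.apple.ssh-add",
    "platform:com.apple.ssh-keygen",
    "platform:com.apple.git",
    "platform:com.apple.security",
    "platform:com.apple.mdworker_shared",
    "platform:com.apple.XProtectFramework.plugins.*",
)


@dataclass(frozen=True)
class Rule:
    name: str
    path_prefixes: tuple[str, ...]
    allow_read_access: bool      # True: reads allowed for every process, writes still restricted
    audit_only: bool             # True: log instead of deny
    allowed_signing_ids: tuple[str, ...]


RULES = (
    Rule("Protect SSH Private Keys", ("/Users/*/.ssh/",), False, False, SSH_PROCESSES),
    Rule(
        "Allow Public Keys and Config",
        ("/Users/*/.ssh/*.pub", "/Users/*/.ssh/config",
         "/Users/*/.ssh/known_hosts", "/Users/*/.ssh/authorized_keys"),
        True, False, SSH_PROCESSES,
    ),
)


@dataclass(frozen=True)
class Decision:
    verdict: str                 # "allow", "deny" or "audit"
    rule: Optional[str]          # name of the deciding rule, None when no rule matched
    matched_prefix: str          # concrete prefix that won longest-prefix matching


def _prefix_regex(pattern: str) -> re.Pattern:
    # Modelling assumption: '*' matches within one path component, like a shell glob.
    return re.compile("^" + re.escape(pattern).replace(r"\*", "[^/]*"))


def select_rule(path: str) -> tuple[Optional[Rule], str]:
    """Return (rule, matched prefix) for the rule whose prefix covers the longest span of path."""
    best: tuple[Optional[Rule], str] = (None, "")
    for rule in RULES:
        for pattern in rule.path_prefixes:
            m = _prefix_regex(pattern).match(path)
            if m and len(m.group(0)) > len(best[1]):
                best = (rule, m.group(0))
    return best


def decide(path: str, signing_id: str, op: str) -> Decision:
    """Verdict for a process with `signing_id` doing `op` ('read' or 'write') on `path`."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    rule, prefix = select_rule(path)
    if rule is None:
        return Decision("allow", None, "")            # no rule covers the path
    if any(fnmatchcase(signing_id, allowed) for allowed in rule.allowed_signing_ids):
        return Decision("allow", rule.name, prefix)   # process is on the rule's allowlist
    if op == "read" and rule.allow_read_access:
        return Decision("allow", rule.name, prefix)   # reads are open to everyone for this rule
    return Decision("audit" if rule.audit_only else "deny", rule.name, prefix)


if __name__ == "__main__":
    # Constructed accesses: an infostealer-like process and an editor versus /usr/bin/ssh.
    for path, sid, op in (
        ("/Users/alice/.ssh/id_ed25519", "ABCDE12345:com.example.stealer", "read"),
        ("/Users/alice/.ssh/id_ed25519", "platform:com.apple.ssh", "read"),
        ("/Users/alice/.ssh/id_ed25519.pub", "ABCDE12345:com.example.editor", "read"),
        ("/Users/alice/.ssh/config", "ABCDE12345:com.example.editor", "write"),
    ):
        d = decide(path, sid, op)
        print(f"{op:5} {path} by {sid}: {d.verdict} ({d.rule}, prefix={d.matched_prefix!r})")
```

Running it shows the constructed stealer's read of id_ed25519 denied by the first rule, while the same kind of process reading id_ed25519.pub is allowed because the second rule's prefix is longer; its write to config is still denied, since Allow Read Access only opens reads.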

### False Positive Guidance

The OpenSSH tools and git are the primary readers of SSH keys, and git itself only spawns ssh: the child ssh process (platform:com.apple.ssh) is what opens the key file, so a git build that is not on the list keeps working as long as it hands off to the system ssh. Tools that authenticate through ssh-agent over SSH_AUTH_SOCK never open the key files and are unaffected. What will be blocked is any other binary that reads ~/.ssh/id_* directly, such as a separately installed OpenSSH, CI/CD agents, deployment scripts or other tools with their own SSH implementation. Add those tools' signing IDs to both rules, and consider deploying with Audit Only set to true first so the resulting events show which processes actually touch the keys before you enforce.
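To add a tool you first need its Signing ID in the form the rules use: TeamID:Identifier, or platform:Identifier for Apple platform binaries. The helper below is added for this page (not part of it, and not Santa's code) and derives that string from the report `codesign -dv --verbose=4` prints to stderr. It assumes codesign prints a "Platform identifier" line only for Apple platform binaries and "Signature=adhoc" for ad-hoc signatures; the three sample reports are constructed, and com.example.devtool with team ID ABCDE12345 are placeholders. On a Santa-managed Mac, santactl fileinfo on the binary also reports its Signing ID directly.

```python
"""Derive the Signing ID string used in Santa rules from codesign's report.
Added helper for this cookbook page; not Santa's code."""
import subprocess
import sys
from typing import Optional


def parse_codesign(output: str) -> dict[str, str]:
    """Parse codesign's Key=Value report. Repeated keys (Authority=) keep the first,
    i.e. leaf, value; lines without '=' are ignored."""
    fields: dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key and key not in fields:
            fields[key] = value.strip()
    return fields


def santa_signing_id(output: str) -> Optional[str]:
    """Return the Signing ID to put in a rule, or None when the binary has no identity
    a Signing ID rule can pin (unsigned, or ad-hoc signed with no Team ID)."""
    f = parse_codesign(output)
    identifier = f.get("Identifier")
    if not identifier:
        return None
    if f.get("Signature") == "adhoc":
        return None
    # Assumption: 'Platform identifier=N' is printed only for Apple platform binaries,
    # which is what the 'platform:' prefix in the rules denotes.
    if "Platform identifier" in f:
        return f"platform:{identifier}"
    team = f.get("TeamIdentifier")
    if not team or team == "not set":
        return None
    return f"{team}:{identifier}"


def signing_id_for(path: str) -> Optional[str]:
    """Run codesign on a real binary (macOS only); the report goes to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True, check=False)
    return santa_signing_id(proc.stderr)


# Constructed sample reports, trimmed to the lines that matter.
SSH_REPORT = """\
Executable=/usr/bin/ssh
Identifier=com.apple.ssh
Format=Mach-O universal (x86_64 arm64e)
Platform identifier=14
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
"""

DEVTOOL_REPORT = """\
Executable=/Applications/DevTool.app/Contents/MacOS/DevTool
Identifier=com.example.devtool
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

ADHOC_REPORT = """\
Executable=/opt/homebrew/bin/sometool
Identifier=sometool
Format=Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set
"""


if __name__ == "__main__":
    for name, report in (("ssh", SSH_REPORT), ("devtool", DEVTOOL_REPORT), ("adhoc", ADHOC_REPORT)):
        print(f"{name}: {santa_signing_id(report)}")
    if len(sys.argv) > 1:  # on macOS: python3 this.py /path/to/binary
        print(signing_id_for(sys.argv[1]))
```

The None case matters in practice: a binary with an ad-hoc signature has no Team ID, so it cannot be allowlisted by Signing ID at all and needs one of Santa's other FAA process matchers (for example its path or CDHash) instead.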

### Resources

[MITRE ATT&CK - Private Keys](https://attack.mitre.org/techniques/T1552/004/)
