Share SSH Private Key

Paste your private SSH keys securely. Zero-knowledge encryption ensures we cannot see your keys.

Why secure share ssh private key matters

An SSH private key is not just a credential — it is an identity. Whoever holds the file becomes you on every server that trusts your authorized_keys entry. A leaked private key with no passphrase grants instant, persistent shell access; one with a passphrase grants the same access after a few hours of GPU-accelerated brute force on consumer hardware.

Modern keys come in several formats — RSA-2048 (legacy, still common), RSA-4096, ECDSA, and ed25519 — and each has its own header (-----BEGIN OPENSSH PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----). All of them are equally dangerous to mishandle. The format mostly affects the brute-force resistance of the passphrase, not the consequence of an unencrypted leak.

PasteOnce is well-suited to the narrow case where a private key genuinely has to move between machines — usually when you are provisioning your own access onto a fresh device, restoring after lost credentials, or briefly granting a contractor access to a single bastion host. For all other cases (especially adding access for someone else), share their public key, never your private one.

What goes wrong when share ssh private key is shared insecurely

Lateral movement to every host. An SSH key for a bastion or jump host typically grants access to dozens of internal machines. Once an attacker has the key, the bastion's purpose is inverted — it becomes the highway in rather than the chokepoint out.
Persistence in CI build logs. Pasting a key into a CI configuration field, environment variable dump, or build-output 'echo' command commits the key permanently to your build history, often readable to every developer in the org and to anyone who later buys leaked CI archives.
ssh-agent forwarding leaks. Once you SSH into a compromised server with agent forwarding enabled, that server can use your local key to authenticate to other servers — even ones you did not intend to share access to.
Backups and unencrypted rsync. A private key copied with rsync over an unencrypted channel, or backed up to cloud storage without at-rest encryption, becomes a recoverable artifact for anyone with backup access.

Share SSH Private Key

Client-side encrypted. We can't see your data.

Press Ctrl/⌘ + Enter to send0 characters

Expires in:

End-to-End Encrypted

Your data is encrypted in your browser before it leaves your device.

Self-Destructing

Messages are automatically deleted after being read once.

Zero Knowledge

We never see your data. Only encrypted blobs pass through our servers.

One-Time View

Links work exactly once. Refresh the page and it's gone forever.

How does share ssh private key work on PasteOnce?

Client-Side Encryption

Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.

Secure Storage

Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.

One-Time Read

When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.

Best practices for share ssh private key

Prefer ed25519 for new keys

ed25519 keys are smaller, faster, and resistant to side-channel attacks that affect older RSA implementations. Generate with 'ssh-keygen -t ed25519 -a 100' for a strong KDF on the passphrase.

Always use a passphrase, even for short-lived keys

A passphrase buys you hours of brute-force margin if the key file leaks. The OpenSSH default 16-round bcrypt KDF makes offline cracking measurably expensive on commodity GPUs.

Restrict the receiving host with from= and command=

In authorized_keys, prefix the entry with 'from="192.0.2.0/24",command="/usr/bin/restricted-shell"' to limit where the key works and what it can run, even if the key itself leaks.

Rotate immediately after a one-time transfer

Once the recipient confirms the key is working, generate a new key, push it to authorized_keys, and remove the old entry. The old key becomes useless within minutes.

Related Secure Sharing Tools

Share API Key Securely Share .env Variables Share Database Credentials Share Software License Key Share Encryption Keys Share VPN Credentials Share Private Keys Securely Share Server Credentials

Real situations this is built for

Bootstrapping contractor access to a bastion

A two-week contractor needs SSH into your jump host. You generate a new keypair specifically for them, paste the private key into PasteOnce, restrict the authorized_keys entry by source IP, and revoke the entry the day the contract ends.

Restoring access during an incident

Production is down at 2 AM and the senior with admin keys is offline. They paste a recovery key into PasteOnce from their phone, the on-call engineer reads it on their laptop, fixes the issue, and the key is rotated when the dust settles.

Migrating a key between two of your own machines

You are switching laptops and the old machine does not have rsync access to the new one. PasteOnce lets you transfer the encrypted key file between two browser sessions you control, without exposing it to a third party or cloud sync.

Frequently Asked Questions

Is sharing my own private key ever the right answer?

Only in narrow cases — provisioning your own key onto a new device, or restoring access during an incident. For everyone else's access, generate them a new keypair and only ever share the public key, or have them generate locally and send you their public key.

What about ssh-keygen -R or ssh-add -d after I have rotated?

Yes — both. Run 'ssh-keygen -R hostname' to remove cached host keys and 'ssh-add -d ~/.ssh/old_key' to drop the rotated key from your local agent. Then audit ~/.ssh/authorized_keys on every machine that trusted the old key.

Should I share the public key instead?

For granting someone access to your server, yes — they only need your public key in their authorized_keys. The case for sharing a private key is the inverse: you, or a system you fully control, need to prove a specific identity that already exists.

Can I just zip up the entire .ssh folder and paste it?

PasteOnce is text-only — base64-encode the zip if you must, but it is almost always better to share keys individually. The .ssh folder also typically contains known_hosts and config files that you do not need to leak alongside the key.

Why secure share ssh private key matters

What goes wrong when share ssh private key is shared insecurely

Lateral movement to every host. An SSH key for a bastion or jump host typically grants access to dozens of internal machines. Once an attacker has the key, the bastion's purpose is inverted — it becomes the highway in rather than the chokepoint out.

Persistence in CI build logs. Pasting a key into a CI configuration field, environment variable dump, or build-output 'echo' command commits the key permanently to your build history, often readable to every developer in the org and to anyone who later buys leaked CI archives.

ssh-agent forwarding leaks. Once you SSH into a compromised server with agent forwarding enabled, that server can use your local key to authenticate to other servers — even ones you did not intend to share access to.

Backups and unencrypted rsync. A private key copied with rsync over an unencrypted channel, or backed up to cloud storage without at-rest encryption, becomes a recoverable artifact for anyone with backup access.

How does share ssh private key work on PasteOnce?

Client-Side Encryption

Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.

Secure Storage

Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.

One-Time Read

When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.

Best practices for share ssh private key

Prefer ed25519 for new keys

ed25519 keys are smaller, faster, and resistant to side-channel attacks that affect older RSA implementations. Generate with 'ssh-keygen -t ed25519 -a 100' for a strong KDF on the passphrase.

Always use a passphrase, even for short-lived keys

A passphrase buys you hours of brute-force margin if the key file leaks. The OpenSSH default 16-round bcrypt KDF makes offline cracking measurably expensive on commodity GPUs.

Restrict the receiving host with from= and command=

In authorized_keys, prefix the entry with 'from="192.0.2.0/24",command="/usr/bin/restricted-shell"' to limit where the key works and what it can run, even if the key itself leaks.

Rotate immediately after a one-time transfer

Once the recipient confirms the key is working, generate a new key, push it to authorized_keys, and remove the old entry. The old key becomes useless within minutes.

Real situations this is built for

Bootstrapping contractor access to a bastion

Restoring access during an incident

Migrating a key between two of your own machines

Frequently Asked Questions

Is sharing my own private key ever the right answer?

What about ssh-keygen -R or ssh-add -d after I have rotated?

Should I share the public key instead?

Can I just zip up the entire .ssh folder and paste it?