Skip to content
Latchkey

What Is a Private Key? Explained

A private key is the secret half of a cryptographic key pair, used to sign data or decrypt messages, and it must never be shared.

A private key is the single most sensitive thing in public-key cryptography. It is the secret that proves your identity: it can sign data that the world verifies with your public key, and it can decrypt messages encrypted to you. If a private key leaks, the security it provides collapses - which is why handling private keys correctly is a core CI security concern.

What a private key is

A private key is one half of a key pair, mathematically linked to a public key. It is kept secret by its owner. What the private key signs, the public key verifies; what the public key encrypts, only the private key can decrypt. Its security depends entirely on staying secret.

What a private key does

Two main jobs: signing and decryption. Signing with a private key produces a digital signature anyone can verify, proving authorship. Decryption with a private key opens messages encrypted to the matching public key. Both rely on the key remaining exclusively in the owners hands.

Why it must never leak

A leaked private key lets anyone impersonate its owner - signing fraudulent artifacts, authenticating as you, or decrypting your traffic. Leaked keys are one of the most damaging CI security incidents, which is why keys are stored as secrets and, ideally, never written to disk longer than needed.

Private keys in CI

When a pipeline must use a private key - to sign a release or authenticate as a GitHub App - it lives as a masked secret and is materialized only for the step that needs it. The modern best practice is to avoid long-lived private keys entirely, using short-lived OIDC credentials or keyless signing instead.

Scoping a private key to one step
# Use a private key only for the step that needs it
steps:
  - run: |
      printf "%s" "${{ secrets.SIGNING_KEY }}" > k.pem
      cosign sign-blob --key k.pem artifact.tar.gz
      rm -f k.pem

Latchkey note

Private keys used on Latchkey runners are masked secrets, and runner isolation means each job runs in a fresh environment that is torn down afterward - so a key written to disk does not persist into later, unrelated jobs.

Key takeaways

  • A private key is the secret half of a key pair used to sign data and decrypt messages.
  • It must never be shared; a leaked private key lets attackers impersonate its owner.
  • CI stores private keys as masked secrets, materializes them only when needed, and prefers short-lived OIDC where possible.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →