PuTTY Private Key (PPK)
Detects the header line of a PuTTY private key file (.ppk), as produced by PuTTYgen. The header begins with 'PuTTY-User-Key-File-' followed by the format version (2 or 3) and the SSH key algorithm. A leaked .ppk grants SSH access to whatever hosts trust the corresponding public key.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the 'PuTTY-User-Key-File-' prefix with a version digit and colon is a fixed, distinctive marker of a private key file and almost never appears outside of an actual .ppk file.
- Jurisdictions: global
- Regulations: GDPR, CCPA/CPRA
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 10
- Platform compatibility: Purview (Compatible), GCP DLP (Compatible), Macie (Compatible), Zscaler (Compatible), Palo Alto (Compatible), Netskope (Unsupported)
Pattern
PuTTY-User-Key-File-[23]:\s*(?:ssh-(?:rsa|dss|ed25519|ed448)|ecdsa-sha2-nistp\d{3})?
Corroborative evidence keywords
private key, PuTTY, ppk, PuTTYgen, ssh key, key file, passphrase
Proximity: 300 characters
Should match
- PuTTY-User-Key-File-2: ssh-rsa — PPK v2 header with ssh-rsa algorithm
- PuTTY-User-Key-File-3: ssh-ed25519 — PPK v3 header with ssh-ed25519 algorithm
- PuTTY-User-Key-File-3: ecdsa-sha2-nistp256 Encryption: none Comment: imported-openssh-key — PPK v3 header with ECDSA algorithm and following metadata lines
Should not match
- PuTTY-User-Key-File-1: ssh-rsa — Version 1 is not a real PPK format version
- -----BEGIN OPENSSH PRIVATE KEY----- — OpenSSH private key, not a PuTTY .ppk file
- convert the OpenSSH key to a PuTTY user key file before connecting — Prose mention of a PuTTY key file without the actual header
Known false positives
- Documentation or tutorials that quote the PPK header line without real key material. Mitigation: Require corroborative keywords and confirm the Public-Lines / Private-Lines base64 body follows.
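One way to apply the body check from the mitigation above, as an added example that is not part of the original rule: the page's pattern finds headers, and a header is treated as key material only when Public-Lines and Private-Lines blocks with the declared number of base64 lines follow it. The function names, verdict labels and sample inputs are constructed for illustration; keyword proximity is left to the DLP engine.

```python
import re

# Header pattern copied from the rule on this page.
HEADER = re.compile(
    r"PuTTY-User-Key-File-[23]:\s*"
    r"(?:ssh-(?:rsa|dss|ed25519|ed448)|ecdsa-sha2-nistp\d{3})?"
)
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")  # assumed shape of one body line

# Constructed samples: filler base64, not real key material.
PPK_FILE = """PuTTY-User-Key-File-3: ssh-ed25519
Encryption: none
Comment: constructed-sample
Public-Lines: 2
Q09OU1RSVUNURUQtU0FNUExF
LU5PVC1BLUtFWQ==
Private-Lines: 1
Q09OU1RSVUNURUQ=
Private-MAC: 00000000
"""
TUTORIAL = "Check that the file begins with PuTTY-User-Key-File-3: ssh-ed25519 and enter the passphrase.\n"

def _block_end(text, kind, start=0):
    """Offset just past a '<kind>-Lines: N' line that is followed by N base64 lines, else -1."""
    pat = re.compile(rf"^{kind}-Lines:[ \t]*(\d+)[ \t]*\r?\n", re.M)
    for m in pat.finditer(text, start):
        n = int(m.group(1))
        body = text[m.end():].splitlines()[:n]
        if n > 0 and len(body) == n and all(B64_LINE.fullmatch(l.strip()) for l in body):
            return m.end()
    return -1

def scan(text):
    """Return (header, verdict) for every header the page's pattern matches."""
    hits = list(HEADER.finditer(text))
    out = []
    for i, m in enumerate(hits):
        # Look only as far as the next header so one key's body cannot vouch for another.
        stop = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        tail = text[m.end():stop]
        pub = _block_end(tail, "Public")
        ok = pub != -1 and _block_end(tail, "Private", pub) != -1
        out.append((m.group(0).strip(), "key_material" if ok else "header_only"))
    return out

if __name__ == "__main__":
    for name, sample in (("ppk file", PPK_FILE), ("tutorial", TUTORIAL)):
        print(name, scan(sample))
```

A `header_only` verdict corresponds to the documented false positive (a quoted header without a key body) and can be routed to a lower severity instead of being dropped.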