We received a public records request for EVERY .pem file we have. Including our private keys. If we end up having to release them, we’ll revoke all of the corresponding certs and reissue them with new keys. Of course, another records request could be made and we’d have to repeat this process forever.
Note that if a .pem file is created – even temporarily – we have to retain it and potentially disclose it. Don’t even ask what happens if the .pem file is a symlink to another file name. Is the contents of a symlink “public record” the contents of the file it points to, the name of the file it points to, or both? WHO KNOWS!
I can’t believe we have to think about this, but here we are.
It's hard for me to understand how the filename determines whether or not the content is releasable under a public records law. (I understand that it might determine whether or not the content is within the scope of an individual public records request.) If you call the private key files .key, couldn't the requestor similarly request all "key files"? All files "containing PKCS#1 data"? All "ASN.1 PKI-related files"?
If you can send me a private message and let me know which agency and jurisdiction this is, I can also see if I can try to get you in touch with any additional legal assistance on the underlying subject matter question.
(I also agree with @_az's answer: the filenames in Certbot are extremely hard-coded in this regard and there is no straightforward way to permanently change them without making large changes to the Certbot code base.)
If their “loophole” is that .pem is also used for other “purposes”, then it simply needs to be clarified that these particular .pem files are not related to those uses/types/purposes.
A file extension is just text characters it doesn’t make/change the contents of the file.
Need I ask: Are these Lawyers all Idiots?
This is more of a legal question than a technical question, since any subpoena could be widened to encompass any sort of obfuscation you could apply. However, FOIA requests are allowed to exempt or redact specifically excluded sensitive information in every US jurisdiction I know of, so why aren’t your lawyers telling you how to redact the private keys instead?