diff --git a/lib/util/git/private-key.ts b/lib/util/git/private-key.ts
index 0cb6c1b0cd541ce273450a9edf8896779ff4272c..c04504105ef726ea1c1d195b1e3b8dcb77f45307 100644
--- a/lib/util/git/private-key.ts
+++ b/lib/util/git/private-key.ts
@@ -6,6 +6,7 @@ import { PLATFORM_GPG_FAILED } from '../../constants/error-messages';
 import { logger } from '../../logger';
 import { exec } from '../exec';
 import { newlineRegex } from '../regex';
+import { addSecretForSanitizing } from '../sanitize';
 
 let gitPrivateKey: string | undefined;
 let keyId: string | undefined;
@@ -14,6 +15,7 @@ export function setPrivateKey(key: string | undefined): void {
   if (!is.nonEmptyStringAndNotWhitespace(key)) {
     return;
   }
+  addSecretForSanitizing(key.trim(), 'global');
   logger.debug(
     'gitPrivateKey: successfully set (but not yet written/configured)'
   );
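Review bot: The call `addSecretForSanitizing(key.trim(), 'global')` registers the key as one whole multi-line string, so redaction presumably only works when the complete trimmed block appears verbatim in the output. The matching logic of `sanitize` is not visible in this diff, so this should be confirmed. If it is an exact substring replace, a key printed with escaped newlines, CRLF line endings, or only in part would pass through unredacted. A comment above the call would make that limit explicit, e.g. `// best-effort redaction: only the exact trimmed key text is matched`. The body of `setPrivateKey` continues outside the hunk.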
diff --git a/lib/util/sanitize.ts b/lib/util/sanitize.ts
index 8c70e04b668c2da07e0fc557d932cab462393d3a..7411aa08db62445f2cf70b4d6b71b598355c71e0 100644
--- a/lib/util/sanitize.ts
+++ b/lib/util/sanitize.ts
@@ -41,7 +41,10 @@ export function sanitize(
 
 const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
 
-export function addSecretForSanitizing(secret: string, type = 'repo'): void {
+export function addSecretForSanitizing(
+  secret: string | undefined,
+  type = 'repo'
+): void {
   if (!is.nonEmptyString(secret)) {
     return;
   }
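Review bot: The guard `is.nonEmptyString(secret)` still accepts a whitespace-only value, and the widened signature now lets callers pass file contents straight in. A key file holding only a newline would be registered as a secret, and depending on how `sanitize` replaces matches (not shown here) that could redact every newline in the output. `setPrivateKey` already uses the stricter check, so the guard could become `if (!is.nonEmptyStringAndNotWhitespace(secret)) {`. A TSDoc line stating that `undefined` and blank values are ignored would document the new contract. The function body continues outside the hunk.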
diff --git a/lib/workers/global/config/parse/index.ts b/lib/workers/global/config/parse/index.ts
index 58352098df82f1114374889efdd46e39fc18b701..3a9aede917ecab70fc8432683e0d45443eebd119 100644
--- a/lib/workers/global/config/parse/index.ts
+++ b/lib/workers/global/config/parse/index.ts
@@ -4,6 +4,7 @@ import { mergeChildConfig } from '../../../../config/utils';
 import { addStream, logger, setContext } from '../../../../logger';
 import { detectAllGlobalConfig } from '../../../../modules/manager';
 import { ensureDir, getParentDir, readSystemFile } from '../../../../util/fs';
+import { addSecretForSanitizing } from '../../../../util/sanitize';
 import { ensureTrailingSlash } from '../../../../util/url';
 import * as cliParser from './cli';
 import * as codespaces from './codespaces';
@@ -49,10 +50,16 @@ export async function parseConfigs(
   }
 
   if (!config.privateKeyOld && config.privateKeyPathOld) {
-    config.privateKey = await readSystemFile(config.privateKeyPathOld, 'utf8');
+    config.privateKeyOld = await readSystemFile(
+      config.privateKeyPathOld,
+      'utf8'
+    );
     delete config.privateKeyPathOld;
   }
 
+  addSecretForSanitizing(config.privateKey, 'global');
+  addSecretForSanitizing(config.privateKeyOld, 'global');
+
   if (config.logContext) {
     // This only has an effect if logContext was defined via file or CLI, otherwise it would already have been detected in env
     setContext(config.logContext);
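Review bot: `addSecretForSanitizing(config.privateKey, 'global')` and the matching `privateKeyOld` call register the values exactly as read, whereas `setPrivateKey` registers `key.trim()`. File content returned by `readSystemFile` usually ends with a newline, so if the sanitizer matches the registered string verbatim (its body is not shown), an occurrence of the key without that trailing newline would not be redacted. `privateKey` is probably covered later by `setPrivateKey`, but nothing visible here does the same for `privateKeyOld`. Registering the trimmed form keeps both paths consistent: `addSecretForSanitizing(config.privateKeyOld?.trim(), 'global');` and likewise for `config.privateKey`. `parseConfigs` starts and ends outside the hunk.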