wut
Cca can't loving steal keys the way we're doing this. He's paying for the server. He never touches it, never gets FTP, never gets eval unless the host gives it to him.
To pull that stunt the malicious user needs 
1: a known key (probably their own) that is turned into a key.dat
2: another key.dat from the same server
To get the second key.dat you 
must either compromise the VPS or get FTP access.