diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel
index 483a84dfc..7b29a66fa 100644
--- a/cli/internal/cmd/BUILD.bazel
+++ b/cli/internal/cmd/BUILD.bazel
@@ -37,6 +37,7 @@ go_library(
 "miniup_linux_amd64.go",
 "recover.go",
 "spinner.go",
+ "ssh.go",
 "status.go",
 "terminate.go",
 "upgrade.go",
@@ -46,7 +47,6 @@ go_library(
 "validargs.go",
 "verify.go",
 "version.go",
- "ssh.go",
 ],
 importpath = "github.com/edgelesssys/constellation/v2/cli/internal/cmd",
 visibility = ["//cli:__subpackages__"],
@@ -117,8 +117,8 @@ go_library(
 "//internal/attestation/azure/tdx",
 "@com_github_google_go_sev_guest//proto/sevsnp",
 "@com_github_google_go_tpm_tools//proto/attest",
- "@org_golang_x_crypto//hkdf",
 "@org_golang_x_crypto//ssh",
+ "//internal/kms/setup",
 ] + select({
 "@io_bazel_rules_go//go/platform:android_amd64": [
 "@org_golang_x_sys//unix",
diff --git a/cli/internal/cmd/ssh.go b/cli/internal/cmd/ssh.go
index b1cdb5093..9e4a66b1e 100644
--- a/cli/internal/cmd/ssh.go
+++ b/cli/internal/cmd/ssh.go
@@ -7,18 +7,20 @@ SPDX-License-Identifier: AGPL-3.0-only
 package cmd
 
 import (
+ "bytes"
 "crypto/ed25519"
 "crypto/rand"
- "crypto/sha256"
 "fmt"
 "time"
 
 "github.com/edgelesssys/constellation/v2/internal/constants"
+ "github.com/edgelesssys/constellation/v2/internal/crypto"
 "github.com/edgelesssys/constellation/v2/internal/file"
+ "github.com/edgelesssys/constellation/v2/internal/kms/setup"
+ "github.com/edgelesssys/constellation/v2/internal/kms/uri"
 "github.com/spf13/afero"
 "github.com/spf13/cobra"
- "golang.org/x/crypto/hkdf"
 "golang.org/x/crypto/ssh"
 )
@@ -60,8 +62,17 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 return err
 }
 
- hkdf := hkdf.New(sha256.New, mastersecret.Key, mastersecret.Salt, []byte("ssh-ca"))
- _, priv, err := ed25519.GenerateKey(hkdf)
+ mastersecret_uri := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt}
+ kms, err := setup.KMS(cmd.Context(), uri.NoStoreURI, mastersecret_uri.EncodeToURI())
+ if err != nil {
+ return err
+ }
+ key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix, 256)
+ if err != nil {
+ return err
+ }
+
+ _, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
 if err != nil {
 return err
 }
diff --git a/keyservice/internal/server/BUILD.bazel b/keyservice/internal/server/BUILD.bazel
index 22110e200..38bc3afbb 100644
--- a/keyservice/internal/server/BUILD.bazel
+++ b/keyservice/internal/server/BUILD.bazel
@@ -15,6 +15,7 @@ go_library(
 "@org_golang_google_grpc//:grpc",
 "@org_golang_google_grpc//codes",
 "@org_golang_google_grpc//status",
+ "@org_golang_x_crypto//ssh",
 ],
 )
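Review bot: The SSH CA seed is now requested under the generic key ID `crypto.DEKPrefix`, whereas the removed HKDF call bound the derivation to this purpose with the info string "ssh-ca"; presumably any other caller that asks the same master secret for a DEK with that exact ID and length gets the same bytes, so the CA key loses its domain separation from other derived keys. A purpose-specific ID such as `key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+"ssh-ca", ed25519.SeedSize)` keeps that separation, provided the keyservice (which gains an x/crypto/ssh dependency in this diff but whose source is not shown) derives the CA with identical parameters. The literal 256 is also a magic number: ed25519.GenerateKey reads only ed25519.SeedSize (32) bytes from the reader, so if GetDEK's last argument is a byte length the rest of the material is silently discarded, and if it is a bit length a named constant should say so. `mastersecret_uri` is not Go naming; `masterSecretURI` matches the rest of the file. runSSH begins and continues outside the hunk.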