diff --git a/cli/internal/cmd/ssh.go b/cli/internal/cmd/ssh.go
index d0e35818e..54727b25b 100644
--- a/cli/internal/cmd/ssh.go
+++ b/cli/internal/cmd/ssh.go
@@ -72,7 +72,7 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 	if err != nil {
 		return fmt.Errorf("Failed to set up key management service: %s", err)
 	}
-	key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix, 256)
+	key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, 256)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve key from key management service: %s", err)
 	}
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index c313b74a6..172411630 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -42,6 +42,8 @@ const (
 	DefaultWorkerGroupName = "worker_default"
 	// CLIDebugLogFile is the name of the debug log file for constellation init/constellation apply.
 	CLIDebugLogFile = "constellation-debug.log"
+	// SSHCAKeySuffix is the suffix used together with the DEKPrefix to derive an SSH CA key for emergency ssh access.
+	SSHCAKeySuffix = "ca_emergency_ssh"
 
 	//
 	// Ports.