diff --git a/bootstrapper/internal/initserver/initserver.go b/bootstrapper/internal/initserver/initserver.go
index ff5406f1a..fad54abda 100644
--- a/bootstrapper/internal/initserver/initserver.go
+++ b/bootstrapper/internal/initserver/initserver.go
@@ -20,6 +20,7 @@ package initserver
 import (
 "bufio"
 "context"
+ "crypto/ed25519"
 "errors"
 "fmt"
 "io"
@@ -225,7 +226,7 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
 }
 // Derive the emergency ssh CA key
- key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, 256)
+ key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
 if err != nil {
 if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "retrieving DEK for key derivation: %s", err)); e != nil {
 err = errors.Join(err, e)
diff --git a/cli/internal/cmd/ssh.go b/cli/internal/cmd/ssh.go
index 4bfb6eae8..c9c78bd0a 100644
--- a/cli/internal/cmd/ssh.go
+++ b/cli/internal/cmd/ssh.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 package cmd
 import (
+ "crypto/ed25519"
 "crypto/rand"
 "fmt"
 "os"
@@ -70,7 +71,7 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 if err != nil {
 return fmt.Errorf("setting up KMS: %s", err)
 }
- key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, 256)
+ key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
 if err != nil {
 return fmt.Errorf("retrieving key from KMS: %s", err)
 }
diff --git a/internal/crypto/crypto_test.go b/internal/crypto/crypto_test.go
index 674ec4c84..0c6ccad1a 100644
--- a/internal/crypto/crypto_test.go
+++ b/internal/crypto/crypto_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 package crypto
 import (
+ "crypto/ed25519"
 "crypto/x509"
 "testing"
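Review bot: The DEK length passed to GetDEK is now a bare `ed25519.SeedSize` here in Init and again in the runSSH hunk of cli/internal/cmd/ssh.go, with nothing at either call site tying the value to what GenerateEmergencySSHCAKey (exercised by the new test in internal/crypto/crypto_test.go) requires, so the two callers can drift apart again just as they both drifted to 256 before. Consider a named constant next to constants.SSHCAKeySuffix that both callers pass, documented as `// DEK length requested for the emergency SSH CA; must equal ed25519.SeedSize because the DEK is consumed directly as the ed25519 seed.`, or at minimum extend the comment in this hunk to `// Derive the emergency ssh CA key; the DEK is used as an ed25519 seed, so request exactly ed25519.SeedSize bytes`. If the KMS derives DEKs with a KDF whose 32-byte output is a prefix of its 256-byte output, existing clusters keep the same CA key; if it does not, this change silently rotates the emergency SSH CA for already-initialized clusters, and that consequence belongs in the commit message. The enclosing Init method starts and continues outside this hunk.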
@@ -121,6 +122,39 @@ func TestGenerateRandomBytes(t *testing.T) {
 assert.Len(n3, 16)
 }
+func TestGenerateEmergencySSHCAKey(t *testing.T) {
+ nullKey := make([]byte, ed25519.SeedSize)
+ for i := range nullKey {
+ nullKey[i] = 0x0
+ }
+
+ testCases := map[string]struct {
+ key []byte
+ wantErr bool
+ }{
+ "invalid key": {
+ key: make([]byte, 0),
+ wantErr: true,
+ },
+ "valid key": {
+ key: nullKey,
+ },
+ }
+
+ for name, tc := range testCases {
+ t.Run(name, func(t *testing.T) {
+ assert := assert.New(t)
+
+ _, err := GenerateEmergencySSHCAKey(tc.key)
+ if tc.wantErr {
+ assert.NotNil(err)
+ } else {
+ assert.Nil(err)
+ }
+ })
+ }
+}
+
 func TestPemToX509Cert(t *testing.T) {
 testCases := map[string]struct {
 pemCert []byte
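Review bot: The only rejected input TestGenerateEmergencySSHCAKey exercises is an empty slice, so the length mismatch the other hunks correct (callers previously requested a 256-byte DEK, now `ed25519.SeedSize`) is not pinned by any test case. Add a seed one byte short and the old 256-byte length; whatever GenerateEmergencySSHCAKey does with an over-long input should be asserted rather than left implicit, and the valid case should check something about the returned value instead of discarding it with `_` (its type is not visible in this hunk, so the exact assertion is left to you). The zeroing loop over nullKey is redundant because make already yields zeroed bytes, so `nullKey := make([]byte, ed25519.SeedSize)` on its own is enough, or the table can build the seed inline as below.
```go
	testCases := map[string]struct {
		key     []byte
		wantErr bool
	}{
		"empty key": {
			key:     make([]byte, 0),
			wantErr: true,
		},
		"key one byte short": {
			key:     make([]byte, ed25519.SeedSize-1),
			wantErr: true,
		},
		"previous 256-byte DEK length": {
			key:     make([]byte, 256),
			wantErr: true, // TODO confirm: holds only if over-long seeds are rejected rather than truncated
		},
		"valid key": {
			key: make([]byte, ed25519.SeedSize),
		},
	}
	// … unchanged: t.Run loop …
```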