diff --git a/bootstrapper/internal/joinclient/BUILD.bazel b/bootstrapper/internal/joinclient/BUILD.bazel
index 68fbc4bcb..048df72ac 100644
--- a/bootstrapper/internal/joinclient/BUILD.bazel
+++ b/bootstrapper/internal/joinclient/BUILD.bazel
@@ -11,7 +11,6 @@ go_library(
         "//internal/attestation",
         "//internal/cloud/metadata",
         "//internal/constants",
-        "//internal/crypto",
         "//internal/file",
         "//internal/nodestate",
         "//internal/role",
@@ -22,7 +21,6 @@ go_library(
         "@io_k8s_kubernetes//cmd/kubeadm/app/constants",
         "@io_k8s_utils//clock",
         "@org_golang_google_grpc//:grpc",
-        "@org_golang_x_crypto//ssh",
     ],
 )
 
diff --git a/bootstrapper/internal/joinclient/joinclient.go b/bootstrapper/internal/joinclient/joinclient.go
index fbeb90f6e..7c81f1c23 100644
--- a/bootstrapper/internal/joinclient/joinclient.go
+++ b/bootstrapper/internal/joinclient/joinclient.go
@@ -31,14 +31,12 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/attestation"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/metadata"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
-	"github.com/edgelesssys/constellation/v2/internal/crypto"
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/nodestate"
 	"github.com/edgelesssys/constellation/v2/internal/role"
 	"github.com/edgelesssys/constellation/v2/internal/versions/components"
 	"github.com/edgelesssys/constellation/v2/joinservice/joinproto"
 	"github.com/spf13/afero"
-	"golang.org/x/crypto/ssh"
 	"google.golang.org/grpc"
 	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
 	kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
@@ -273,12 +271,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
 		return fmt.Errorf("writing kubelet key: %w", err)
 	}
 
-	ca, err := crypto.GenerateEmergencySSHCAKey(ticket.EmergencyCaKey)
-	if err != nil {
-		return fmt.Errorf("generating emergency SSH CA key: %s", err)
-	}
-
-	if err := c.fileHandler.Write(constants.SSHCAKeyPath, ssh.MarshalAuthorizedKey(ca.PublicKey()), file.OptMkdirAll); err != nil {
+	if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.EmergencyCaKey, file.OptMkdirAll); err != nil {
 		return fmt.Errorf("writing ca key: %w", err)
 	}
 
diff --git a/joinservice/internal/server/BUILD.bazel b/joinservice/internal/server/BUILD.bazel
index 7e29a733c..68bff2182 100644
--- a/joinservice/internal/server/BUILD.bazel
+++ b/joinservice/internal/server/BUILD.bazel
@@ -19,6 +19,7 @@ go_library(
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//credentials",
         "@org_golang_google_grpc//status",
+        "@org_golang_x_crypto//ssh",
     ],
 )
 
diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go
index 7f8afc85d..5b0a45b9b 100644
--- a/joinservice/internal/server/server.go
+++ b/joinservice/internal/server/server.go
@@ -9,6 +9,7 @@ package server
 
 import (
 	"context"
+	"crypto/ed25519"
 	"fmt"
 	"log/slog"
 	"net"
@@ -21,6 +22,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/versions/components"
 	"github.com/edgelesssys/constellation/v2/joinservice/joinproto"
+	"golang.org/x/crypto/ssh"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
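Review bot: The node now persists `ticket.EmergencyCaKey` to `constants.SSHCAKeyPath` exactly as received, with no check that the bytes are a well-formed authorized-keys entry, so an empty or malformed value from the join service is written silently and only surfaces at the first emergency SSH login. Parsing before the write keeps that failure at the join step: `if _, _, _, _, err := ssh.ParseAuthorizedKey(ticket.EmergencyCaKey); err != nil { return fmt.Errorf("parsing emergency SSH CA key from join ticket: %w", err) }`, which means keeping the `golang.org/x/crypto/ssh` import and the `@org_golang_x_crypto//ssh` Bazel dep this commit removes from the package. Keeping the derivation on the join service side is the right direction, since the node no longer receives the material the CA private key is derived from. startNodeAndJoin starts and ends outside the hunk.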
@@ -101,11 +103,16 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 	}
 
 	log.Info("Requesting emergency SSH CA derivation key")
-	sshCAKey, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, 256)
+	ssheCADerivationKey, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
 	if err != nil {
 		log.With(slog.Any("error", err)).Error("Failed to get emergency SSH CA derivation key")
 		return nil, status.Errorf(codes.Internal, "getting emergency SSH CA derivation key: %s", err)
 	}
+	ca, err := crypto.GenerateEmergencySSHCAKey(ssheCADerivationKey)
+	if err != nil {
+		log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from derivation key")
+		return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err)
+	}
 
 	log.Info("Creating Kubernetes join token")
 	kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL)
@@ -174,7 +181,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 		KubeletCert:          kubeletCert,
 		ControlPlaneFiles:    controlPlaneFiles,
 		KubernetesComponents: components,
-		EmergencyCaKey:       sshCAKey,
+		EmergencyCaKey:       ssh.MarshalAuthorizedKey(ca.PublicKey()),
 	}, nil
 }
 
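Review bot: `ssheCADerivationKey` in the new GetDataKey line reads like a typo for `sshCADerivationKey` (stray `e` after `ssh`), and since the same identifier is repeated in the new GenerateEmergencySSHCAKey call it is worth renaming before it spreads. The requested length also drops from 256 to `ed25519.SeedSize`, which presumably changes the bytes fed into the derivation and therefore the resulting CA key pair; anything else that derives the emergency CA from the `constants.SSHCAKeySuffix` data key (a CLI that signs user certificates, for instance) would have to request the same length or its public key would no longer match what nodes install, which is worth confirming and pinning with a comment such as `// Length must match every other deriver of the emergency SSH CA.` The new log and error strings write `ssh` in lowercase while the surrounding messages in this function use `SSH`; `"Failed to derive SSH CA key from derivation key"` and `"generating emergency SSH CA key: %s"` would be consistent. IssueJoinTicket starts and ends outside the hunk.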
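Review bot: `EmergencyCaKey` keeps its proto field name and type but now carries the OpenSSH authorized-keys form of the CA public key instead of the raw derivation secret, so a bootstrapper and join service built on opposite sides of this commit still exchange a ticket that decodes fine and simply misinterpret the field. If the two can run at different versions during an upgrade, the worse direction is an older join service talking to a newer node, which would write the derivation secret to the CA public-key path unmodified; a new field (or a distinctly named one such as `EmergencySshCaPublicKey`) makes the mismatch fail loudly instead. At minimum the field's comment in `joinproto` should say what it now holds, e.g. `// Emergency SSH CA public key, marshalled in OpenSSH authorized_keys format.` The enclosing IssueJoinTicket return statement ends inside the hunk, but the function begins outside it.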