diff --git a/.drone.yml b/.drone.yml
index 870bc9d..9e1349e 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -40,7 +40,7 @@ steps:
 - cd ansible
 - mkdir $ANSIBLE_HOME
 - ansible-galaxy install -r requirements.yaml
- - summon ansible-playbook --private-key ../ssh_key --inventory=inventory.yaml runner-pre.yaml
+ - summon ansible-playbook --inventory=inventory.yaml runner-pre.yaml
 - name: Run Terraform
 image: registry.tobiasmanske.de/terraform-runner:latest
 pull: always
@@ -53,7 +53,7 @@ steps:
 pull: always
 commands:
 - cd ansible
- - summon ansible-playbook --private-key ../ssh_key --inventory=inventory.yaml playbook.yaml
+ - summon ansible-playbook --inventory=inventory.yaml playbook.yaml
 - name: Validate Ansible
 image: registry.tobiasmanske.de/ansible-runner:latest
 pull: always
@@ -63,7 +63,7 @@ steps:
 commands:
 - cd ansible
 - ansible-galaxy install -r requirements.yaml
- - summon ansible-playbook --check --private-key ../ssh_key --inventory=inventory.yaml playbook.yaml
+ - summon ansible-playbook --check --inventory=inventory.yaml playbook.yaml
 image_pull_secrets:
 - registry
diff --git a/ansible/inventory.yaml b/ansible/inventory.yaml
index 7f8137c..acc320d 100644
--- a/ansible/inventory.yaml
+++ b/ansible/inventory.yaml
@@ -27,6 +27,7 @@ all:
 service_base: "{{ playbook_dir }}/services"
 wg_keepalive: 30
 ansible_ssh_extra_args: "-o UserKnownHostsFile=./known_hosts"
+ ansible_ssh_private_key_file: "{{ lookup('ansible.builtin.env', 'SSH_KEY_' ~ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_')) }}"
 children:
 unprovisioned:
 hosts:
diff --git a/ansible/plays/common.yaml b/ansible/plays/common.yaml
index 4825adb..e179ecc 100644
--- a/ansible/plays/common.yaml
+++ b/ansible/plays/common.yaml
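Review bot: In the added `ansible_ssh_private_key_file` line, `mandatory` guards `inventory_hostname` (which is always defined) rather than the lookup result, so a host that is in the inventory but has no `SSH_KEY_<host>` entry in secrets.yml gets `''` from `ansible.builtin.env` and, in my reading, fails late with an opaque ssh identity-file error instead of at template time. Make the lookup itself fail when the variable is missing: `ansible_ssh_private_key_file: "{{ lookup('ansible.builtin.env', 'SSH_KEY_' ~ inventory_hostname | regex_replace('[^A-Za-z0-9]', '_'), default=undef()) }}"` (the `default=undef()` form needs a recent ansible-core; check the version pinned in the runner image). Because filters bind tighter than `~`, the `regex_replace` applies only to the hostname, which is the intended behaviour but non-obvious; a comment such as `# env var is SSH_KEY_<hostname with non-alphanumerics mapped to _>, exported by summon from secrets.yml` would spare the next reader the precedence puzzle.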
@@ -13,13 +13,23 @@
 owner: root
 group: root
 mode: '0755'
- - name: Deploy CI SSH-Key
+ - name: Obtain Machine Pubkey
+ delegate_to: localhost
+ become: false
+ changed_when: false
+ register: pubkey
+ community.crypto.openssl_publickey:
+ format: OpenSSH
+ path: "/tmp/{{ inventory_hostname }}.pub"
+ privatekey_path: "{{ ansible_ssh_private_key_file }}"
+ return_content: true
+ - name: Deploy Machine SSH-Key
 ansible.posix.authorized_key:
 user: "{{ ansible_user }}"
 state: present
 manage_dir: false
 path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
- key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/2H7n27J7/xFAyQpE7r29UxTP5jttLRe6RhAC/Ndam drone-deploy"
+ key: "{{ pubkey.publickey }} drone-machine-deploy"
 - name: Deploy Common SSH-Keys
 ansible.posix.authorized_key:
 user: "{{ ansible_user }}"
@@ -292,3 +302,5 @@
 - setup_wireguard
 - setup_vpn
 ansible.builtin.import_playbook: vpn.yaml
+
+# vim: ft=yaml.ansible
diff --git a/ansible/secrets.yml b/ansible/secrets.yml
index 6a537ca..944c90b 100644
--- a/ansible/secrets.yml
+++ b/ansible/secrets.yml
@@ -1,2 +1,6 @@
 ---
 ANSIBLE_VAULT_PASSWORD_FILE: !file:var ansible/vault
+SSH_KEY_thonkpad_ka_chaoswg_org: !var:file machine/thonkpad.ka.chaoswg.org/ssh_key
+SSH_KEY_host_nc_chaoswg_org: !var:file machine/host.nc.chaoswg.org/ssh_key
+SSH_KEY_mon1_hel1_chaoswg_org: !var:file machine/mon1.hel1.chaoswg.org/ssh_key
+SSH_KEY_infra_unruhig_eu: !var:file machine/infra.unruhig.eu/ssh_key
diff --git a/ansible/tasks/create_ssh_keys.yaml b/ansible/tasks/create_ssh_keys.yaml
new file mode 100644
index 0000000..d8d8187
--- /dev/null
+++ b/ansible/tasks/create_ssh_keys.yaml
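Review bot: Swapping the `key:` value in `Deploy Machine SSH-Key` does not revoke the old shared CI key: `ansible.posix.authorized_key` with `state: present` only adds, so the previously deployed `ssh-ed25519 AAAAC3…Ndam drone-deploy` line stays authorized in `/etc/ssh/authorized_keys/{{ ansible_user }}` on every already-provisioned host unless a later task manages that file exclusively (the following `Deploy Common SSH-Keys` task is cut off by the hunk, so I cannot tell). Add an explicit `state: absent` task for the old key, or `exclusive: true` on whichever task owns the file, so the move to per-machine keys actually takes effect. `Obtain Machine Pubkey` also writes to the fixed controller path `/tmp/{{ inventory_hostname }}.pub`; only a public key lands there, but a per-run `ansible.builtin.tempfile` directory avoids clobbering or racing a pre-existing file in a shared `/tmp`. Since the `Validate Ansible` step runs this play with `--check`, confirm that `openssl_publickey` still populates `pubkey.publickey` in check mode when the `.pub` file does not exist yet, otherwise the next task's template is undefined there.
```yaml
    - name: Deploy Machine SSH-Key
      # … unchanged: authorized_key with the per-machine pubkey …
    - name: Revoke shared CI SSH-Key
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
        state: absent
        manage_dir: false
        path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/2H7n27J7/xFAyQpE7r29UxTP5jttLRe6RhAC/Ndam drone-deploy"
```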
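Review bot: The added `SSH_KEY_*` names are the hostname with every non-alphanumeric character mapped to `_`, so two inventory hosts whose names differ only in punctuation (say `a-b.example` and `a.b.example`) produce the same key; YAML parsers take the last duplicate silently, and the first host would then be handed the other machine's private key. Nothing in this file guards against that; a comment above the entries, `# SSH_KEY_<hostname, [^A-Za-z0-9] -> _>; names must stay unique across the inventory`, plus yamllint's `key-duplicates` check in CI would catch a collision when a host is added. The new lines spell the tag `!var:file` while the pre-existing line uses `!file:var`; I believe summon treats both the same, but one spelling is easier to audit.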
@@ -0,0 +1,25 @@
+# Onboarding: This playbook generates per-device ssh keys and places them in passage for later use.
+---
+- name: Generate SSH Keys
+ hosts: all
+ tasks:
+ - name: Check for ssh key present
+ shell: "passage machine/{{ inventory_hostname }}/ssh_key"
+ delegate_to: localhost
+ register: ssh_key
+ failed_when: false
+ changed_when: false
+ - name: Generate ssh_key
+ shell: "openssl genpkey -algorithm ed25519 | passage insert --multiline machine/{{ inventory_hostname }}/ssh_key"
+ delegate_to: localhost
+ when: ssh_key.rc != 0
+ register: new_ssh_key
+ - name: Add entry to secrets.yml
+ delegate_to: localhost
+ lineinfile:
+ state: present
+ path: ../secrets.yml
+ regexp: "^SSH_KEY_{{ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_') }}:"
+ line: "SSH_KEY_{{ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_') }}: !var:file machine/{{ inventory_hostname }}/ssh_key"
+
+# vim: ft=yaml.ansible
diff --git a/ansible/regenerate-known-hosts.yaml b/ansible/tasks/regenerate-known-hosts.yaml
similarity index 69%
rename from ansible/regenerate-known-hosts.yaml
rename to ansible/tasks/regenerate-known-hosts.yaml
index 5c0d806..0527573 100644
--- a/ansible/regenerate-known-hosts.yaml
+++ b/ansible/tasks/regenerate-known-hosts.yaml
@@ -4,6 +4,6 @@
 gather_facts: true
 tasks:
 - name: Run Keyscan
- shell: "ssh-keyscan {{ groups['all'] | map('extract', hostvars, 'inventory_hostname') | list | join(' ') }} | sort >| known_hosts"
+ shell: "ssh-keyscan {{ groups['all'] | map('extract', hostvars, 'inventory_hostname') | list | join(' ') }} | sort >| ../known_hosts"
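Review bot: `Generate SSH Keys` targets `hosts: all` with default fact gathering, so Ansible tries to SSH into every target before any of the delegated tasks run, yet this onboarding play exists precisely because those hosts have no key yet; it will fail on the first unprovisioned host, so set `gather_facts: false` (every task is `delegate_to: localhost`). Two more points in the same tasks: `Check for ssh key present` runs `passage machine/…/ssh_key`, which, if it behaves like `pass show`, prints the private key to stdout and stores it in the registered `ssh_key` result (visible under `-v` and in callback output), so it needs `no_log: true` or a check that does not print the secret; and `openssl genpkey … | passage insert …` returns only `passage`'s exit status, so a failing `openssl` stores an empty secret as a success unless the shell runs with `pipefail`. `path: ../secrets.yml` in `lineinfile` resolves against the process cwd, so it only works when invoked from `ansible/tasks/`; `{{ playbook_dir }}/../secrets.yml` works from anywhere.
```yaml
- name: Generate SSH Keys
  hosts: all
  gather_facts: false  # all tasks are delegated; targets are unreachable until their key exists
  tasks:
    - name: Check for ssh key present
      shell: "passage machine/{{ inventory_hostname }}/ssh_key"
      no_log: true  # stdout is the private key; keep it out of registered results and -v output
      # … unchanged: delegate_to / register / failed_when / changed_when …
    - name: Generate ssh_key
      shell: "set -o pipefail; openssl genpkey -algorithm ed25519 | passage insert --multiline machine/{{ inventory_hostname }}/ssh_key"
      args:
        executable: /bin/bash
      # … unchanged: delegate_to / when / register …
    - name: Add entry to secrets.yml
      # … unchanged: delegate_to / lineinfile state, regexp, line …
        path: "{{ playbook_dir }}/../secrets.yml"
```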