diff --git a/.gitea/workflows/kubeadm-bootstrap.yml b/.gitea/workflows/kubeadm-bootstrap.yml
index 5a6044c..bd44515 100644
--- a/.gitea/workflows/kubeadm-bootstrap.yml
+++ b/.gitea/workflows/kubeadm-bootstrap.yml
@@ -32,9 +32,9 @@ jobs:
       - name: Create SSH key
         run: |
           install -m 0700 -d ~/.ssh
-          KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
+          KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
           if [ -z "$KEY_CONTENT" ]; then
-            KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
+            KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
           fi
           if [ -z "$KEY_CONTENT" ]; then
diff --git a/.gitea/workflows/kubeadm-reset.yml b/.gitea/workflows/kubeadm-reset.yml
index 6b55894..61676f5 100644
--- a/.gitea/workflows/kubeadm-reset.yml
+++ b/.gitea/workflows/kubeadm-reset.yml
@@ -32,9 +32,9 @@ jobs:
       - name: Create SSH key
         run: |
           install -m 0700 -d ~/.ssh
-          KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
+          KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
           if [ -z "$KEY_CONTENT" ]; then
-            KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
+            KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
           fi
           if [ -z "$KEY_CONTENT" ]; then
diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index a2987b3..081f761 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -75,9 +75,9 @@ jobs:
       - name: Create SSH key
         run: |
           install -m 0700 -d ~/.ssh
-          KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
+          KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
           if [ -z "$KEY_CONTENT" ]; then
-            KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")"
+            KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")"
           fi
           if [ -z "$KEY_CONTENT" ]; then
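Review bot: Both `KEY_CONTENT=` lines in this hunk still splice the secret into the shell script text through template expansion (`"${{ secrets.SSH_KEY_PRIVATE }}"` inside double quotes), so any `"`, `$` or backtick in a secret value would be interpreted by the shell, and the `printf '%s'` wrapper adds nothing since the value is already a literal by the time the shell runs. The conventional fix is to pass both secrets through the step's `env:` block (`SSH_KEY_PRIVATE: ${{ secrets.SSH_KEY_PRIVATE }}` and `KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}`) and let the shell do the fallback itself: `KEY_CONTENT="${SSH_KEY_PRIVATE:-$KUBEADM_SSH_PRIVATE_KEY}"`, which replaces both assignments and the surrounding `if`/`fi`. The same pattern appears in the kubeadm-reset.yml and terraform-apply.yml hunks of this commit and should be changed together so the three "Create SSH key" steps stay identical. The `run:` block continues past the end of the hunk, so the final `if [ -z "$KEY_CONTENT" ]` branch is not visible here.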
@@ -88,6 +88,19 @@ jobs:
           printf '%s\n' "$KEY_CONTENT" | tr -d '\r' > ~/.ssh/id_ed25519
           chmod 0600 ~/.ssh/id_ed25519
+      - name: Verify SSH keypair match
+        run: |
+          PRIV_FP="$(ssh-keygen -y -f ~/.ssh/id_ed25519 | ssh-keygen -lf - | awk '{print $2}')"
+          PUB_FP="$(printf '%s\n' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r' | ssh-keygen -lf - | awk '{print $2}')"
+
+          echo "private fingerprint: $PRIV_FP"
+          echo "public fingerprint: $PUB_FP"
+
+          if [ "$PRIV_FP" != "$PUB_FP" ]; then
+            echo "SSH_KEY_PRIVATE does not match SSH_KEY_PUBLIC. Update secrets with the same keypair."
+            exit 1
+          fi
+
       - name: Create kubeadm inventory from Terraform outputs
         env:
           KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
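Review bot: The mismatch branch treats an empty fingerprint as a mismatch, so when `SSH_KEY_PUBLIC` is unset (or `ssh-keygen` rejects either input and the pipeline yields an empty string, since no `pipefail` is in effect) the job fails with "SSH_KEY_PRIVATE does not match SSH_KEY_PUBLIC", which points the operator at the wrong secret. Add an explicit guard before the comparison: `if [ -z "$PRIV_FP" ] || [ -z "$PUB_FP" ]; then echo "could not compute a fingerprint; is SSH_KEY_PUBLIC set and a valid public key?"; exit 1; fi`. The message is also misleading when `~/.ssh/id_ed25519` was populated from the `KUBEADM_SSH_PRIVATE_KEY` fallback in the earlier hunk of this file, since the step has no way to know which secret was used; consider recording the chosen secret name in the earlier step and naming it here. This verification step is only added to terraform-apply.yml, while kubeadm-bootstrap.yml and kubeadm-reset.yml write the same key in this commit without it — if that is intentional, a one-line comment on the step saying why would help the next reader.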