diff --git a/.gitea/workflows/kubeadm-bootstrap.yml b/.gitea/workflows/kubeadm-bootstrap.yml
index 55ed3c3..82f3623 100644
--- a/.gitea/workflows/kubeadm-bootstrap.yml
+++ b/.gitea/workflows/kubeadm-bootstrap.yml
@@ -32,19 +32,35 @@ jobs: - name: Create SSH key run: | install -m 0700 -d ~/.ssh - KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")" - if [ -z "$KEY_CONTENT" ]; then - KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")" + KEY_SOURCE="" + KEY_CONTENT="" + KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")" + if [ -n "$KEY_B64" ]; then + KEY_SOURCE="SSH_KEY_PRIVATE_BASE64" + KEY_CONTENT="$(printf '%s' "$KEY_B64" | base64 -d)" + else + KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")" + if [ -n "$KEY_CONTENT" ]; then + KEY_SOURCE="SSH_KEY_PRIVATE" + else + KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")" + KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY" + fi fi if [ -z "$KEY_CONTENT" ]; then - echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE." + echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY." exit 1 fi - KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' + KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", "").strip(); key=key[1:-1] if len(key) > 2 and ((key[0] == "\"" and key[-1] == "\"") or (key[0] == "\'" and key[-1] == "\'")) else key; key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' chmod 0600 ~/.ssh/id_ed25519 + if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then + echo "Invalid private key content from $KEY_SOURCE" + exit 1 + fi + - name: Set up Terraform uses: hashicorp/setup-terraform@v2 with: 
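Review bot: The three `${{ secrets.* }}` references inside `run:` are expanded into the script text before the shell executes it, so a secret value that happens to contain a double quote, `$(` or a backtick is interpreted by the shell instead of being stored as key material, and the new SSH_KEY_PRIVATE_BASE64 lookup adds a third such site. Passing the secrets through a step-level `env:` block and reading them as `$SSH_KEY_PRIVATE_BASE64` and so on keeps them out of the script body and is the usual Actions pattern for this. The `base64 -d` exit status is also never checked, so an undecodable value either collapses into the misleading "Missing SSH private key secret" message (when the decoder emits nothing) or is only caught later by the ssh-keygen check under the wrong label; testing the assignment's status gives a precise error. The same applies to the identical hunks in kubeadm-reset.yml and terraform-apply.yml.
```yaml
      - name: Create SSH key
        env:
          SSH_KEY_PRIVATE_BASE64: ${{ secrets.SSH_KEY_PRIVATE_BASE64 }}
          SSH_KEY_PRIVATE: ${{ secrets.SSH_KEY_PRIVATE }}
          KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
        run: |
          install -m 0700 -d ~/.ssh
          KEY_SOURCE=""
          KEY_CONTENT=""
          if [ -n "$SSH_KEY_PRIVATE_BASE64" ]; then
            KEY_SOURCE="SSH_KEY_PRIVATE_BASE64"
            if ! KEY_CONTENT="$(printf '%s' "$SSH_KEY_PRIVATE_BASE64" | base64 -d)"; then
              echo "SSH_KEY_PRIVATE_BASE64 is not valid base64"
              exit 1
            fi
          else
            KEY_CONTENT="$SSH_KEY_PRIVATE"
            if [ -n "$KEY_CONTENT" ]; then
              KEY_SOURCE="SSH_KEY_PRIVATE"
            else
              KEY_CONTENT="$KUBEADM_SSH_PRIVATE_KEY"
              KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY"
            fi
          fi
          # … unchanged: empty-key check, python3 normalisation, chmod, ssh-keygen validation …
```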
diff --git a/.gitea/workflows/kubeadm-reset.yml b/.gitea/workflows/kubeadm-reset.yml
index d11d369..6d13946 100644
--- a/.gitea/workflows/kubeadm-reset.yml
+++ b/.gitea/workflows/kubeadm-reset.yml
@@ -32,19 +32,35 @@ jobs: - name: Create SSH key run: | install -m 0700 -d ~/.ssh - KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")" - if [ -z "$KEY_CONTENT" ]; then - KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")" + KEY_SOURCE="" + KEY_CONTENT="" + KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")" + if [ -n "$KEY_B64" ]; then + KEY_SOURCE="SSH_KEY_PRIVATE_BASE64" + KEY_CONTENT="$(printf '%s' "$KEY_B64" | base64 -d)" + else + KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")" + if [ -n "$KEY_CONTENT" ]; then + KEY_SOURCE="SSH_KEY_PRIVATE" + else + KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")" + KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY" + fi fi if [ -z "$KEY_CONTENT" ]; then - echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE." + echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY." exit 1 fi - KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' + KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", "").strip(); key=key[1:-1] if len(key) > 2 and ((key[0] == "\"" and key[-1] == "\"") or (key[0] == "\'" and key[-1] == "\'")) else key; key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' chmod 0600 ~/.ssh/id_ed25519 + if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then + echo "Invalid private key content from $KEY_SOURCE" + exit 1 + fi + - name: Set up Terraform uses: hashicorp/setup-terraform@v2 with: 
diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index b396e3b..6050a68 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -75,19 +75,35 @@ jobs: - name: Create SSH key run: | install -m 0700 -d ~/.ssh - KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")" - if [ -z "$KEY_CONTENT" ]; then - KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")" + KEY_SOURCE="" + KEY_CONTENT="" + KEY_B64="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE_BASE64 }}")" + if [ -n "$KEY_B64" ]; then + KEY_SOURCE="SSH_KEY_PRIVATE_BASE64" + KEY_CONTENT="$(printf '%s' "$KEY_B64" | base64 -d)" + else + KEY_CONTENT="$(printf '%s' "${{ secrets.SSH_KEY_PRIVATE }}")" + if [ -n "$KEY_CONTENT" ]; then + KEY_SOURCE="SSH_KEY_PRIVATE" + else + KEY_CONTENT="$(printf '%s' "${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}")" + KEY_SOURCE="KUBEADM_SSH_PRIVATE_KEY" + fi fi if [ -z "$KEY_CONTENT" ]; then - echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE." + echo "Missing SSH private key secret. Set SSH_KEY_PRIVATE_BASE64, SSH_KEY_PRIVATE, or KUBEADM_SSH_PRIVATE_KEY." exit 1 fi - KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", ""); key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' + KEY_CONTENT="$KEY_CONTENT" python3 -c 'import os, pathlib; key=os.environ.get("KEY_CONTENT", "").replace("\r", "").strip(); key=key[1:-1] if len(key) > 2 and ((key[0] == "\"" and key[-1] == "\"") or (key[0] == "\'" and key[-1] == "\'")) else key; key=key.replace("\\n", "\n") if "\\n" in key and "\n" not in key else key; pathlib.Path.home().joinpath(".ssh", "id_ed25519").write_text(key if key.endswith("\n") else key + "\n")' chmod 0600 ~/.ssh/id_ed25519 + if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>&1; then + echo "Invalid private key content from $KEY_SOURCE" + exit 1 + fi + - name: Verify SSH keypair match run: | if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/tmp/key.pub 2>/tmp/key.err; then
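Review bot: The ssh-keygen validation added to the "Create SSH key" step in this file discards the tool's diagnostics with `>/dev/null 2>&1`, while the "Verify SSH keypair match" step that follows (its body runs past the end of the hunk) runs the same `ssh-keygen -y -f ~/.ssh/id_ed25519` and keeps stderr in /tmp/key.err. If the early check is kept, surfacing the reason makes a failure actionable without printing key material: `if ! ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null 2>/tmp/key-check.err; then` followed by `cat /tmp/key-check.err` before the existing echo. Otherwise the check appears to be redundant in this file, since the next step seems to fail on the same condition, and dropping it here would keep the three workflows from diverging.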