diff --git a/modules/initrd-ssh.nix b/modules/initrd-ssh.nix
index 4b38c2b..afda98b 100644
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@@ -9,10 +9,10 @@
 ssh = {
 enable = lib.mkDefault config.boot.initrd.network.enable;
 port = 2222;
- # ssh-keygen -t ed25519 -N "" -f initrd-ssh-host-key -C HOSTNAME
- # pass insert -m nixos/machines/HOSTNAME/initrd-ssh-host-key < initrd-ssh-host-key
+ # ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key_initrd -C HOSTNAME
+ # scp ssh_host_ed25519_key_initrd root@machine:/etc/ssh/
 hostKeys = [
- (toString + "/initrd-ssh-host-key")
+ "/etc/ssh/ssh_host_ed25519_key_initrd"
 ];
 };
 };
diff --git a/shell.nix b/shell.nix
index dfa1286..74be3ff 100644
--- a/shell.nix
+++ b/shell.nix
@@ -37,8 +37,6 @@ let
 # opening luks fails if gpg-agent is not unlocked yet
 pass "devices/$machine/luks" >/dev/null
 ssh \
- -oStrictHostKeyChecking=no \
- -oGlobalKnownHostsFile=<(echo "[$hostname]:2222 ssh-ed25519 $(ssh-keygen -l -f <(ssh-keygen -y -f<(pass "nixos/machines/$machine/initrd-ssh-host-key")) | cut -d' ' -f2)") \
 -4 \
 -p 2222 \
 "root@$hostname" \
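Review bot: The setup comment above `hostKeys` has the private key generated on the admin workstation and then copied with `scp`, which leaves an unencrypted copy (`-N ""`) on the workstation now that it no longer goes into `pass`. Generating it in place avoids that: run `ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key_initrd -C HOSTNAME` on the target, so that only the `.pub` file ever leaves the machine. I would also add a comment that this key must stay distinct from the regular `ssh_host_ed25519_key`, since as far as I know NixOS copies `hostKeys` files into the initrd, and that the file has to exist before the system is rebuilt. The enclosing module block starts and ends outside the hunk.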
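Review bot: With both host-key options gone from the `ssh` call in shell.nix, verification of the initrd sshd on port 2222 falls back to the caller's own known_hosts, so the first connection to each machine is trust-on-first-use. Judging by the `pass "devices/$machine/luks"` line just above, that session is the one used to unlock LUKS, although the rest of the command lies outside the hunk. The public half of the initrd key is not secret, so it could be committed and pinned with `-oStrictHostKeyChecking=yes \` and `-oUserKnownHostsFile=./known_hosts_initrd \` (file name is a placeholder), holding lines of the form `[HOST]:2222 ssh-ed25519 <base64 public key>`. At minimum, `-oStrictHostKeyChecking=yes` makes an unknown key fail instead of prompting.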