diff --git a/client_software/0060_ssh_key/README.md b/client_software/0060_ssh_key/README.md
index a7c2708..16fb9f3 100644
--- a/client_software/0060_ssh_key/README.md
+++ b/client_software/0060_ssh_key/README.md
@@ -8,7 +8,11 @@ Run as the logged-in user via `client_software/user_run.sh` (needs the
 `DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
 
 Behavior:
-- If `~/.ssh/id_ed25519` already exists locally, it's left untouched.
+- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
+  gocryptfs-encrypted data dir) on first run: any existing content is moved
+  there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
+  the symlink and skip this step.
+- If `~/.ssh/id_ed25519` already exists, it's left untouched.
 - Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
   - found → key is fetched, permissions fixed to `0600`, public key derived.
   - not found → a new vault is created, a new key pair is generated, and the
diff --git a/client_software/0060_ssh_key/user_run.sh b/client_software/0060_ssh_key/user_run.sh
index 47749da..3cc1a21 100755
--- a/client_software/0060_ssh_key/user_run.sh
+++ b/client_software/0060_ssh_key/user_run.sh
@@ -11,15 +11,37 @@ if [ "${DAVTOKEN_USER}." == "." ]; then
   exit 1
 fi
 
-KEYFILE="${HOME}/.ssh/id_ed25519"
+SSHDIR="${HOME}/.ssh"
+SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
+KEYFILE="${SSHDIR}/id_ed25519"
 SSHVAULTNAME="SSH_PRIV_KEY"
+
+#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
+if [ ! -L "${SSHDIR}" ]; then
+  mkdir -p "${SSHDIR_REAL}"
+  chmod 0700 "${SSHDIR_REAL}"
+  if [ -d "${SSHDIR}" ]; then
+    echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
+    cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"
+    if [ $? -ne 0 ]; then
+      echo "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
+      exit 1
+    fi
+    rm -rf "${SSHDIR}"
+  fi
+  ln -s "${SSHDIR_REAL}" "${SSHDIR}"
+  if [ $? -ne 0 ]; then
+    echo "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
+    exit 1
+  fi
+fi
+
 if [ ${IPAVAULTUSE} = "false" ]; then
   echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
 else
   if [ -f ${KEYFILE} ]; then
     echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
   else
-    mkdir -p "${HOME}/.ssh"
     echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
     ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
     if [ $? -ne 0 ]; then
@@ -29,7 +51,7 @@ else
         echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
         exit 1
       else
-        ssh-keygen -t ed25519 -C "$(whoami)" -f ${KEYFILE}
+        ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f ${KEYFILE}
         if [ $? -ne 0 ]; then
           echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
           exit 1
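Review bot: `DECRYPTEDDATADIR` is used to build `SSHDIR_REAL` without the emptiness check the script applies to `DAVTOKEN_USER` just above, and the `mkdir -p` / `chmod 0700` results are never tested, so when the variable is empty or the data directory is not writable the code still reaches `ln -s "${SSHDIR_REAL}" "${SSHDIR}"` and leaves `~/.ssh` as a symlink to `/ssh_keys` or to a directory that does not exist. On a machine where `~/.ssh` was absent the `cp -a` error path never runs, so nothing stops the dangling symlink from being created, and every later run is skipped by the `! -L` test. Presumably `DECRYPTEDDATADIR` is exported by the same preparation step as `DAVTOKEN_USER`, but that is outside this hunk. Suggest guarding the variable in the existing style and aborting when the target directory cannot be prepared, as sketched below; the `ipa` handling after the relocation block continues outside the hunk.
```shell
SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
# Refuse to run without DECRYPTEDDATADIR (same check as for DAVTOKEN_USER above);
# otherwise SSHDIR_REAL would resolve to /ssh_keys and ~/.ssh would be linked there.
if [ "${DECRYPTEDDATADIR}." == "." ]; then
  echo "DECRYPTEDDATADIR is not set, cannot relocate ${SSHDIR}. Aborting, please check."
  exit 1
fi
# … unchanged: KEYFILE and SSHVAULTNAME assignments …
if [ ! -L "${SSHDIR}" ]; then
  # Do not create the symlink if the target could not be created or secured.
  mkdir -p "${SSHDIR_REAL}" && chmod 0700 "${SSHDIR_REAL}"
  if [ $? -ne 0 ]; then
    echo "Error preparing ${SSHDIR_REAL}. Aborting, please check."
    exit 1
  fi
  # … unchanged: migration of existing ${SSHDIR} contents and symlink creation …
```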
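Review bot: The `-N ""` added to the `ssh-keygen` line in the second hunk of this file is a deliberate decision that the private key at `${KEYFILE}` carries no passphrase, and nothing in the script records why, so a later maintainer may "fix" it and break unattended runs. Suggest a comment directly above the line: `# -N "": no key passphrase; at-rest protection is the encrypted data dir holding ~/.ssh plus the IPA vault, and a passphrase prompt would block this non-interactive run.` On the same line `${KEYFILE}` is still unquoted while the new relocation code quotes every path, so `-f "${KEYFILE}"` would make the two parts of the script consistent. The enclosing `if`/`else` chain starts and ends outside the hunk.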