diff --git a/.woodpecker/db.yml b/.woodpecker/db.yml
index 172b959..7620129 100644
--- a/.woodpecker/db.yml
+++ b/.woodpecker/db.yml
@@ -25,8 +25,11 @@ steps:
       # fetch registry creds
       - ./ci/vlt kv_to_file kv registry user secrets/REGISTRY_USER 600
       - ./ci/vlt kv_to_file kv registry password secrets/REGISTRY_PASS 600
-      # fetch SSH private key for deploy
-      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private secrets/SSH_KEY 600
+      # fetch SSH private key for deploy (base64-encoded) and decode
+      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
+      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
+      - chmod 600 secrets/SSH_KEY
+      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
 
   - name: lock-db
     image: quay.io/skopeo/stable:latest