diff --git a/Documentation/design/installconfig.md b/Documentation/design/installconfig.md
index 050d0fa9203..2b0bab05e89 100644
--- a/Documentation/design/installconfig.md
+++ b/Documentation/design/installconfig.md
@@ -68,7 +68,6 @@ type AWS struct {
     Master                    `json:",inline" yaml:"master,omitempty"`
     Profile                   string `json:"tectonic_aws_profile,omitempty" yaml:"profile,omitempty"`
     Region                    string `json:"tectonic_aws_region,omitempty" yaml:"region,omitempty"`
-    SSHKey                    string `json:"tectonic_aws_ssh_key,omitempty" yaml:"sshKey,omitempty"`
     VPCCIDRBlock              string `json:"tectonic_aws_vpc_cidr_block,omitempty" yaml:"vpcCIDRBlock,omitempty"`
     Worker                    `json:",inline" yaml:"worker,omitempty"`
 }
@@ -106,7 +105,6 @@ type Worker struct {
 ```go
 type Libvirt struct {
     URI           string `json:"tectonic_libvirt_uri,omitempty" yaml:"uri"`
-    SSHKey        string `json:"tectonic_libvirt_ssh_key,omitempty" yaml:"sshKey"`
     QCOWImagePath string `json:"tectonic_coreos_qcow_path,omitempty" yaml:"imagePath"`
     Network       `json:",inline" yaml:"network"`
     MasterIPs     []string `json:"tectonic_libvirt_master_ips,omitempty" yaml:"masterIPs"`
diff --git a/config.tf b/config.tf
index 9ca2acd57bc..3d14025ba71 100644
--- a/config.tf
+++ b/config.tf
@@ -267,6 +267,15 @@ also be escaped.
 EOF
 }
 
+variable "tectonic_admin_ssh_key" {
+  type    = "string"
+  default = ""
+
+  description = <<EOF
+(optional) The admin user's SSH public key to login to the nodes.
+EOF
+}
+
 variable "tectonic_ca_cert" {
   type    = "string"
   default = ""
diff --git a/examples/tectonic.aws.yaml b/examples/tectonic.aws.yaml
index d1aecb0b5e0..373bf986c07 100644
--- a/examples/tectonic.aws.yaml
+++ b/examples/tectonic.aws.yaml
@@ -1,6 +1,7 @@
 admin:
   email: "a@b.c"
   password: "verysecure"
+  sshKey: "ssh-ed25519 AAAA..."
 aws:
   # (optional) Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters.
   # The Tectonic Installer uses the bucket to store tectonic assets and kubeconfig.
@@ -130,9 +131,6 @@ aws:
   # The target AWS region for the cluster.
   region: eu-west-1
 
-  # Name of an SSH key located within the AWS region. Example: coreos-user.
-  sshKey:
-
   # Block of IP addresses used by the VPC.
   # This should not overlap with any other networks, such as a private datacenter connected via Direct Connect.
   vpcCIDRBlock: 10.0.0.0/16
diff --git a/examples/tectonic.libvirt.yaml b/examples/tectonic.libvirt.yaml
index ee26c850e34..eaaeaa87e3b 100644
--- a/examples/tectonic.libvirt.yaml
+++ b/examples/tectonic.libvirt.yaml
@@ -1,6 +1,7 @@
 admin:
   email: a@b.c
   password: verysecure
+  sshKey: "ssh-ed25519 AAAA..."
 # The base DNS domain of the cluster. It must NOT contain a trailing period. Some
 # DNS providers will automatically add this if necessary.
 #
@@ -16,7 +17,6 @@ libvirt:
     ifName: tt0
     dnsServer: 8.8.8.8
     ipRange: 192.168.124.0/24
-  sshKey: "ssh-rsa ..."
   imagePath: /path/to/image
 
 ca:
diff --git a/installer/pkg/config-generator/ignition.go b/installer/pkg/config-generator/ignition.go
index a77ca0abbbc..2f0ffa8c187 100644
--- a/installer/pkg/config-generator/ignition.go
+++ b/installer/pkg/config-generator/ignition.go
@@ -57,7 +57,9 @@ func (c *ConfigGenerator) GenerateIgnConfig(clusterDir string) error {
 			return err
 		}
 
-		// agentless platforms (e.g. libvirt) need to embed the ssh key
+		// XXX(crawford): The SSH key should only be added to the bootstrap
+		//                node. After that, MCO should be responsible for
+		//                distributing SSH keys.
 		c.embedUserBlock(ignCfg)
 
 		fileTargetPath := filepath.Join(clusterDir, ignFilesPath[role])
@@ -111,16 +113,14 @@ func (c *ConfigGenerator) appendCertificateAuthority(ignCfg *ignconfigtypes.Conf
 }
 
 func (c *ConfigGenerator) embedUserBlock(ignCfg *ignconfigtypes.Config) {
-	if c.Platform == config.PlatformLibvirt {
-		userBlock := ignconfigtypes.PasswdUser{
-			Name: "core",
-			SSHAuthorizedKeys: []ignconfigtypes.SSHAuthorizedKey{
-				ignconfigtypes.SSHAuthorizedKey(c.Libvirt.SSHKey),
-			},
-		}
-
-		ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
+	userBlock := ignconfigtypes.PasswdUser{
+		Name: "core",
+		SSHAuthorizedKeys: []ignconfigtypes.SSHAuthorizedKey{
+			ignconfigtypes.SSHAuthorizedKey(c.SSHKey),
+		},
 	}
+
+	ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
 }
 
 func (c *ConfigGenerator) getTNCURL(role string) string {
diff --git a/installer/pkg/config/aws/aws.go b/installer/pkg/config/aws/aws.go
index 54a755268a2..0e1793e1842 100644
--- a/installer/pkg/config/aws/aws.go
+++ b/installer/pkg/config/aws/aws.go
@@ -30,7 +30,6 @@ type AWS struct {
 	Master                    `json:",inline" yaml:"master,omitempty"`
 	Profile                   string `json:"tectonic_aws_profile,omitempty" yaml:"profile,omitempty"`
 	Region                    string `json:"tectonic_aws_region,omitempty" yaml:"region,omitempty"`
-	SSHKey                    string `json:"tectonic_aws_ssh_key,omitempty" yaml:"sshKey,omitempty"`
 	VPCCIDRBlock              string `json:"tectonic_aws_vpc_cidr_block,omitempty" yaml:"vpcCIDRBlock,omitempty"`
 	Worker                    `json:",inline" yaml:"worker,omitempty"`
 }
diff --git a/installer/pkg/config/libvirt/libvirt.go b/installer/pkg/config/libvirt/libvirt.go
index 7c59abf8074..83c2eef122d 100644
--- a/installer/pkg/config/libvirt/libvirt.go
+++ b/installer/pkg/config/libvirt/libvirt.go
@@ -17,7 +17,6 @@ const (
 // Libvirt encompasses configuration specific to libvirt.
 type Libvirt struct {
 	URI           string `json:"tectonic_libvirt_uri,omitempty" yaml:"uri"`
-	SSHKey        string `json:"tectonic_libvirt_ssh_key,omitempty" yaml:"sshKey"`
 	QCOWImagePath string `json:"tectonic_coreos_qcow_path,omitempty" yaml:"imagePath"`
 	Network       `json:",inline" yaml:"network"`
 	MasterIPs     []string `json:"tectonic_libvirt_master_ips,omitempty" yaml:"masterIPs"`
diff --git a/installer/pkg/config/types.go b/installer/pkg/config/types.go
index 7c3037b38e9..ae9e30a3b09 100644
--- a/installer/pkg/config/types.go
+++ b/installer/pkg/config/types.go
@@ -20,6 +20,7 @@ const (
 type Admin struct {
 	Email    string `json:"tectonic_admin_email" yaml:"email,omitempty"`
 	Password string `json:"tectonic_admin_password" yaml:"password,omitempty"`
+	SSHKey   string `json:"tectonic_admin_ssh_key,omitempty" yaml:"sshKey,omitempty"`
 }
 
 // CA related config
diff --git a/installer/pkg/config/validate.go b/installer/pkg/config/validate.go
index 7939db583ce..5e75f9537fb 100644
--- a/installer/pkg/config/validate.go
+++ b/installer/pkg/config/validate.go
@@ -183,9 +183,6 @@ func (c *Cluster) validateLibvirt() []error {
 	if err := validate.PrefixError("libvirt imagePath is not a valid QCOW image", validate.FileHeader(c.Libvirt.QCOWImagePath, qcowMagic)); err != nil {
 		errs = append(errs, err)
 	}
-	if err := validate.PrefixError("libvirt sshKey", validate.NonEmpty(c.Libvirt.SSHKey)); err != nil {
-		errs = append(errs, err)
-	}
 	if err := validate.PrefixError("libvirt network name", validate.NonEmpty(c.Libvirt.Network.Name)); err != nil {
 		errs = append(errs, err)
 	}
diff --git a/installer/pkg/config/validate_test.go b/installer/pkg/config/validate_test.go
index 859351c8034..4a3c2b4b166 100644
--- a/installer/pkg/config/validate_test.go
+++ b/installer/pkg/config/validate_test.go
@@ -605,7 +605,6 @@ func TestValidateLibvirt(t *testing.T) {
 				Libvirt: libvirt.Libvirt{
 					Network:       libvirt.Network{},
 					QCOWImagePath: "",
-					SSHKey:        "",
 					URI:           "",
 				},
 				Networking: defaultCluster.Networking,
@@ -622,7 +621,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.0.1.0/24",
 					},
 					QCOWImagePath: fInvalid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -639,7 +637,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.0.1.0/24",
 					},
 					QCOWImagePath: fValid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -656,7 +653,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "10.2.1.0/24",
 					},
 					QCOWImagePath: fValid.Name(),
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -673,7 +669,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "x",
 					},
 					QCOWImagePath: "foo",
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
@@ -690,7 +685,6 @@ func TestValidateLibvirt(t *testing.T) {
 						IPRange:   "192.168.0.1/24",
 					},
 					QCOWImagePath: "foo",
-					SSHKey:        "bar",
 					URI:           "baz",
 				},
 				Networking: defaultCluster.Networking,
diff --git a/modules/aws/etcd/nodes.tf b/modules/aws/etcd/nodes.tf
index 96be2cc39d6..d87d7b49e56 100644
--- a/modules/aws/etcd/nodes.tf
+++ b/modules/aws/etcd/nodes.tf
@@ -88,7 +88,6 @@ resource "aws_instance" "etcd_node" {
 
   iam_instance_profile   = "${aws_iam_instance_profile.etcd.name}"
   instance_type          = "${var.ec2_type}"
-  key_name               = "${var.ssh_key}"
   subnet_id              = "${element(var.subnets, count.index)}"
   user_data              = "${data.ignition_config.tnc.*.rendered[count.index]}"
   vpc_security_group_ids = ["${var.sg_ids}"]
diff --git a/modules/aws/etcd/variables.tf b/modules/aws/etcd/variables.tf
index f4aae123447..b1f9aa85180 100644
--- a/modules/aws/etcd/variables.tf
+++ b/modules/aws/etcd/variables.tf
@@ -33,11 +33,6 @@ It is passed through to the Terraform aws provider: https://www.terraform.io/doc
 EOF
 }
 
-variable "ssh_key" {
-  type    = "string"
-  default = ""
-}
-
 variable "subnets" {
   type = "list"
 }
diff --git a/modules/aws/master-asg/master.tf b/modules/aws/master-asg/master.tf
index 0fadf1db1c8..16df02cb77f 100644
--- a/modules/aws/master-asg/master.tf
+++ b/modules/aws/master-asg/master.tf
@@ -48,7 +48,6 @@ resource "aws_launch_configuration" "master_conf" {
   instance_type               = "${var.ec2_type}"
   image_id                    = "${coalesce(var.ec2_ami, module.ami.id)}"
   name_prefix                 = "${var.cluster_name}-master-"
-  key_name                    = "${var.ssh_key}"
   security_groups             = ["${var.master_sg_ids}"]
   iam_instance_profile        = "${aws_iam_instance_profile.master_profile.arn}"
   associate_public_ip_address = "${var.public_endpoints}"
diff --git a/modules/aws/master-asg/variables.tf b/modules/aws/master-asg/variables.tf
index f0b9314fbe3..e6ea8da7789 100644
--- a/modules/aws/master-asg/variables.tf
+++ b/modules/aws/master-asg/variables.tf
@@ -101,10 +101,6 @@ variable "root_volume_type" {
   description = "The type of volume for the root block device."
 }
 
-variable "ssh_key" {
-  type = "string"
-}
-
 variable "subnet_ids" {
   type = "list"
 }
diff --git a/modules/aws/worker-asg/variables.tf b/modules/aws/worker-asg/variables.tf
index 2883de0dfcc..ce546d01fea 100644
--- a/modules/aws/worker-asg/variables.tf
+++ b/modules/aws/worker-asg/variables.tf
@@ -1,7 +1,3 @@
-variable "ssh_key" {
-  type = "string"
-}
-
 variable "container_linux_channel" {
   type = "string"
 }
diff --git a/modules/aws/worker-asg/worker.tf b/modules/aws/worker-asg/worker.tf
index ef415a44ae3..5a2fbfbdb56 100644
--- a/modules/aws/worker-asg/worker.tf
+++ b/modules/aws/worker-asg/worker.tf
@@ -14,7 +14,6 @@ resource "aws_launch_configuration" "worker_conf" {
   instance_type        = "${var.ec2_type}"
   image_id             = "${coalesce(var.ec2_ami, module.ami.id)}"
   name_prefix          = "${var.cluster_name}-worker-"
-  key_name             = "${var.ssh_key}"
   security_groups      = ["${var.sg_ids}"]
   iam_instance_profile = "${aws_iam_instance_profile.worker_profile.arn}"
   user_data            = "${var.user_data_ign}"
diff --git a/steps/assets/aws/main.tf b/steps/assets/aws/main.tf
index 48090ff3290..323ee595d0c 100644
--- a/steps/assets/aws/main.tf
+++ b/steps/assets/aws/main.tf
@@ -18,6 +18,7 @@ module assets_base {
 
   tectonic_admin_email             = "${var.tectonic_admin_email}"
   tectonic_admin_password          = "${var.tectonic_admin_password}"
+  tectonic_admin_ssh_key           = "${var.tectonic_admin_ssh_key}"
   tectonic_base_domain             = "${var.tectonic_base_domain}"
   tectonic_cluster_cidr            = "${var.tectonic_cluster_cidr}"
   tectonic_cluster_id              = "${var.tectonic_cluster_id}"
diff --git a/steps/assets/libvirt/main.tf b/steps/assets/libvirt/main.tf
index 026091e50a5..7309f5a0ef6 100644
--- a/steps/assets/libvirt/main.tf
+++ b/steps/assets/libvirt/main.tf
@@ -14,6 +14,9 @@ module assets_base {
 
   ingress_kind = "haproxy-router"
 
+  tectonic_admin_email             = "${var.tectonic_admin_email}"
+  tectonic_admin_password          = "${var.tectonic_admin_password}"
+  tectonic_admin_ssh_key           = "${var.tectonic_admin_ssh_key}"
   tectonic_base_domain             = "${var.tectonic_base_domain}"
   tectonic_cluster_name            = "${var.tectonic_cluster_name}"
   tectonic_container_images        = "${var.tectonic_container_images}"
@@ -24,11 +27,9 @@ module assets_base {
   tectonic_networking              = "${var.tectonic_networking}"
   tectonic_license_path            = "${var.tectonic_license_path}"
   tectonic_pull_secret_path        = "${var.tectonic_pull_secret_path}"
-  tectonic_admin_email             = "${var.tectonic_admin_email}"
   tectonic_update_channel          = "${var.tectonic_update_channel}"
   tectonic_platform                = "${var.tectonic_platform}"
   tectonic_versions                = "${var.tectonic_versions}"
-  tectonic_admin_password          = "${var.tectonic_admin_password}"
   tectonic_cluster_id              = "${var.tectonic_cluster_id}"
   tectonic_container_linux_channel = "${var.tectonic_container_linux_channel}"
   tectonic_container_linux_version = "${var.tectonic_container_linux_version}"
@@ -50,7 +51,7 @@ data "ignition_user" "core" {
   name = "core"
 
   ssh_authorized_keys = [
-    "${var.tectonic_libvirt_ssh_key}",
+    "${var.tectonic_admin_ssh_key}",
   ]
 }
 
diff --git a/steps/etcd/aws/etcd.tf b/steps/etcd/aws/etcd.tf
index a5d00792864..3d5b65c23e5 100644
--- a/steps/etcd/aws/etcd.tf
+++ b/steps/etcd/aws/etcd.tf
@@ -64,7 +64,6 @@ module "etcd" {
   root_volume_type        = "${var.tectonic_aws_etcd_root_volume_type}"
   s3_bucket               = "${local.s3_bucket}"
   sg_ids                  = "${concat(var.tectonic_aws_etcd_extra_sg_ids, list(local.sg_id))}"
-  ssh_key                 = "${var.tectonic_aws_ssh_key}"
   subnets                 = ["${local.subnet_ids_workers}"]
   etcd_iam_role           = "${var.tectonic_aws_etcd_iam_role_name}"
   ec2_ami                 = "${var.tectonic_aws_ec2_ami_override}"
diff --git a/steps/etcd/libvirt/main.tf b/steps/etcd/libvirt/main.tf
index de5b7907f04..b012a1deb85 100644
--- a/steps/etcd/libvirt/main.tf
+++ b/steps/etcd/libvirt/main.tf
@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system" #XXX fixme
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 module "defaults" {
diff --git a/steps/joining_workers/aws/workers.tf b/steps/joining_workers/aws/workers.tf
index b391f8bc0c5..7e0ceba33ab 100644
--- a/steps/joining_workers/aws/workers.tf
+++ b/steps/joining_workers/aws/workers.tf
@@ -33,7 +33,6 @@ module "workers" {
   root_volume_size             = "${var.tectonic_aws_worker_root_volume_size}"
   root_volume_type             = "${var.tectonic_aws_worker_root_volume_type}"
   sg_ids                       = "${concat(var.tectonic_aws_worker_extra_sg_ids, list(local.sg_id))}"
-  ssh_key                      = "${var.tectonic_aws_ssh_key}"
   subnet_ids                   = "${local.subnet_ids}"
   worker_iam_role              = "${var.tectonic_aws_worker_iam_role_name}"
   ec2_ami                      = "${var.tectonic_aws_ec2_ami_override}"
diff --git a/steps/joining_workers/libvirt/workers.tf b/steps/joining_workers/libvirt/workers.tf
index d83b337181f..aed41901890 100644
--- a/steps/joining_workers/libvirt/workers.tf
+++ b/steps/joining_workers/libvirt/workers.tf
@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system"
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 resource "libvirt_volume" "worker" {
diff --git a/steps/masters/aws/main.tf b/steps/masters/aws/main.tf
index ecd699ca8ad..d04b852d3ce 100644
--- a/steps/masters/aws/main.tf
+++ b/steps/masters/aws/main.tf
@@ -43,7 +43,6 @@ module "masters" {
   root_volume_iops             = "${var.tectonic_aws_master_root_volume_iops}"
   root_volume_size             = "${var.tectonic_aws_master_root_volume_size}"
   root_volume_type             = "${var.tectonic_aws_master_root_volume_type}"
-  ssh_key                      = "${var.tectonic_aws_ssh_key}"
   subnet_ids                   = "${local.subnet_ids}"
   ec2_ami                      = "${var.tectonic_aws_ec2_ami_override}"
   user_data_ign                = "${file("${path.cwd}/${var.tectonic_ignition_master}")}"
diff --git a/steps/masters/libvirt/main.tf b/steps/masters/libvirt/main.tf
index cb0220aa51c..305fa7ea6d0 100644
--- a/steps/masters/libvirt/main.tf
+++ b/steps/masters/libvirt/main.tf
@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system"
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 locals {
diff --git a/steps/tnc_dns/libvirt/main.tf b/steps/tnc_dns/libvirt/main.tf
index b01e00e27bc..1de3dc19671 100644
--- a/steps/tnc_dns/libvirt/main.tf
+++ b/steps/tnc_dns/libvirt/main.tf
@@ -1,6 +1,6 @@
 # Sets up the libvirt domain name
 resource "null_resource" "tnc_dns" {
   provisioner "local-exec" {
-    command = "virsh -c qemu:///system net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${var.tectonic_libvirt_master_ips[0]}'><hostname>${var.tectonic_cluster_name}-api</hostname><hostname>${var.tectonic_cluster_name}-tnc</hostname></host>\" --live --config"
+    command = "virsh -c ${var.tectonic_libvirt_uri} net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${var.tectonic_libvirt_master_ips[0]}'><hostname>${var.tectonic_cluster_name}-api</hostname><hostname>${var.tectonic_cluster_name}-tnc</hostname></host>\" --live --config"
   }
 }
diff --git a/steps/topology/libvirt/main.tf b/steps/topology/libvirt/main.tf
index 9a5f1d6a155..1b2deb29523 100644
--- a/steps/topology/libvirt/main.tf
+++ b/steps/topology/libvirt/main.tf
@@ -1,5 +1,5 @@
 provider "libvirt" {
-  uri = "qemu:///system" #XXX fixme
+  uri = "${var.tectonic_libvirt_uri}"
 }
 
 # Create the bridge for libvirt
@@ -34,6 +34,6 @@ locals {
 # This is currently limited to the first worker, due to an issue with net-update, even though libvirt supports multiple a-records
 resource "null_resource" "console_dns" {
   provisioner "local-exec" {
-    command = "virsh -c qemu:///system net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${local.first_worker_ip}'><hostname>${var.tectonic_cluster_name}</hostname></host>\" --live --config"
+    command = "virsh -c ${var.tectonic_libvirt_uri} net-update ${var.tectonic_libvirt_network_name} add dns-host \"<host ip='${local.first_worker_ip}'><hostname>${var.tectonic_cluster_name}</hostname></host>\" --live --config"
   }
 }
diff --git a/steps/variables-aws.tf b/steps/variables-aws.tf
index f998e13886f..9f8fe05e99d 100644
--- a/steps/variables-aws.tf
+++ b/steps/variables-aws.tf
@@ -15,11 +15,6 @@ EOF
   type = "string"
 }
 
-variable "tectonic_aws_ssh_key" {
-  type        = "string"
-  description = "Name of an SSH key located within the AWS region. Example: coreos-user."
-}
-
 variable "tectonic_aws_master_ec2_type" {
   type        = "string"
   description = "Instance size for the master node(s). Example: `t2.medium`."
diff --git a/steps/variables-libvirt.tf b/steps/variables-libvirt.tf
index bc0cf10a5b9..0a82983ec38 100644
--- a/steps/variables-libvirt.tf
+++ b/steps/variables-libvirt.tf
@@ -1,6 +1,6 @@
-variable "tectonic_libvirt_ssh_key" {
+variable "tectonic_libvirt_uri" {
   type        = "string"
-  description = "Contents of an SSH key to install for the core user"
+  description = "libvirt connection URI"
 }
 
 variable "tectonic_libvirt_network_name" {
diff --git a/tests/run.sh b/tests/run.sh
index 461c845d696..5d824a3360a 100755
--- a/tests/run.sh
+++ b/tests/run.sh
@@ -1,6 +1,8 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
 #shellcheck disable=SC2155
 
+set -e
+
 # This should be executed from top-level directory not from `tests` directory
 # Script needs two variables to be set before execution
 # 1) LICENSE_PATH - path to tectonic license file
@@ -18,9 +20,8 @@ CLUSTER_NAME=$(echo "${PREFIX}-$(uuidgen -r | cut -c1-5)" | tr '[:upper:]' '[:lo
 exec &> >(tee -a "$CLUSTER_NAME.log")
 
 function destroy() {
-  echo -e "\\e[34m Exiting... Destroying Tectonic and cleaning SSH keys...\\e[0m"
+  echo -e "\\e[34m Exiting... Destroying Tectonic...\\e[0m"
   tectonic destroy --dir="${CLUSTER_NAME}"
-  aws ec2 delete-key-pair --key-name "${CLUSTER_NAME}"
   echo -e "\\e[36m Finished! Smoke test output:\\e[0m ${SMOKE_TEST_OUTPUT}"
   echo -e "\\e[34m So Long, and Thanks for All the Fish\\e[0m"
 }
@@ -66,13 +67,12 @@ export AWS_ACCESS_KEY_ID=$(echo  "${RES}" | jq --raw-output '.Credentials.Access
 export AWS_SESSION_TOKEN=$(echo "${RES}" | jq --raw-output '.Credentials.SessionToken')
 
 ### HANDLE SSH KEY ###
-echo -e "\\e[36m Uploading SSH key-pair to AWS...\\e[0m"
-if [ ! -f "$HOME/.ssh/id_rsa.pub" ]; then
+echo -e "\\e[36m Generating SSH key-pair...\\e[0m"
+if [ ! -f ~/.ssh/id_rsa.pub ]; then
   #shellcheck disable=SC2034
-  SSH=$(ssh-keygen -b 2048 -t rsa -f "${HOME}/.ssh/id_rsa" -N "" < /dev/zero)
+  SSH=$(ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -N "" < /dev/zero)
 fi
-aws ec2 import-key-pair --key-name "${CLUSTER_NAME}" --public-key-material "file://$HOME/.ssh/id_rsa.pub"
-export TF_VAR_tectonic_aws_ssh_key="${CLUSTER_NAME}"
+export TF_VAR_tectonic_admin_ssh_key="$(cat ~/.ssh/id_rsa.pub)"
 
 echo -e "\\e[36m Deploying Tectonic...\\e[0m"
 tectonic install --dir="${CLUSTER_NAME}"
diff --git a/tests/smoke/aws/README.md b/tests/smoke/aws/README.md
index a2e801d41a6..6bbcce2902f 100644
--- a/tests/smoke/aws/README.md
+++ b/tests/smoke/aws/README.md
@@ -20,8 +20,7 @@ To begin, verify that the following environment variables are set:
 
 - `AWS_PROFILE` or alternatively `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`: These credentials are used by Terraform to spawn clusters on AWS.
 - `TF_VAR_tectonic_pull_secret_path` and `TF_VAR_tectonic_license_path`: The local path to the pull secret and Tectonic license file.
-- `TF_VAR_tectonic_aws_ssh_key`: The AWS ssh key pair which enables ssh'ing into the created machines using the `core` user.
-  It must be present in AWS under "EC2 -> Network & Security -> Key Pairs".
+- (optional) `TF_VAR_tectonic_admin_ssh_key`: The SSH public key which enables SSHing into the created machines using the `core` user.
 - (optional) `BUILD_ID`: Any number >= 1. Based on this number the region will be selected of the deployed cluster.
   See the `REGIONS` variable under `smoke.sh` for details.
 - (optional) `BRANCH_NAME`: The local branch name used as an infix for cluster names.
@@ -33,7 +32,7 @@ export AWS_ACCESS_KEY_ID=AKIAIQ5TVFGQ7CKWD6IA
 export AWS_SECRET_ACCESS_KEY_ID=rtp62V7H/JDY3cNBAs5vA0coaTou/OQbqJk96Hws
 export TF_VAR_tectonic_license_path="/home/user/tectonic-license"
 export TF_VAR_tectonic_pull_secret_path="/home/user/coreos-inc/pull-secret"
-export TF_VAR_tectonic_aws_ssh_key="user"
+export TF_VAR_tectonic_admin_ssh_key="ssh-ed25519 AAAA..."
 ```
 
 ## Assume Role