diff --git a/home.admin/_bootstrap.sh b/home.admin/_bootstrap.sh
index 58848b6dc..a2fe20c5c 100755
--- a/home.admin/_bootstrap.sh
+++ b/home.admin/_bootstrap.sh
@@ -94,10 +94,8 @@ sudo chmod 777 ${infoFile}
 ######################################
 # CHECK SD CARD INCONSISTENT STATE
-# make sure SSH server certs are configured & sshd is running
-sudo systemctl stop sshd
-sudo dpkg-reconfigure openssh-server
-sudo systemctl start sshd
+# make sure SSH server is configured & running
+sudo /home/admin/config.scripts/blitz.ssh.sh checkrepair
 # when the provision did not ran thru without error (ask user for fresh sd card)
 provisionFlagExists=$(sudo ls /home/admin/provision.flag | grep -c 'provision.flag')
@@ -175,10 +173,7 @@ if [ ${sshReset} -eq 1 ]; then
   sudo rm /boot/ssh.reset* >> $logFile
   # delete ssh certs
   echo "SSHRESET switch found ... stopping SSH and deleting old certs" >> $logFile
-  sudo systemctl stop sshd >> $logFile
-  sudo rm /etc/ssh/ssh_host_*
-  sudo rm /mnt/hdd/ssh/ssh_host* >> $logFile
-  sudo ssh-keygen -A >> $logFile
+  sudo /home/admin/config.scripts/blitz.ssh.sh renew
   systemInitReboot=1
   sed -i "s/^message=.*/message='SSHRESET'/g" ${infoFile}
 else
@@ -409,9 +404,7 @@ if [ ${isMounted} -eq 0 ]; then
   # INIT OLD SSH HOST KEYS on Update/Recovery to prevent "Unknown Host" on ssh client
   echo "COPY und Activating old SSH host keys" >> $logFile
-  sudo cp -r /mnt/hdd/ssh/* /etc/ssh/ >> ${logFile} 2>&1
-  sudo systemctl restart sshd
-  sudo dpkg-reconfigure openssh-server
+  sudo /home/admin/config.scripts/blitz.ssh.sh restore
   # determine if this is a recovery or an update
   # TODO: improve version/update detetion later
diff --git a/home.admin/_provision.setup.sh b/home.admin/_provision.setup.sh
index 6a5a46c07..a97639b67 100755
--- a/home.admin/_provision.setup.sh
+++ b/home.admin/_provision.setup.sh
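Review bot: `checkrepair` now runs unconditionally on every boot, and (per the new blitz.ssh.sh in this commit) its decision to regenerate host keys rests on a hardcoded count of eight `/etc/ssh/ssh_host_*` files; how many files `ssh-keygen -A` and `dpkg-reconfigure openssh-server` produce varies with the OpenSSH/Debian version, so on an image that ships fewer key types this branch would fire at every boot and replace the host identity that the `restore` call in the third hunk is meant to preserve. I would confirm the count on the target image before merging, and prefer a check that only fires when no key pair exists at all, e.g. `if [ ${countKeyFiles} -eq 0 ]; then`. The enclosing section continues outside the hunk.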
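Review bot: `renew` deletes the whole `${DEFAULTBACKUPBASEDIR}/ssh` directory before copying `/etc/ssh` back, so an SSHRESET now also discards `ssh/root_backup` (the backed-up root SSH keys), whereas the replaced lines removed only `/mnt/hdd/ssh/ssh_host*`. If that is not intended, `renew` should replace just the host key files inside the existing backup directory and leave `root_backup` in place. The replaced lines also appended to `$logFile`, but the new call sends the script's `# ...` and `error=...` diagnostics to the terminal; `sudo /home/admin/config.scripts/blitz.ssh.sh renew >> $logFile 2>&1` keeps them in the boot log. The same redirect was dropped for `restore` in the next hunk and for the `backup` calls in _provision.setup.sh and _provision_.sh.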
@@ -32,10 +32,7 @@ sudo sed -i "s/^message=.*/message='Provision Setup'/g" ${infoFile}
 sudo sed -i "s/^message=.*/message='SSH Keys'/g" ${infoFile}
 # link ssh directory from SD card to HDD
-echo "# --> SSH key settings" >> ${logFile}
-echo "# copying SSH pub keys to HDD" >> ${logFile}
-sudo cp -r /etc/ssh /mnt/hdd/ssh >> ${logFile}
-echo "# OK" >> ${logFile}
+sudo /home/admin/config.scripts/blitz.ssh.sh backup
 ###################################
 # Prepare Blockchain Service
diff --git a/home.admin/_provision_.sh b/home.admin/_provision_.sh
index baa228f87..9e9e51e1a 100755
--- a/home.admin/_provision_.sh
+++ b/home.admin/_provision_.sh
@@ -111,20 +111,8 @@ sudo usermod -a -G debian-tor bitcoin
 echo "Setting lightning alias: ${hostname}" >> ${logFile}
 sudo sed -i "s/^alias=.*/alias=${hostname}/g" /home/admin/assets/lnd.${network}.conf >> ${logFile} 2>&1
-# link old SSH PubKeys
-# so that client ssh_known_hosts is not complaining after update
-if [ -d "/mnt/hdd/ssh" ]; then
-  echo "Old SSH PubKey exists on HDD > copy them HDD to SD card for next start" >> ${logFile}
-  sudo cp -r /mnt/hdd/ssh/* /etc/ssh/ >> ${logFile} 2>&1
-else
-  echo "No SSH PubKey exists on HDD > copy from SD card to HDD as backup" >> ${logFile}
-  sudo cp -r /etc/ssh /mnt/hdd/ssh >> ${logFile} 2>&1
-fi
-# just copy - dont link anymore so that sshd will also start without HDD connected
-# see: https://github.com/rootzoll/raspiblitz/issues/1798
-#sudo rm -rf /etc/ssh >> ${logFile} 2>&1
-#sudo ln -s /mnt/hdd/ssh /etc/ssh >> ${logFile} 2>&1
-#sudo /home/admin/config.scripts/blitz.systemd.sh update-sshd >> ${logFile} 2>&1
+# backup SSH PubKeys
+sudo /home/admin/config.scripts/blitz.ssh.sh backup
 # optimze mempool if RAM >1GB
 kbSizeRAM=$(cat /proc/meminfo | grep "MemTotal" | sed 's/[^0-9]*//g')
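Review bot: The removed block in _provision_.sh restored host keys from the HDD when `/mnt/hdd/ssh` already existed and only backed up otherwise; the new unconditional `backup` first runs `rm -r` on that directory and then copies the SD card's `/etc/ssh` over it, so on an update with a fresh SD card it relies on the `restore` call in _bootstrap.sh (its `isMounted` hunk) having already succeeded — if it did not, the previously saved host keys and `root_backup` are destroyed at this point. Consider keeping the guard, `if [ ! -d "/mnt/hdd/ssh" ]; then sudo /home/admin/config.scripts/blitz.ssh.sh backup; fi`, or at least logging which case applied. The dropped comment explaining why `/etc/ssh` is copied rather than symlinked (issue 1798) is still useful context and could be kept above the new call.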
@@ -461,17 +449,6 @@ else
   echo "Provisioning chantools - keep default" >> ${logFile}
 fi
-# ROOT SSH KEYS
-# check if a backup on HDD exists – if so, restore it
-backupRootSSH=$(sudo ls /mnt/hdd/ssh/root_backup 2>/dev/null | grep -c "id_rsa")
-if [ ${backupRootSSH} -gt 0 ]; then
-  echo "Provisioning Root SSH Keys - RESTORING from HDD" >> ${logFile}
-  sudo cp -r /mnt/hdd/ssh/root_backup /root/.ssh
-  sudo chown -R root:root /root/.ssh
-else
-  echo "Provisioning Root SSH Keys - keep default" >> ${logFile}
-fi
-
 # SSH TUNNEL
 if [ "${#sshtunnel}" -gt 0 ]; then
   echo "Provisioning SSH Tunnel - run config script" >> ${logFile}
diff --git a/home.admin/config.scripts/blitz.ssh.sh b/home.admin/config.scripts/blitz.ssh.sh
new file mode 100755
index 000000000..1cc8f55fa
--- /dev/null
+++ b/home.admin/config.scripts/blitz.ssh.sh
@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$1" = "-help" ]; then
+  echo "RaspiBlitz SSH tools"
+  echo "blitz.ssh.sh renew --> renew the sshd host certs"
+  echo "blitz.ssh.sh clear --> make sure old sshd host certs are cleared"
+  echo "blitz.ssh.sh checkrepair --> check sshd & repair just in case"
+  echo "blitz.ssh.sh backup --> copy ssh keys to backup (if exist)"
+  echo "blitz.ssh.sh restore --> restore ssh keys from backup (if exist)"
+  exit 1
+fi
+
+DEFAULTBACKUPBASEDIR="/mnt/hdd" # compiles to /mnt/hdd/ssh
+
+# check if started with sudo
+if [ "$EUID" -ne 0 ]; then
+  echo "error='missing sudo'"
+  exit 1
+fi
+
+###################
+# RENEW
+###################
+if [ "$1" = "renew" ]; then
+  echo "# *** blitz.ssh.sh renew"
+  sudo systemctl stop sshd
+  sudo rm /etc/ssh/ssh_host_*
+  sudo ssh-keygen -A
+  sudo dpkg-reconfigure openssh-server
+  sudo rm -r $DEFAULTBACKUPBASEDIR/ssh 2>/dev/null # delete backups if exist
+  sudo cp -r /etc/ssh $DEFAULTBACKUPBASEDIR/ssh 2>/dev/null # copy to backups if exist
+  sudo systemctl start sshd
+  exit 0
+fi
+
+###################
+# CLEAR
+###################
+if [ "$1" = "clear" ]; then
+  echo "# *** blitz.ssh.sh clear"
+  sudo rm /etc/ssh/ssh_host_*
+  sudo rm $DEFAULTBACKUPBASEDIR/ssh/ssh_host* 2>/dev/null
+  echo "# OK: SSHD keyfiles & possible backups deleted"
+  exit 0
+fi
+
+###################
+# CHECK & REPAIR
+###################
+if [ "$1" = "checkrepair" ]; then
+  echo "# *** blitz.ssh.sh checkrepair"
+
+  # check if sshd host keys are missing / need generation
+  countKeyFiles=$(sudo ls -la /etc/ssh/ssh_host_* 2>/dev/null | grep -c "/etc/ssh/ssh_host")
+  echo "# countKeyFiles(${countKeyFiles})"
+  if [ ${countKeyFiles} -lt 8 ]; then
+    echo "# DETECTED: MISSING SSHD KEYFILES --> Generating new ones"
+    sudo systemctl stop sshd
+    sudo ssh-keygen -A
+    sudo systemctl start sshd
+    sudo rm -r DEFAULTBACKUPBASEDIR/ssh 2>/dev/null # delete backups if exist
+    sudo cp -r /etc/ssh DEFAULTBACKUPBASEDIR/ssh 2>/dev/null # copy to backups if exist
+    sleep 3
+  fi
+
+  # check if SSHD service is NOT running & active
+  sshdRunning=$(sudo systemctl status sshd | grep -c "active (running)")
+  if [ ${sshdRunning} -eq 0 ]; then
+    echo "# DETECTED: SSHD NOT RUNNING --> Try reconfigure & kickstart again"
+    sudo dpkg-reconfigure openssh-server
+    sudo systemctl restart sshd
+    sleep 3
+  fi
+
+  # check that SSHD service is running & active
+  sshdRunning=$(sudo systemctl status sshd | grep -c "active (running)")
+  if [ ${sshdRunning} -eq 1 ]; then
+    echo "# OK: SSHD RUNNING"
+  fi
+
+  exit 0
+fi
+
+###################
+# BACKUP
+###################
+if [ "$1" = "backup" ]; then
+  echo "# *** blitz.ssh.sh backup"
+  echo "# backup dir: ${DEFAULTBACKUPBASEDIR}/ssh"
+
+  # backup sshd host keys
+  sudo rm -r $DEFAULTBACKUPBASEDIR/ssh 2>/dev/null # delete backups if exist
+  sudo cp -r /etc/ssh $DEFAULTBACKUPBASEDIR/ssh 2>/dev/null # copy to backups if exist
+
+  # backup root use ssh keys
+  sudo rm -r $DEFAULTBACKUPBASEDIR/ssh/root_backup 2>/dev/null
+  sudo cp -r /root/.ssh $DEFAULTBACKUPBASEDIR/ssh/root_backup 2>/dev/null
+
+  if [ -d "${DEFAULTBACKUPBASEDIR}/ssh" ]; then
+    echo "# OK - ssh keys backup done"
+  else
+    echo "error='ssh keys backup failed - backup location may not exist'"
+  fi
+  exit 0
+fi
+
+###################
+# RESTORE
+###################
+if [ "$1" = "restore" ]; then
+  echo "# *** blitz.ssh.sh restore"
+  echo "# backup dir: ${DEFAULTBACKUPBASEDIR}/ssh"
+  if [ -d "${DEFAULTBACKUPBASEDIR}/ssh" ]; then
+
+    # restore sshd host keys
+    sudo cp -r $DEFAULTBACKUPBASEDIR/ssh/* /etc/ssh/
+    sudo chown -R root:root /etc/ssh
+    sudo dpkg-reconfigure openssh-server
+    sudo systemctl restart sshd
+
+    # restore root use keys
+    sudo cp -r $DEFAULTBACKUPBASEDIR/ssh/root_backup /root/.ssh
+    sudo chown -R root:root /root/.ssh
+
+    echo "# OK - ssh keys restore done"
+  else
+    echo "error='ssh keys backup not found'"
+  fi
+  exit 0
+fi
+
+echo "error='unknown parameter'"
+exit 1
diff --git a/home.admin/config.scripts/internet.sshtunnel.py b/home.admin/config.scripts/internet.sshtunnel.py
index ebb734d4a..d234d1534 100755
--- a/home.admin/config.scripts/internet.sshtunnel.py
+++ b/home.admin/config.scripts/internet.sshtunnel.py
@@ -168,7 +168,7 @@ def on(restore_on_update=False):
     # copy SSH keys for backup (for update with new sd card)
     print("making backup copy of SSH keys")
-    subprocess.call("sudo cp -r /root/.ssh /mnt/hdd/ssh/root_backup", shell=True)
+    subprocess.call("sudo /home/admin/config.scripts/blitz.ssh.sh backup", shell=True)
     print("DONE")
     # write ssh tunnel data to raspiblitz config (for update with new sd card)