diff --git a/components/ssh/include/ssh/common.h b/components/ssh/include/ssh/common.h
index d23d4fa..88278ab 100644
--- a/components/ssh/include/ssh/common.h
+++ b/components/ssh/include/ssh/common.h
@@ -17,6 +17,7 @@ namespace SSH
   {
     None = 0,
     MalformedKey,
+    UnexpectedKey,
     Unsupported,
     InvalidState,
     Internal,
diff --git a/components/ssh/include/ssh/keys.h b/components/ssh/include/ssh/keys.h
index 6ecc181..c895a17 100644
--- a/components/ssh/include/ssh/keys.h
+++ b/components/ssh/include/ssh/keys.h
@@ -24,6 +24,7 @@ namespace SSH
     Error Generate(KeyType keyType, uint32_t bits);
 
     Error Wrap(ssh_key keyPtr);
+    Error Own(ssh_key keyPtr);
     Error Load(const std::string& blob, const std::string& passphrase = std::string());
     std::expected<std::string, Error> Marshal(const std::string& passphrase = std::string()) const;
 
diff --git a/components/ssh/src/keys.cc b/components/ssh/src/keys.cc
index 12888b8..fff2ada 100644
--- a/components/ssh/src/keys.cc
+++ b/components/ssh/src/keys.cc
@@ -94,6 +94,12 @@ Error PrivateKey::Load(const std::string& blob, const std::string& passphrase)
     return Error::MalformedKey;
   }
 
+  rc = ssh_key_is_private(keyPtr);
+  if (rc != 1) {
+    ESP_LOGE(TAG, "tries to load not a priv key into priv key");
+    return Error::UnexpectedKey;
+  };
+
   ssh_keytypes_e targetType = ssh_key_type(keyPtr);
   this->keyType = sshKeyType(targetType);
   if (this->keyType == KeyType::None) {
@@ -112,6 +118,11 @@ Error PrivateKey::Wrap(ssh_key keyPtr)
     return Error::InvalidState;
   }
 
+  return Own(keyPtr);
+}
+
+Error PrivateKey::Own(ssh_key keyPtr)
+{
   ssh_keytypes_e targetType = ssh_key_type(keyPtr);
   this->keyType = sshKeyType(targetType);
   if (this->keyType == KeyType::None) {
@@ -119,6 +130,11 @@ Error PrivateKey::Wrap(ssh_key keyPtr)
     return Error::Unsupported;
   }
 
+  if (this->keyPtr != nullptr) {
+    ssh_key_free(this->keyPtr);
+    this->keyPtr = nullptr;
+  }
+
   this->keyPtr = keyPtr;
   return Error::None;
 }
diff --git a/main/secrets.cc b/main/secrets.cc
index e6dfd38..9571673 100644
--- a/main/secrets.cc
+++ b/main/secrets.cc
@@ -104,7 +104,7 @@ Error Secrets::Store()
       ESP_LOGE(TAG, "unable to store new secret key '%s': %d", SECRET_KEY_KEY, (int)err);
       return Error::InvalidSecretKey;
     }
-    ESP_LOGI(TAG, "host key stored in: %s",  SECRET_KEY_KEY);
+    ESP_LOGI(TAG, "secret key stored in: %s",  SECRET_KEY_KEY);
   } else {
     ESP_LOGW(TAG, "ignore empty secret key storing");
   }
@@ -144,12 +144,12 @@ Error Secrets::FromJson(const JsonObjectConst& obj) noexcept
 
   Blob::Bytes newSecretKey = Blob::Base64Decode(obj["secret_key"].as<std::string_view>());
   if (newSecretKey.empty()) {
-    ESP_LOGE(TAG, "unable to secret key");
+    ESP_LOGE(TAG, "unable to parse secret key");
     return Error::ShitHappens;
   }
 
-  this->hostKey = std::move(newHostKey);
-  this->secretKey = std::move(newSecretKey);
+  this->hostKey.Own(newHostKey.Copy());
+  this->secretKey = newSecretKey;
   return Error::None;
 }