diff --git a/pishrink.sh b/pishrink.sh
index c7b1fb3..f08c447 100755
--- a/pishrink.sh
+++ b/pishrink.sh
@@ -316,7 +316,38 @@ if [[ $prep == true ]]; then
 info "Syspreping: Removing logs, apt archives, dhcp leases and ssh hostkeys"
 mountdir=$(mktemp -d)
 mount "$loopback" "$mountdir"
- rm -rvf $mountdir/var/cache/apt/archives/* $mountdir/var/lib/dhcpcd5/* $mountdir/var/log/* $mountdir/var/tmp/* $mountdir/tmp/* $mountdir/etc/ssh/*_host_*
+ rm -rvf $mountdir/var/cache/apt/archives/* $mountdir/var/lib/dhcpcd5/* $mountdir/var/log/* $mountdir/var/tmp/* $mountdir/tmp/*
+ #check if openssh is enabled
+ if [[ -f "$mountdir/etc/systemd/system/multi-user.target.wants/ssh.service" ]]; then
+ if [[ -f "$mountdir/lib/systemd/system/regenerate_ssh_host_keys.service" ]] && [[ -d "$mountdir/etc/systemd/system/multi-user.target.wants" ]]; then
+ ln -s $mountdir/lib/systemd/system/regenerate_ssh_host_keys.service $mountdir/etc/systemd/system/multi-user.target.wants/regenerate_ssh_host_keys.service
+ info "host keys on disk remain but should regenerate on first boot."
+ else
+ #key regeneration relies on using the host to regenerate the keys
+ if ! command -v ssh-keygen &> /dev/null; then
+ info "WARNING: could not locate ssh-keygen command, keeping old keys"
+ else
+ if [ -c /dev/hwrng ]; then
+ dd if=/dev/hwrng of=/dev/urandom count=1 bs=4096 status=none
+ fi
+ rm -f $mountdir/etc/ssh/ssh_host_*_key*
+ info "regenerating ssh host keys"
+ ssh-keygen -A -f $mountdir > /dev/null
+ fi
+ fi
+ #check if dropbear is enabled
+ elif [[ -f "$mountdir/etc/init.d/dropbear" ]]; then
+ #key regeneration relies on using the host to regenerate the keys
+ if ! command -v dropbearkey &> /dev/null; then
+ info "WARNING: could not locate dropbearkey command, keeping old keys"
+ else
+ rm -f $mountdir/etc/dropbear/dropbear_*_host_key
+ info "regenerating dropbear keys"
+ dropbearkey -t rsa -f $mountdir/etc/dropbear/dropbear_rsa_host_key > /dev/null
+ dropbearkey -t ecdsa -f $mountdir/etc/dropbear/dropbear_ecdsa_host_key > /dev/null
+ dropbearkey -t ed25519 -f $mountdir/etc/dropbear/dropbear_ed25519_host_key > /dev/null
+ fi
+ fi
 umount "$mountdir"
 fi
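Review bot: The symlink created by `ln -s` in the systemd branch embeds the host-side `$mountdir` prefix in its target, so once the image is unmounted and booted the link points at a path that does not exist on the device, the regeneration unit never runs, and the old host keys stay on disk despite the `info` message that says they will regenerate. The target should be the path as seen from the image's own root, `ln -sf /lib/systemd/system/regenerate_ssh_host_keys.service "$mountdir/etc/systemd/system/multi-user.target.wants/regenerate_ssh_host_keys.service"` (the `-f` also covers the case where the unit is already enabled and `ln` would otherwise fail on an existing link). Separately, the `ssh-keygen -A` and `dropbearkey` fallbacks bake keys generated on the host into the image, so if that image is flashed to more than one device every device ends up with identical host keys, whereas the removed `rm` of `/etc/ssh/*_host_*` left each device to generate its own; that trade-off deserves a comment next to those branches, e.g. `# NOTE: keys generated here are shared by every device flashed from this image`. The `$mountdir` expansions in `ln`, `rm -f`, `ssh-keygen -f` and the three `dropbearkey -f` lines are unquoted while the `[[ -f ... ]]` tests above quote it; `"$mountdir"/etc/ssh/ssh_host_*_key*` keeps the glob working and is consistent. The enclosing `if [[ $prep == true ]]` block starts outside the hunk.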