diff --git a/internal/api/config_handlers.go b/internal/api/config_handlers.go
index bdb9a2109..0bcb2b5b8 100644
--- a/internal/api/config_handlers.go
+++ b/internal/api/config_handlers.go
@@ -3616,6 +3616,28 @@ if command -v pct >/dev/null 2>&1 && [ "$TEMPERATURE_ENABLED" = true ]; then
 if "$PROXY_INSTALLER" --ctid "$PULSE_CTID" 2>&1; then
 echo ""
 echo "✓ pulse-sensor-proxy installed successfully"
+ echo ""
+
+ # Clean up old container-based SSH keys from nodes
+ echo "Cleaning up legacy SSH keys from cluster nodes..."
+ CLEANUP_NODES=""
+ if [ "$TEMPERATURE_ENABLED" = true ]; then
+ CLEANUP_NODES="$(hostname)"
+ fi
+ if [ -n "${OTHER_NODES_LIST+x}" ] && [ ${#OTHER_NODES_LIST[@]} -gt 0 ]; then
+ CLEANUP_NODES="$CLEANUP_NODES ${OTHER_NODES_LIST[*]}"
+ fi
+
+ for NODE in $CLEANUP_NODES; do
+ if [ -n "$NODE" ] && [ -n "$SSH_PUBLIC_KEY" ]; then
+ # Remove the old pulse@ keys (but not pulse-sensor-proxy keys)
+ ssh -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 -o LogLevel=ERROR \
+ root@"$NODE" \
+ "sed -i '/$SSH_PUBLIC_KEY/d' /root/.ssh/authorized_keys 2>/dev/null || true" \
+ >/dev/null 2>&1 && echo " ✓ Cleaned up legacy key on $NODE" || true
+ fi
+ done
+
 echo ""
 echo "Temperature monitoring will now use the secure proxy architecture."
 echo "SSH keys are stored on the host, not inside the container."
diff --git a/scripts/install-sensor-proxy.sh b/scripts/install-sensor-proxy.sh
index 33b2f42ce..9f83015b2 100755
--- a/scripts/install-sensor-proxy.sh
+++ b/scripts/install-sensor-proxy.sh
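Review bot: The sed address `'/$SSH_PUBLIC_KEY/d'` embeds the raw key as an unescaped basic-regex pattern, and OpenSSH public keys are base64 that routinely contains `/`, so on most real keys the address terminates early, sed fails, the remote `2>/dev/null || true` and the local `>/dev/null 2>&1` hide that, and `&& echo " ✓ Cleaned up legacy key on $NODE"` still prints because ssh exits 0. Match the exact line as a fixed string instead, e.g. `grep -vxF -- '$SSH_PUBLIC_KEY' /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.tmp && mv /root/.ssh/authorized_keys.tmp /root/.ssh/authorized_keys`, and drop the remote `|| true` so the local `&&` reflects the real result (if SSH_PUBLIC_KEY holds only the key body rather than the full authorized_keys line, use `-vF` without `-x`). `StrictHostKeyChecking=no` also accepts a changed host key on every node without any signal; if earlier installer steps have already connected to these nodes their keys are presumably in known_hosts, and the default or `StrictHostKeyChecking=accept-new` gives the same non-interactive behaviour without that exposure. The `if command -v pct ... then` block this runs inside begins before the hunk.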
@@ -281,6 +281,26 @@
 else
 exit 1
 fi
+# Check for and remove legacy SSH keys from container
+print_info "Checking for legacy SSH keys in container..."
+LEGACY_KEYS_FOUND=false
+for key_type in id_rsa id_dsa id_ecdsa id_ed25519; do
+ if pct exec "$CTID" -- test -f "/root/.ssh/$key_type" 2>/dev/null; then
+ LEGACY_KEYS_FOUND=true
+ print_warn "Found legacy SSH key: /root/.ssh/$key_type"
+ pct exec "$CTID" -- rm -f "/root/.ssh/$key_type" "/root/.ssh/${key_type}.pub"
+ print_info " Removed /root/.ssh/$key_type (proxy will handle SSH)"
+ fi
+done
+
+if [ "$LEGACY_KEYS_FOUND" = true ]; then
+ print_info ""
+ print_info "${YELLOW}Legacy SSH keys removed from container${NC}"
+ print_info "The proxy on the host now handles all SSH connections"
+ print_info "This improves security by keeping keys outside the container"
+ print_info ""
+fi
+
 print_info "${GREEN}Installation complete!${NC}"
 print_info ""
 print_info "Temperature monitoring will now use the secure host-side proxy"
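Review bot: The result of `pct exec "$CTID" -- rm -f "/root/.ssh/$key_type" "/root/.ssh/${key_type}.pub"` is never checked, so `print_info " Removed /root/.ssh/$key_type (proxy will handle SSH)"` and the later "Legacy SSH keys removed from container" summary are printed even when the deletion failed and the private key is still inside the container. Gate the message on the command: `if pct exec "$CTID" -- rm -f "/root/.ssh/$key_type" "/root/.ssh/${key_type}.pub"; then print_info " Removed /root/.ssh/$key_type (proxy will handle SSH)"; else print_warn "Could not remove /root/.ssh/$key_type"; fi`. The `test -f ... 2>/dev/null` guard also folds a failing `pct exec` itself (for instance a container that is not running) into "no legacy key found", so a key left behind would go unreported; reporting a non-zero pct exit separately from a missing file would make that visible, though whether the script has already verified the container is running is not visible in this hunk.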