diff --git a/pkg/bastion/ssh.go b/pkg/bastion/ssh.go
index 540276f..f99b486 100644
--- a/pkg/bastion/ssh.go
+++ b/pkg/bastion/ssh.go
@@ -190,6 +190,9 @@ func ChannelHandler(srv *ssh.Server, conn *gossh.ServerConn, newChan gossh.NewCh
 func bastionClientConfig(ctx ssh.Context, host *dbmodels.Host) (*gossh.ClientConfig, error) {
 actx := ctx.Value(authContextKey).(*authContext)

+ crypto.HostDecrypt(actx.aesKey, host)
+ crypto.SSHKeyDecrypt(actx.aesKey, host.SSHKey)
+
 clientConfig, err := host.ClientConfig(dynamicHostKey(actx.db, host))
 if err != nil {
 return nil, err
@@ -208,9 +211,6 @@ func bastionClientConfig(ctx ssh.Context, host *dbmodels.Host) (*gossh.ClientCon
 return nil, err2
 }

- crypto.HostDecrypt(actx.aesKey, host)
- crypto.SSHKeyDecrypt(actx.aesKey, host.SSHKey)
-
 switch action {
 case string(dbmodels.ACLActionAllow):
 case string(dbmodels.ACLActionDeny):
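Review bot: The two decrypt calls added at the top of bastionClientConfig discard whatever they return, so a failed decryption (wrong AES key, corrupted ciphertext) would let `host.ClientConfig` build its auth methods from undecrypted material and surface only later as an opaque authentication failure. Their signatures are not visible in this hunk; if they return an error, check it, e.g. `if err := crypto.HostDecrypt(actx.aesKey, host); err != nil { return nil, err }`, and do the same for `crypto.SSHKeyDecrypt`. Moving the calls up also means the host secrets are decrypted in place on `host` before the allow/deny `switch action` further down runs, so a session that ends up denied now leaves plaintext credentials on the struct; a short comment such as `// decrypt before ClientConfig, which reads the key material` would record why the order matters. It looks like `host.SSHKey` could be nil for hosts that authenticate by password, which is worth confirming now that the call is unconditional on every path. The function body continues outside the hunk.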