diff --git a/services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml b/services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
index 14e259f1..489f16fc 100644
--- a/services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
@@ -1,7 +1,8 @@
 # services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
 # One-off job for sso/metis-ssh-keys-secret-ensure-1.
 # Purpose: ensure Vault path maintenance/metis-ssh-keys exists for Metis key injection.
-# Migration behavior: if Vault path is missing, seed from existing maintenance/metis-ssh-keys Kubernetes Secret.
+# Migration behavior: if Vault path is missing/incomplete, seed from existing maintenance/metis-ssh-keys Kubernetes Secret.
+# Legacy key names are read as fallback, but only ananke_* keys are written.
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -65,8 +66,9 @@ spec:
 if [ "${read_status}" = "200" ]; then
 bastion_existing="$(jq -r '.data.data.bastion_pub // empty' /tmp/metis-ssh-read.json)"
 brad_existing="$(jq -r '.data.data.brad_pub // empty' /tmp/metis-ssh-read.json)"
- hecate_existing="$(jq -r '.data.data.hecate_tethys_pub // empty' /tmp/metis-ssh-read.json)"
- if [ -n "${bastion_existing}" ] && [ -n "${brad_existing}" ] && [ -n "${hecate_existing}" ]; then
+ ananke_tethys_existing="$(jq -r '.data.data.ananke_tethys_pub // .data.data.hecate_tethys_pub // empty' /tmp/metis-ssh-read.json)"
+ ananke_db_existing="$(jq -r '.data.data.ananke_db_pub // .data.data.hecate_db_pub // empty' /tmp/metis-ssh-read.json)"
+ if [ -n "${bastion_existing}" ] && [ -n "${brad_existing}" ] && [ -n "${ananke_tethys_existing}" ] && [ -n "${ananke_db_existing}" ]; then
 echo "Vault metis-ssh-keys already present"
 exit 0
 fi
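Review bot: The early-exit `if` now treats a Vault version that only carries the legacy `hecate_tethys_pub`/`hecate_db_pub` names as complete, because `ananke_tethys_existing` and `ananke_db_existing` are filled through the `//` fallback before the `-n` tests run; in that case the job prints "already present" and exits 0 without ever writing `ananke_tethys_pub`/`ananke_db_pub`, so the migration the header comment promises ("only ananke_* keys are written") never happens for precisely the secrets it is meant to migrate. Keep the fallback values for seeding but gate the early exit on the canonical names: add `ananke_tethys_canonical="$(jq -r '.data.data.ananke_tethys_pub // empty' /tmp/metis-ssh-read.json)"` and `ananke_db_canonical="$(jq -r '.data.data.ananke_db_pub // empty' /tmp/metis-ssh-read.json)"`, and test those two in the `if` instead of the `*_existing` variables. A one-line comment above the check would make the distinction explicit, e.g. `# Legacy hecate_* names only feed the seed write below; they do not count as "present".` The enclosing script starts before this hunk.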
@@ -78,9 +80,29 @@ spec:
 bastion_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.bastion_pub}' 2>/dev/null | base64 -d || true)"
 brad_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.brad_pub}' 2>/dev/null | base64 -d || true)"
- hecate_tethys_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.hecate_tethys_pub}' 2>/dev/null | base64 -d || true)"
+ ananke_tethys_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.ananke_tethys_pub}' 2>/dev/null | base64 -d || true)"
+ if [ -z "${ananke_tethys_pub}" ]; then
+ ananke_tethys_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.hecate_tethys_pub}' 2>/dev/null | base64 -d || true)"
+ fi
+ ananke_db_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.ananke_db_pub}' 2>/dev/null | base64 -d || true)"
+ if [ -z "${ananke_db_pub}" ]; then
+ ananke_db_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.hecate_db_pub}' 2>/dev/null | base64 -d || true)"
+ fi
- if [ -z "${bastion_pub}" ] || [ -z "${brad_pub}" ] || [ -z "${hecate_tethys_pub}" ]; then
+ if [ -z "${bastion_pub}" ] && [ -n "${bastion_existing:-}" ]; then
+ bastion_pub="${bastion_existing}"
+ fi
+ if [ -z "${brad_pub}" ] && [ -n "${brad_existing:-}" ]; then
+ brad_pub="${brad_existing}"
+ fi
+ if [ -z "${ananke_tethys_pub}" ] && [ -n "${ananke_tethys_existing:-}" ]; then
+ ananke_tethys_pub="${ananke_tethys_existing}"
+ fi
+ if [ -z "${ananke_db_pub}" ] && [ -n "${ananke_db_existing:-}" ]; then
+ ananke_db_pub="${ananke_db_existing}"
+ fi
+
+ if [ -z "${bastion_pub}" ] || [ -z "${brad_pub}" ] || [ -z "${ananke_tethys_pub}" ] || [ -z "${ananke_db_pub}" ]; then
 echo "Cannot seed Vault metis-ssh-keys: maintenance/metis-ssh-keys missing required keys" >&2
 exit 1
 fi
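Review bot: The precedence encoded by the four new fallback blocks is Kubernetes Secret first, existing Vault value second, so when the Vault read succeeded but the version was incomplete, every key Vault already holds is replaced on the upcoming write by whatever the Secret still contains; if a public key was rotated in Vault after the Secret stopped being maintained, this re-seeds the old key into an authorized-keys injection path, which re-admits a retired key. Since the header comment frames this as filling in missing/incomplete keys, the safer order is Vault value first and Secret only for keys Vault lacks, e.g. `bastion_pub="${bastion_existing:-${bastion_pub}}"` for each of the four, or at least an `echo` per key naming which source won so an operator can audit the seed. The `${*_existing:-}` guards suggest `set -u` is in effect, which is consistent with these variables being unset when the read was not 200 — worth stating in a comment above the first fallback: `# *_existing are only set when the Vault read returned 200; default to empty under set -u.` The script body continues outside this hunk.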
@@ -88,8 +110,9 @@ spec:
 payload="$(jq -nc \
 --arg bastion_pub "${bastion_pub}" \
 --arg brad_pub "${brad_pub}" \
- --arg hecate_tethys_pub "${hecate_tethys_pub}" \
- '{data:{bastion_pub:$bastion_pub,brad_pub:$brad_pub,hecate_tethys_pub:$hecate_tethys_pub}}')"
+ --arg ananke_tethys_pub "${ananke_tethys_pub}" \
+ --arg ananke_db_pub "${ananke_db_pub}" \
+ '{data:{bastion_pub:$bastion_pub,brad_pub:$brad_pub,ananke_tethys_pub:$ananke_tethys_pub,ananke_db_pub:$ananke_db_pub}}')"
 write_status="$(curl -sS -o /tmp/metis-ssh-write.json -w "%{http_code}" -X POST \
 -H "X-Vault-Token: ${vault_token}" \
 -H 'Content-Type: application/json' \
diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml
index 8dd682a6..f72d965f 100644
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
@@ -31,8 +31,8 @@ spec:
 vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
 {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
 export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
- export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub "" }}"
- export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub "" }}"
+ export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub .Data.data.hecate_tethys_pub "" }}"
+ export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub "" }}"
 {{ end }}
 spec:
 serviceAccountName: metis
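Review bot: The four values passed via `--arg` into `payload` are written to Vault with no check that they are SSH public keys, and with the new fallback chain each one may now originate from a legacy Secret key, an existing Vault version, or the new Secret key, so a mis-decoded blob or a multi-line value is stored and later exported into the Metis environment unchallenged. Validate the merged result once, right before the `jq -nc` call, rejecting anything that does not look like an authorized_keys entry; the helper below is POSIX `sh` and exits non-zero on the first bad key (extend the pattern list if other key types are in use). A KV v2 POST also replaces the whole data map, so the legacy `hecate_*` names (and any other key in the current version) are dropped by this write — that matches the header comment, but deserves a comment above `payload=`: `# Full replace of the KV v2 data map: legacy hecate_* keys are intentionally not carried over.` The write URL is outside this hunk, so confirm it targets the kv/data path.
```shell
# Refuse to store anything that is not an authorized_keys-style public key.
# Values may come from a legacy Secret key, an existing Vault version or the
# new Secret key, so validate the merged result rather than each source.
require_pubkey() {
  case "$2" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-*) ;;
    *) echo "${1} is not an SSH public key" >&2; exit 1 ;;
  esac
}
require_pubkey bastion_pub "${bastion_pub}"
require_pubkey brad_pub "${brad_pub}"
require_pubkey ananke_tethys_pub "${ananke_tethys_pub}"
require_pubkey ananke_db_pub "${ananke_db_pub}"
payload="$(jq -nc \
# … unchanged: --arg list, jq filter and the curl write …
```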
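Review bot: Both new `export` lines interpolate the Vault value into a double-quoted shell string, so a value containing `"`, `$(` or a backtick — the comment field of an OpenSSH public key is free text — is executed by the shell when `metis-ssh-env.sh` is sourced, and the `or` fallback widens the set of Vault keys whose content reaches that line. Emit a single-quoted literal with embedded quotes escaped instead, e.g. `export METIS_SSH_KEY_ANANKE_DB='{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub "" | replaceAll "'" "'\\''" }}'` (consul-template's `replaceAll` takes the piped value as its last argument — confirm against the agent version the injector runs), and apply the same treatment to the unchanged `METIS_SSH_KEY_BRAD` line. The legacy fallback also hides whether the ensure job has actually migrated the path, so leave a pointer that it is temporary: `# TODO: drop the hecate_* fallback once metis-ssh-keys-secret-ensure has written ananke_* keys everywhere.`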