diff --git a/src/blobs.js b/src/blobs.js
index 5e0aaca6a..76036914c 100644
--- a/src/blobs.js
+++ b/src/blobs.js
@@ -80,16 +80,16 @@ async function initSecrets() {
 if (!sftpPrivateKey || !sftpPublicKey) {
 debug('initSecrets: generate sftp keys');
 if (constants.TEST) {
- safe.fs.unlinkSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key.pub`);
- safe.fs.unlinkSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key`);
+ safe.fs.unlinkSync(paths.SFTP_PUBLIC_KEY_FILE);
+ safe.fs.unlinkSync(paths.SFTP_PRIVATE_KEY_FILE);
 }
 if (!safe.child_process.execSync(`ssh-keygen -m PEM -t rsa -f "${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key" -q -N ""`)) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ssh keys: ${safe.error.message}`);
- sftpPublicKey = safe.fs.readFileSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key.pub`);
+ sftpPublicKey = safe.fs.readFileSync(paths.SFTP_PUBLIC_KEY_FILE);
 await set(exports.SFTP_PUBLIC_KEY, sftpPublicKey);
- sftpPrivateKey = safe.fs.readFileSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key`);
+ sftpPrivateKey = safe.fs.readFileSync(paths.SFTP_PRIVATE_KEY_FILE);
 await set(exports.SFTP_PRIVATE_KEY, sftpPrivateKey);
- } else if (!safe.fs.existsSync(paths.SFTP_PUBLIC_KEY) || !safe.fs.existsSync(paths.SFTP_PRIVATE_KEY)) {
- if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`);
- if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY, sftpPrivateKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`);
+ } else if (!safe.fs.existsSync(paths.SFTP_PUBLIC_KEY_FILE) || !safe.fs.existsSync(paths.SFTP_PRIVATE_KEY_FILE)) {
+ if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY_FILE, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`);
+ if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`);
 }
 }
diff --git a/src/paths.js b/src/paths.js
index 56a7dc6d7..7268194f0 100644
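Review bot: The SFTP host private key is written back to disk with default permissions: in the `else if` branch, `safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey)` passes no mode, so a newly created file is only as restricted as the process umask makes it. I would create it owner-only, e.g. `safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey, { mode: 0o600 })`, assuming the `safe.fs` wrapper forwards the options argument to `fs.writeFileSync`. Separately, the unchanged `ssh-keygen -f "${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key"` line still assembles the same path by hand; passing `paths.SFTP_PRIVATE_KEY_FILE` there would keep the generate, read and restore paths from drifting apart. The body of initSecrets begins before this hunk, so how the key directory itself is created and permissioned is not visible here.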
--- a/src/paths.js
+++ b/src/paths.js
@@ -42,6 +42,8 @@ exports = module.exports = {
 PROXY_AUTH_TOKEN_SECRET_FILE: path.join(baseDir(), 'platformdata/proxy-auth-token-secret'),
 VERSION_FILE: path.join(baseDir(), 'platformdata/VERSION'),
 SFTP_KEYS_DIR: path.join(baseDir(), 'platformdata/sftp/ssh'),
+ SFTP_PUBLIC_KEY_FILE: path.join(baseDir(), 'platformdata/sftp/ssh/ssh_host_rsa_key.pub'),
+ SFTP_PRIVATE_KEY_FILE: path.join(baseDir(), 'platformdata/sftp/ssh/ssh_host_rsa_key'),
 // this is not part of appdata because an icon may be set before install
 MAIL_DATA_DIR: path.join(baseDir(), 'boxdata/mail'),