diff --git a/buildserver/Vagrantfile b/buildserver/Vagrantfile
index 5a420b62..57509ffe 100644
--- a/buildserver/Vagrantfile
+++ b/buildserver/Vagrantfile
@@ -77,6 +77,8 @@ Vagrant.configure("2") do |config|
       owner: 'root', group: 'root', create: true
   end
 
+  config.vm.provision "shell", name: "vagrant-insecure-private-key",
+    path: "provision-vagrant-insecure-private-key"
   config.vm.provision "shell", name: "setup-env-vars", path: "setup-env-vars",
     args: ["/opt/android-sdk"]
   config.vm.provision "shell", name: "apt-get-install", path: "provision-apt-get-install",
diff --git a/buildserver/provision-vagrant-insecure-private-key b/buildserver/provision-vagrant-insecure-private-key
new file mode 100755
index 00000000..b6ed681e
--- /dev/null
+++ b/buildserver/provision-vagrant-insecure-private-key
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+#
+# Vagrant uses the "insecure private key" to establish the first SSH
+# connection to a new VM based on a clean public box.  In theory, the
+# `vagrant package` command should do that automatically.  This
+# process is still using custom code instead of `vagrant package`,
+# hence this script.
+#
+# https://gitlab.com/fdroid/fdroid-bootstrap-buildserver/-/issues/12
+# https://www.vagrantup.com/docs/vagrantfile/ssh_settings#config-ssh-private_key_path
+#
+# This public key can be generated using:
+#   ssh-keygen -y -f  ~/.vagrant.d/insecure_private_key
+
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== ~/.vagrant.d/insecure_private_key" > /home/vagrant/.ssh/authorized_keys
+chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys
+chmod 600 /home/vagrant/.ssh/authorized_keys