diff --git a/cmd/tk/create_source_git.go b/cmd/tk/create_source_git.go
index 694e0842..929f39f3 100644
--- a/cmd/tk/create_source_git.go
+++ b/cmd/tk/create_source_git.go
@@ -19,7 +19,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/fluxcd/toolkit/internal/ssh"
+	"github.com/fluxcd/toolkit/pkg/ssh"
 )
 
 var createSourceGitCmd = &cobra.Command{
diff --git a/internal/ssh/host_scan.go b/pkg/ssh/host_scan.go
similarity index 81%
rename from internal/ssh/host_scan.go
rename to pkg/ssh/host_scan.go
index 85d6720c..61844608 100644
--- a/internal/ssh/host_scan.go
+++ b/pkg/ssh/host_scan.go
@@ -9,6 +9,10 @@ import (
 	"golang.org/x/crypto/ssh/knownhosts"
 )
 
+// ScanHostKey collects the given host's preferred public key for the
+// algorithm of the given key pair. Any errors (e.g. authentication
+// failures) are ignored, except if no key could be collected from the
+// host.
 func ScanHostKey(host string, user string, pair *KeyPair) ([]byte, error) {
 	signer, err := ssh.ParsePrivateKey(pair.PrivateKey)
 	if err != nil {
diff --git a/internal/ssh/key_pair.go b/pkg/ssh/key_pair.go
similarity index 69%
rename from internal/ssh/key_pair.go
rename to pkg/ssh/key_pair.go
index f251c18c..bad4bf2e 100644
--- a/internal/ssh/key_pair.go
+++ b/pkg/ssh/key_pair.go
@@ -11,6 +11,7 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
+// KeyPair holds the public and private key PEM block bytes.
 type KeyPair struct {
 	PublicKey []byte
 	PrivateKey []byte
@@ -41,9 +42,13 @@ func (g *RSAGenerator) Generate() (*KeyPair, error) {
 	if err != nil {
 		return nil, err
 	}
+	priv, err := encodePrivateKeyToPEM(pk)
+	if err != nil {
+		return nil, err
+	}
 	return &KeyPair{
 		PublicKey: pub,
-		PrivateKey: encodePrivateKeyToPEM(pk),
+		PrivateKey: priv,
 	}, nil
 }
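Review bot: The new ScanHostKey comment explains which errors are ignored but not that the returned key is unauthenticated: the scan accepts whatever key the contacted host presents, so anything a caller persists from it is trust-on-first-use. Suggest appending `// The returned key is not verified against any trusted source; callers that store it as a known_hosts entry are trusting the first host reached.` It would also help to state the accepted form of `host` (with or without a port), since known_hosts matching is port-sensitive for non-default ports; the hunk does not show how host is normalized, so I cannot confirm this. ScanHostKey's body continues outside the hunk, and `pair` is dereferenced on its first line without a nil check — only worth a guard if callers can pass nil.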
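Review bot: The KeyPair comment describes both fields as PEM block bytes, but only PrivateKey is shown here to be PEM-encoded (via encodePrivateKeyToPEM); PublicKey comes from generatePublicKey, whose output format is not visible in this diff, so the comment may overstate. More useful to callers is that PrivateKey is an unencrypted PKCS#8 block and must be handled as a secret. Suggest `// KeyPair holds a generated key pair. PrivateKey is an unencrypted PKCS#8 PEM block and must be treated as a secret; PublicKey is the matching public key as produced by generatePublicKey.`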
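Review bot: The encoding error is returned bare in RSAGenerator.Generate, so callers see x509's message with no indication that it arose while generating a key; the ECDSAGenerator.Generate hunk that follows has the same shape. Wrapping keeps the chain inspectable with errors.Is/As while adding context: `return nil, fmt.Errorf("encoding private key to PEM: %w", err)` (whether fmt is already imported is not visible in this hunk). The opening lines of Generate, where pk is produced, are outside the hunk.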
@@ -64,9 +69,13 @@ func (g *ECDSAGenerator) Generate() (*KeyPair, error) {
 	if err != nil {
 		return nil, err
 	}
+	priv, err := encodePrivateKeyToPEM(pk)
+	if err != nil {
+		return nil, err
+	}
 	return &KeyPair{
 		PublicKey: pub,
-		PrivateKey: encodePrivateKeyToPEM(pk),
+		PrivateKey: priv,
 	}, nil
 }
@@ -79,11 +88,17 @@ func generatePublicKey(pk interface{}) ([]byte, error) {
 	return k, nil
 }
 
-func encodePrivateKeyToPEM(pk interface{}) []byte {
-	b, _ := x509.MarshalPKCS8PrivateKey(pk)
+// encodePrivateKeyToPEM encodes the given private key to a PEM block.
+// The encoded format is PKCS#8 for universal support of the most
+// common key types (rsa, ecdsa, ed25519).
+func encodePrivateKeyToPEM(pk interface{}) ([]byte, error) {
+	b, err := x509.MarshalPKCS8PrivateKey(pk)
+	if err != nil {
+		return nil, err
+	}
 	block := pem.Block{
 		Type: "PRIVATE KEY",
 		Bytes: b,
 	}
-	return pem.EncodeToMemory(&block)
+	return pem.EncodeToMemory(&block), nil
 }
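Review bot: The new encodePrivateKeyToPEM comment names the supported key types but not the concrete forms x509.MarshalPKCS8PrivateKey accepts — `*rsa.PrivateKey`, `*ecdsa.PrivateKey` and `ed25519.PrivateKey` by value rather than pointer — which is precisely the mismatch that the now-surfaced error will report, so stating it saves the next caller a round trip: `// pk must be *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey (by value).` The comment should also say the output is an unencrypted "PRIVATE KEY" block, so callers know the bytes are sensitive at rest and do not mistake it for an encrypted PKCS#8 container. Surfacing the marshal error is an improvement over the old `b, _ :=`, which would have produced a PEM block with an empty body that only failed later in ssh.ParsePrivateKey.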