Index: src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php
===================================================================
--- src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php
+++ src/applications/drydock/blueprint/DrydockPreallocatedHostBlueprintImplementation.php
@@ -41,12 +41,12 @@
     // we have all the information we need.
     PhutilTypeSpec::checkMap(
       $resource->getAttributesForTypeSpec(
-        array('platform', 'host', 'port', 'user', 'path')),
+        array('platform', 'host', 'port', 'credential', 'path')),
       array(
         'platform' => 'string',
         'host' => 'string',
         'port' => 'string', // Value is a string from the command line
-        'user' => 'string',
+        'credential' => 'string',
         'path' => 'string',
       ));
     $v_platform = $resource->getAttribute('platform');
@@ -103,8 +103,7 @@
           ->setConfiguration(array(
             'host' => $resource->getAttribute('host'),
             'port' => $resource->getAttribute('port'),
-            'user' => $resource->getAttribute('user'),
-            'ssh-keyfile' => $resource->getAttribute('ssh-keyfile'),
+            'credential' => $resource->getAttribute('credential'),
             'platform' => $resource->getAttribute('platform')));
     }
 
Index: src/applications/drydock/interface/command/DrydockSSHCommandInterface.php
===================================================================
--- src/applications/drydock/interface/command/DrydockSSHCommandInterface.php
+++ src/applications/drydock/interface/command/DrydockSSHCommandInterface.php
@@ -22,23 +22,31 @@
     // NOTE: The "-t -t" is for psuedo-tty allocation so we can "sudo" on some
     // systems, but maybe more trouble than it's worth?
 
-    $keyfile = $this->getConfig('ssh-keyfile');
-    if (!empty($keyfile)) {
-      return new ExecFuture(
-        'ssh -t -t -o StrictHostKeyChecking=no -p %s -i %s %s@%s -- %s',
-        $this->getConfig('port'),
-        $this->getConfig('ssh-keyfile'),
-        $this->getConfig('user'),
-        $this->getConfig('host'),
-        $full_command);
-    } else {
-      return new ExecFuture(
-        'ssh -t -t -o StrictHostKeyChecking=no -p %s %s@%s -- %s',
-        $this->getConfig('port'),
-        $this->getConfig('user'),
-        $this->getConfig('host'),
-        $full_command);
+    $credential = id(new PassphraseCredentialQuery())
+      ->setViewer(PhabricatorUser::getOmnipotentUser())
+      ->withIDs(array($this->getConfig('credential')))
+      ->needSecrets(true)
+      ->executeOne();
+
+    // FIXME: We can't use text-based SSH files here because the TempFile goes
+    // out of scope after this function ends and thus the file gets removed
+    // before it can be used.
+    if ($credential->getCredentialType() !==
+      PassphraseCredentialTypeSSHPrivateKeyFile::CREDENTIAL_TYPE) {
+      throw new Exception("Only private key file credentials are supported.");
     }
+
+    $ssh_key = PassphraseSSHKey::loadFromPHID(
+      $credential->getPHID(),
+      PhabricatorUser::getOmnipotentUser());
+
+    return new ExecFuture(
+      'ssh -t -t -o StrictHostKeyChecking=no -p %s -i %s %s@%s -- %s',
+      $this->getConfig('port'),
+      $ssh_key->getKeyfileEnvelope()->openEnvelope(),
+      $credential->getUsername(),
+      $this->getConfig('host'),
+      $full_command);
   }
 
 }