diff --git a/docker/ci-runner/Dockerfile b/docker/ci-runner/Dockerfile
index 3d9c2b3..a125077 100644
--- a/docker/ci-runner/Dockerfile
+++ b/docker/ci-runner/Dockerfile
@@ -42,10 +42,7 @@ RUN true \
 USER guest
 RUN true \
     && mkdir ~guest/.cache && chmod 700 ~guest/.cache \
-    && mkdir ~guest/.ssh && chmod 700 ~guest/.ssh \
-    && mkdir ~guest/actions-runner \
-    && chown -R guest:guest ~guest \
-    && cd ~guest/actions-runner \
+    && mkdir ~guest/actions-runner && cd ~guest/actions-runner \
     && arch=$(dpkg --print-architecture) \
     && case "$arch" in \
       x86_64|amd64) arch=linux-x64 ;; \
diff --git a/docker/ci-runner/root/entrypoint.50-ssh-keys.sh b/docker/ci-runner/root/entrypoint.50-ssh-keys.sh
index da295c0..20ef418 100644
--- a/docker/ci-runner/root/entrypoint.50-ssh-keys.sh
+++ b/docker/ci-runner/root/entrypoint.50-ssh-keys.sh
@@ -1,13 +1,20 @@
 #!/bin/bash
 #
-# Puts SSH keys into the guest's home directory.
+# Puts SSH keys into the guest's and root's home directories.
 #
 set -u -e
 
+mkdir -p ~guest/.ssh && chmod 700 ~guest/.ssh
+mkdir -p ~root/.ssh && chmod 700 ~root/.ssh
+
 secret_file=/run/secrets/CI_STORAGE_PRIVATE_KEY
 if [[ -f "$secret_file" ]]; then
   cat "$secret_file" > ~guest/.ssh/id_rsa
+  cat "$secret_file" > ~root/.ssh/id_rsa
 fi
 
 chmod 600 ~guest/.ssh/* || true
 chown -R guest:guest ~guest/.ssh || true
+
+chmod 600 ~root/.ssh/* || true
+chown -R root:root ~root/.ssh || true