diff --git a/nexus/Cargo.lock b/nexus/Cargo.lock
index d8d8607cb3..d695dece8e 100644
--- a/nexus/Cargo.lock
+++ b/nexus/Cargo.lock
@@ -3155,6 +3155,7 @@ name = "postgres-connection" version = "0.1.0" dependencies = [ "anyhow", + "base64 0.22.1", "futures-util", "pt", "rustls 0.23.32",
diff --git a/nexus/catalog/src/lib.rs b/nexus/catalog/src/lib.rs
index b92d7773ca..eed1ca23d0 100644
--- a/nexus/catalog/src/lib.rs
+++ b/nexus/catalog/src/lib.rs
@@ -389,9 +389,15 @@ impl Catalog {
 .pg
 .prepare_typed(
 "INSERT INTO flows (name, source_peer, destination_peer, description,
- query_string, flow_metadata) VALUES ($1, $2, $3, $4, $5, $6, $7)",
- &[types::Type::TEXT, types::Type::INT4, types::Type::INT4, types::Type::TEXT, types::Type::TEXT, types::Type::JSONB],
+ query_string, flow_metadata) VALUES ($1, $2, $3, $4, $5, $6)",
+ &[
+ types::Type::TEXT,
+ types::Type::INT4,
+ types::Type::INT4,
+ types::Type::TEXT,
+ types::Type::TEXT,
+ types::Type::JSONB,
+ ],
 )
 .await?;
diff --git a/nexus/postgres-connection/Cargo.toml b/nexus/postgres-connection/Cargo.toml
index 679ead60e8..184df1c8a2 100644
--- a/nexus/postgres-connection/Cargo.toml
+++ b/nexus/postgres-connection/Cargo.toml
@@ -7,6 +7,7 @@ edition = "2024"
 
 [dependencies]
 anyhow = "1"
+base64 = "0.22"
 futures-util = { version = "0.3", default-features = false, features = ["io"] }
 pt = { path = "../pt" }
 rustls = { version = "0.23", default-features = false, features = ["aws-lc-rs"] }
@@ -18,3 +19,4 @@ tokio-util = { version = "0.7", features = ["compat"] }
 tokio-stream = "0.1"
 tracing.workspace = true
 urlencoding = "2"
+
diff --git a/nexus/postgres-connection/src/lib.rs b/nexus/postgres-connection/src/lib.rs
index fefe443120..8d1f302296 100644
--- a/nexus/postgres-connection/src/lib.rs
+++ b/nexus/postgres-connection/src/lib.rs
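Review bot: The placeholder list now matches the six columns and the six-entry type array, but nothing stops the three from drifting apart again — `prepare_typed` only reports a placeholder/type-count mismatch at runtime when flow creation is actually exercised, which is presumably how the stray `$7` survived. Consider adding an integration test that calls the enclosing method against a catalog database so that a column, placeholder or type-array mismatch fails in CI rather than on first use in production. The enclosing method starts and ends outside the hunk.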
@@ -1,3 +1,4 @@
+use base64::Engine;
 use pt::peerdb_peers::{PostgresConfig, SshConfig};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use rustls::{ClientConfig, DigitallySignedStruct, RootCertStore, SignatureScheme};
@@ -94,7 +95,21 @@ pub async fn create_tunnel(
 session.userauth_password(&ssh_config.user, &ssh_config.password)?;
 }
 if !ssh_config.private_key.is_empty() {
- session.userauth_pubkey_memory(&ssh_config.user, None, &ssh_config.private_key, None)?;
+ let private_key_bytes = base64::engine::general_purpose::STANDARD
+ .decode(&ssh_config.private_key)
+ .map_err(|e| {
+ io::Error::new(
+ io::ErrorKind::InvalidData,
+ format!("Failed to decode private key: {e}"),
+ )
+ })?;
+ let private_key = str::from_utf8(private_key_bytes.as_slice()).map_err(|e| {
+ io::Error::new(
+ io::ErrorKind::InvalidData,
+ format!("Invalid UTF-8 in private key: {e}"),
+ )
+ })?;
+ session.userauth_pubkey_memory(&ssh_config.user, None, private_key, None)?;
 }
 if !ssh_config.host_key.is_empty() {
 let mut known_hosts = session.known_hosts()?;
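Review bot: Decoding `ssh_config.private_key` unconditionally with the STANDARD engine turns every already-stored raw PEM key into a hard failure — the removed line passed the string straight to `userauth_pubkey_memory`, and `-----BEGIN` contains `-`, which is not a base64 symbol, so such configs would now die with "Failed to decode private key" before any SSH traffic. As I read base64 0.22, STANDARD also rejects embedded line breaks and non-canonical padding, so a value produced by a wrapping `base64` tool fails the same way; unless a migration of stored peers accompanies this change, I would accept both forms by sniffing the PEM header and strip ASCII whitespace before decoding, as sketched below. Separately, the decoded key now lives in a second plain `Vec<u8>`/`&str` copy (`private_key_bytes`) that is never wiped after authentication; if the workspace already has a zeroizing buffer type, consider using it here, otherwise at least a comment noting the copy is worthwhile. The error strings only carry the decoder's position information, not key bytes, which is fine. `create_tunnel` begins and ends outside the hunk.
```rust
    if !ssh_config.private_key.is_empty() {
        // Accept a raw PEM key (the pre-existing format) as well as a base64-wrapped
        // one, and drop whitespace that the STANDARD engine would otherwise reject.
        let raw = ssh_config.private_key.trim();
        let decoded;
        let private_key: &str = if raw.starts_with("-----BEGIN") {
            raw
        } else {
            let compact: String = raw.chars().filter(|c| !c.is_ascii_whitespace()).collect();
            decoded = base64::engine::general_purpose::STANDARD
                .decode(compact)
                .map_err(|e| {
                    io::Error::new(
                        io::ErrorKind::InvalidData,
                        format!("Failed to decode private key: {e}"),
                    )
                })?;
            str::from_utf8(&decoded).map_err(|e| {
                io::Error::new(
                    io::ErrorKind::InvalidData,
                    format!("Invalid UTF-8 in private key: {e}"),
                )
            })?
        };
        session.userauth_pubkey_memory(&ssh_config.user, None, private_key, None)?;
    }
    // … unchanged: host_key / known_hosts handling …
```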