diff --git a/.gitignore b/.gitignore
index c47965c..f29c475 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,14 @@
 /vendor
 /node_modules
 .env
+
+# SSH Keys - Never commit private keys
+*.ppk
+*.pem
+*.key
+id_rsa
+id_dsa
+id_ecdsa
+id_ed25519
+_key/
+.ssh/
diff --git a/SSH_KEYS_SETUP.md b/SSH_KEYS_SETUP.md
new file mode 100644
index 0000000..5fefae2
--- /dev/null
+++ b/SSH_KEYS_SETUP.md
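Review bot: Adding `_key/` and `*.ppk` to .gitignore only stops future tracking; it does not remove a key that was already committed, and the path this commit removes from config/filesystems.php (`/var/www/html/_key/instance2/root.ppk`) suggests such a key lived inside the repo tree. If it was ever checked in it is still in history and should be treated as compromised: rotate it on the SFTP host first, then purge it with `git filter-repo` (or BFG) and force-push, and confirm `git ls-files _key` comes back empty. Note also that `*.pem` and `*.key` will hide public certificates and any other file with those extensions; add `!*.pub` or narrower paths if the project ships any legitimately.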
@@ -0,0 +1,125 @@ +# SSH Keys Setup Guide + +## Security Notice + +SSH private keys (.ppk, .pem, id_rsa, etc.) should **NEVER** be: +- Stored in the application directory +- Committed to git repositories +- Placed in web-accessible locations + +## Recommended Setup + +### 1. Create Secure Keys Directory on Server + +```bash +# On your production server +sudo mkdir -p /var/crew-keys +sudo chmod 700 /var/crew-keys +``` + +### 2. Place Your SSH Key + +```bash +# Copy your key to the secure location +sudo cp /path/to/your/root.ppk /var/crew-keys/ +sudo chmod 600 /var/crew-keys/root.ppk +sudo chown root:root /var/crew-keys/root.ppk +``` + +### 3. Verify Permissions + +```bash +ls -la /var/crew-keys/ +# Should show: drwx------ (700) for directory +# Should show: -rw------- (600) for key file +``` + +## Docker Configuration + +The `docker-compose.prod.yml` and `docker-compose.dev.yml` files are configured to mount `/var/crew-keys` as a **read-only** volume: + +```yaml +volumes: + - /var/crew-keys:/var/keys:ro +``` + +The `:ro` flag ensures the container can only read the keys, not modify them. + +## Application Configuration + +The [config/filesystems.php](config/filesystems.php) references the key at: + +```php +'privateKey' => '/var/keys/root.ppk', +``` + +This path is inside the container and maps to `/var/crew-keys/root.ppk` on the host. + +## Testing + +To verify the SFTP connection works: + +```bash +docker exec crewsportswear_app_prod php -r " +use League\Flysystem\Sftp\SftpAdapter; +try { + \$adapter = new SftpAdapter([ + 'host' => '35.232.234.8', + 'port' => 22, + 'username' => 'root', + 'privateKey' => '/var/keys/root.ppk', + 'root' => '/var/www/html/images', + 'timeout' => 10, + ]); + echo 'SFTP connection: SUCCESS'; +} catch (Exception \$e) { + echo 'SFTP connection failed: ' . 
\$e->getMessage(); +} +" +``` + +## Troubleshooting + +### Permission Denied + +If you get permission errors: + +```bash +# Fix directory permissions +sudo chmod 700 /var/crew-keys + +# Fix key file permissions +sudo chmod 600 /var/crew-keys/root.ppk +``` + +### Key Format Issues + +PuTTY keys (.ppk) may need conversion for Linux/PHP: + +```bash +# Convert .ppk to OpenSSH format +puttygen root.ppk -O private-openssh -o /var/crew-keys/root.pem +chmod 600 /var/crew-keys/root.pem +``` + +Then update `filesystems.php`: +```php +'privateKey' => '/var/keys/root.pem', +``` + +## Security Best Practices + +✅ **DO:** +- Store keys outside application directory +- Use restrictive permissions (600 for files, 700 for directories) +- Mount as read-only in Docker +- Keep keys out of version control +- Use SSH key authentication instead of passwords +- Rotate keys regularly + +❌ **DON'T:** +- Commit keys to git +- Store in web-accessible directories +- Use world-readable permissions +- Share keys across multiple services +- Use password-protected keys without proper passphrase management diff --git a/config/filesystems.php b/config/filesystems.php index e01d24a..5755f47 100644 --- a/config/filesystems.php +++ b/config/filesystems.php @@ -77,7 +77,7 @@ return [ 'port' => 22, 'username' => 'root', 'password' => '', - 'privateKey' => '/var/www/html/_key/instance2/root.ppk', + 'privateKey' => '/var/keys/root.ppk', 'root' => '/var/www/html/images', 'timeout' => 10 ], diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 6285434..3a43dd6 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -31,6 +31,7 @@ services: volumes: - ./storage:/var/www/html/storage - ./public/uploads:/var/www/html/public/uploads + - /var/crew-keys:/var/keys:ro labels: - "traefik.enable=true" # Development environment (dev.crewsportswear.app) diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 54fb5b4..062c758 100644 --- a/docker-compose.prod.yml 
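Review bot: The new `'privateKey' => '/var/keys/root.ppk'` keeps the key location hard-coded in config and still points at a PuTTY-format file, which this commit's own SSH_KEYS_SETUP.md says may need converting to OpenSSH format before PHP can load it; if this is a Laravel config, read it from the environment instead, `'privateKey' => env('SFTP_PRIVATE_KEY', '/var/keys/root.pem'),`, so dev and prod can differ without a code change and the configured format matches what is actually mounted. The connection still authenticates as `'username' => 'root'` while only needing `'root' => '/var/www/html/images'`; a dedicated SFTP account chrooted to that directory would bound what a leaked key can do. The `'password' => ''` entry is dead once key auth is in use and could be dropped. The enclosing `return [...]` array starts and ends outside the hunk.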
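Review bot: The dev compose file mounts the same host path `/var/crew-keys` as production, so if dev runs on the same host (the label references dev.crewsportswear.app) the dev container reads the production SFTP root key — the setup guide in this commit itself lists sharing keys across services as a don't. Give dev its own key pair and SFTP account and point the mount at a dev-only location, e.g. `- /var/crew-keys-dev:/var/keys:ro`, or parameterise the host side as `${SFTP_KEY_DIR:-/var/crew-keys-dev}`. The service definition begins and ends outside the hunk.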
+++ b/docker-compose.prod.yml
@@ -31,6 +31,7 @@ services:
 volumes:
 - ./storage:/var/www/html/storage
 - ./public/uploads:/var/www/html/public/uploads
+ - /var/crew-keys:/var/keys:ro
 labels:
 - "traefik.enable=true"
 # Production environment (crewsportswear.com) - Uses paid SSL certificate
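Review bot: The bind mount exposes the whole `/var/crew-keys` directory rather than the single key file the app needs, and the accompanying guide tells operators to leave that file `root:root` mode 600 — if the PHP process in the container runs as an unprivileged user (commonly www-data, UID 33; not visible here) it will get a permission error, and if the container runs as root to avoid that, `:ro` only prevents writes and every key dropped in that directory becomes readable. Mount just the file, `- /var/crew-keys/root.pem:/var/keys/root.pem:ro`, and chown it on the host to the UID the container's PHP process actually runs as (or add a `user:` entry / Docker secret so ownership and runtime user agree). Keeping `:ro` is the right call. The service block starts before the hunk.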