diff --git a/cmd/flux/bootstrap_git.go b/cmd/flux/bootstrap_git.go
index 243a8e3a18ee2afeb244b8ac3043286fd7faaeb5..9efd43e6dbb6edc31f284ebfcbcc788b18f27a06 100644
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -30,6 +30,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	cryptossh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/fluxcd/flux2/internal/bootstrap"
@@ -232,7 +233,20 @@ func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 		}, nil
 	case "ssh":
 		if bootstrapArgs.privateKeyFile != "" {
-			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
+			// TODO(hidde): replace custom logic with https://github.com/go-git/go-git/pull/298
+			//  once made available in go-git release.
+			bytes, err := ioutil.ReadFile(bootstrapArgs.privateKeyFile)
+			if err != nil {
+				return nil, err
+			}
+			signer, err := cryptossh.ParsePrivateKey(bytes)
+			if _, ok := err.(*cryptossh.PassphraseMissingError); ok {
+				signer, err = cryptossh.ParsePrivateKeyWithPassphrase(bytes, []byte(gitArgs.password))
+			}
+			if err != nil {
+				return nil, err
+			}
+			return &ssh.PublicKeys{Signer: signer, User: u.User.Username()}, nil
 		}
 		return nil, nil
 	default: