diff --git a/modules/core/ssh-bootstrap.nix b/modules/core/ssh-bootstrap.nix
index d200510..dedf934 100644
--- a/modules/core/ssh-bootstrap.nix
+++ b/modules/core/ssh-bootstrap.nix
@@ -41,6 +41,8 @@ lib.mkIf userExists {
 };
 path = [ pkgs.openssh pkgs.coreutils ];
 script = ''
+ set -eu
+
 PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
 generate_factory_key() {
@@ -54,7 +56,7 @@ lib.mkIf userExists {
 generate_factory_key
 elif ! ssh-keygen -y -P "$PASSPHRASE" -f "${keyPath}" >/dev/null 2>&1; then
 echo "Existing factory SSH key does not match current passphrase; backing it up and generating a replacement."
- backup_suffix=$(date -u +%Y%m%d%H%M%S)
+ backup_suffix=$(date -u +%Y%m%d_%H%M%S)
 backup_path="${keyPath}.bak-$backup_suffix"
 backup_index=0
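Review bot: In the first hunk (`@@ -41,6 +41,8 @@`), the added `set -eu` aborts when `/var/lib/secrets/ssh-passphrase` cannot be read, but an empty file still gets through: `cat` succeeds and `PASSPHRASE` is set to the empty string, which `-u` does not reject. If `generate_factory_key` uses that value as the new key's passphrase (its body is outside the hunk), the factory key would be written unencrypted. A guard directly after the assignment closes this, e.g. `[ -n "$PASSPHRASE" ] || { echo "ssh-passphrase is empty" >&2; exit 1; }`. Separately, the unchanged `elif` line in the second hunk passes the secret as `-P "$PASSPHRASE"`, which puts it in ssh-keygen's argument list where other local processes may be able to read it; if that exposure is accepted, a comment saying so would help the next reader.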