diff --git a/endpoints/api/trigger.py b/endpoints/api/trigger.py
index 4788a6e65..8436d03db 100644
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@@ -20,6 +20,7 @@ from data import model
 from auth.permissions import UserAdminPermission, AdministerOrganizationPermission, ReadRepositoryPermission
 from util.names import parse_robot_username
 from util.dockerfileparse import parse_dockerfile
+from util.ssh import generate_ssh_keypair
 logger = logging.getLogger(__name__)
@@ -211,6 +212,9 @@ class BuildTriggerActivate(RepositoryParamResource):
 token = model.create_delegate_token(namespace, repository, token_name, 'write')
+ # Generate an SSH keypair
+ new_config_dict['public_key'], trigger.private_key = generate_ssh_keypair()
+
 try:
 path = url_for('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid)
 authed_url = _prepare_webhook_url(app.config['PREFERRED_URL_SCHEME'], '$token', token.code,
diff --git a/endpoints/trigger.py b/endpoints/trigger.py
index fe7e19250..4c5ead314 100644
--- a/endpoints/trigger.py
+++ b/endpoints/trigger.py
@@ -525,9 +525,7 @@ class GitHubBuildTrigger(BuildTrigger):
 msg = 'Unable to find GitHub repository for source: %s' % new_build_source
 raise TriggerActivationException(msg)
- # Generate an SSH keypair and add the public key to the repository.
- # TODO(jzelinskie): don't put this in the config! it's not secure!
- config['public_key'], config['private_key'] = generate_ssh_keypair()
+ # Add a deploy key to the GitHub repository.
 try:
 deploy_key = gh_repo.create_key('Quay.io Builder', config['public_key'])
 config['deploy_key_id'] = deploy_key.id
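Review bot: The added `trigger.private_key = ...` assignment in BuildTriggerActivate only protects the secret if the trigger row is saved afterwards and the field is never rendered back to API clients. Neither is visible in this hunk, as the method continues on both sides of it. It is worth confirming that whatever view serializes a trigger omits `private_key`, and whether the column is stored encrypted at rest. The bare comment `# Generate an SSH keypair` could carry the intent instead, for example `# Keep the private key on the trigger row; only the public key goes into the client-visible config.`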
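Review bot: `gh_repo.create_key('Quay.io Builder', config['public_key'])` now relies on the caller having put `public_key` into the config, and a caller that has not will hit a KeyError inside the `try:` whose handlers are outside this hunk. A guard before the `try:` would make the contract explicit: `if 'public_key' not in config: raise TriggerActivationException('Missing public key for deploy key')`. Separately, triggers activated before this change presumably still carry `private_key` in their stored config, and nothing in this diff removes it or points existing readers of `config['private_key']` at the new field. A data migration would be needed to finish the TODO that this hunk deletes. If `generate_ssh_keypair` is no longer used in this file, its import can be dropped as well.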