diff --git a/ironic/api/controllers/v1/node.py b/ironic/api/controllers/v1/node.py index c14cdcfb00..b6b120a4d8 100644 --- a/ironic/api/controllers/v1/node.py +++ b/ironic/api/controllers/v1/node.py @@ -838,6 +838,14 @@ class Node(base.APIBase): if not show_driver_secrets and node.driver_info != wtypes.Unset: node.driver_info = strutils.mask_dict_password( node.driver_info, "******") + + # NOTE(derekh): mask ssh keys for the ssh power driver. + # As this driver is deprecated masking here (opposed to strutils) + # is simpler, and easier to backport. This can be removed along + # with support for the ssh power driver. + if node.driver_info.get('ssh_key_contents'): + node.driver_info['ssh_key_contents'] = "******" + if not show_instance_secrets and node.instance_info != wtypes.Unset: node.instance_info = strutils.mask_dict_password( node.instance_info, "******") diff --git a/ironic/tests/unit/api/v1/test_nodes.py b/ironic/tests/unit/api/v1/test_nodes.py index 917a952470..a3af99e7cb 100644 --- a/ironic/tests/unit/api/v1/test_nodes.py +++ b/ironic/tests/unit/api/v1/test_nodes.py @@ -1043,6 +1043,18 @@ class TestListNodes(test_api_base.BaseApiTest): # rpc_node lookup and pass that downwards mock_vdi.assert_called_once_with(mock.ANY, node.uuid, 'test-topic') + def test_ssh_creds_masked(self): + driver_info = {"ssh_password": "password", "ssh_key_contents": "key"} + node = obj_utils.create_test_node(self.context, + chassis_id=self.chassis.id, + driver_info=driver_info) + data = self.get_json( + '/nodes/%s' % node.uuid, + headers={api_base.Version.string: str(api_v1.MAX_VER)}) + + self.assertEqual("******", data["driver_info"]["ssh_password"]) + self.assertEqual("******", data["driver_info"]["ssh_key_contents"]) + class TestPatch(test_api_base.BaseApiTest): diff --git a/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml b/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml new file mode 100644 index 0000000000..20f86be420 --- /dev/null 
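Review bot: The added `if node.driver_info.get('ssh_key_contents'):` assigns into `node.driver_info` in place, so it is correct only when nested under the `not show_driver_secrets and node.driver_info != wtypes.Unset` branch and run after `strutils.mask_dict_password` has (presumably) returned a fresh dict. This page has lost the indentation, so that nesting should be confirmed against the file. At the outer level the `.get` would be called on an Unset value, and the key would also be hidden from callers who are allowed to see driver secrets. The NOTE comment should also state the scope of the mask, for example `# Only the top-level 'ssh_key_contents' entry is masked, and only in this API view of the node.`, since any other place that serialises driver_info is not covered by this hunk. The enclosing method starts and ends outside the hunk.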
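Review bot: `test_ssh_creds_masked` checks only the single-node GET at `api_v1.MAX_VER`, so it would still pass if the masking overwrote the stored key or if it also hid the key from a caller permitted to see driver secrets. A follow-up assertion that re-reads the node and finds `ssh_key_contents` still equal to `"key"` would pin that only the response is altered. A second request through the node list view would show the mask applies there too, assuming that view uses the same conversion, which is not visible here. The enclosing class `TestListNodes` starts outside the hunk.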
+++ b/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml
@@ -0,0 +1,4 @@
+---
+security:
+ - private ssh keys are now masked when using the ssh power driver
+ and node details are requested.