diff --git a/app/services/realtime_audit_service.py b/app/services/realtime_audit_service.py
index fe0a0f0..b0d73f1 100644
--- a/app/services/realtime_audit_service.py
+++ b/app/services/realtime_audit_service.py
@@ -18,15 +18,20 @@ DNS_SUFFIXES = ["", ".mpcz.fr", ".sanef.groupe", ".sanef-rec.fr", ".sanef.fr"]
 def _get_ssh_settings():
- """Lit les settings SSH depuis app_secrets dans la DB."""
+ """Lit les settings SSH depuis app_secrets dans la DB.
+ Retourne (key_material, user). key_material peut etre un chemin (legacy)
+ ou le contenu PEM (nouveau)."""
 try:
 from .secrets_service import get_secret
 from ..database import SessionLocal
 db = SessionLocal()
- key_path = get_secret(db, "ssh_key_file") or SSH_KEY_DEFAULT
- user = get_secret(db, "ssh_user") or SSH_USER_DEFAULT
+ # Nouveau: contenu PEM direct
+ key_material = get_secret(db, "ssh_key_private_key")
+ if not key_material:
+ key_material = get_secret(db, "ssh_key_file") or SSH_KEY_DEFAULT
+ user = get_secret(db, "ssh_key_default_user") or get_secret(db, "ssh_user") or SSH_USER_DEFAULT
 db.close()
- return key_path, user
+ return key_material, user
 except Exception:
 return SSH_KEY_DEFAULT, SSH_USER_DEFAULT
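Review bot: `_get_ssh_settings()` now returns either a filesystem path or the private key's PEM text in the same tuple slot, so every caller has to guess which one it received, and any caller that still logs the value or puts it in an error message (none is visible in this hunk) would now write the private key out. Returning an explicit kind next to the value, for example `return ("pem", key_material), user` and `return ("path", key_material), user`, removes the guessing at the call site. Separately, `db.close()` is skipped when one of the `get_secret` calls raises, and the `except Exception:` then silently falls back to `SSH_KEY_DEFAULT`/`SSH_USER_DEFAULT`; closing the session in a `finally:` and logging the exception type (never the key material) would make a failed secret lookup visible instead of quietly switching identity.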
@@ -78,11 +83,26 @@ def _connect(target):
 ssh_key, ssh_user = _get_ssh_settings()
- # 1. Essai clé SSH depuis settings
- if os.path.exists(ssh_key):
- for loader in [paramiko.Ed25519Key.from_private_key_file, paramiko.RSAKey.from_private_key_file, paramiko.ECDSAKey.from_private_key_file]:
+ # 1. Essai clé SSH depuis settings (contenu PEM ou chemin legacy)
+ key_sources = []
+ if ssh_key and "BEGIN" in ssh_key and "PRIVATE KEY" in ssh_key:
+ from io import StringIO
+ key_sources = [("content", ssh_key)]
+ elif ssh_key and os.path.exists(ssh_key):
+ key_sources = [("file", ssh_key)]
+
+ for src_type, src in key_sources:
+ for loader_file, loader_str in [
+ (paramiko.Ed25519Key.from_private_key_file, paramiko.Ed25519Key.from_private_key),
+ (paramiko.RSAKey.from_private_key_file, paramiko.RSAKey.from_private_key),
+ (paramiko.ECDSAKey.from_private_key_file, paramiko.ECDSAKey.from_private_key),
+ ]:
 try:
- key = loader(ssh_key)
+ from io import StringIO
+ if src_type == "file":
+ key = loader_file(src)
+ else:
+ key = loader_str(StringIO(src))
 client = paramiko.SSHClient()
 client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 client.connect(target, port=22, username=ssh_user, pkey=key,
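Review bot: The PEM-versus-path decision on the added `if ssh_key and "BEGIN" in ssh_key and "PRIVATE KEY" in ssh_key:` line matches those substrings anywhere in the value, and a stored key that fails to parse is handled by an `except` outside this hunk, so presumably the loop just moves to the next loader with no sign that the configured key was unusable. Anchoring the test as `if ssh_key and ssh_key.lstrip().startswith("-----BEGIN "):` and importing `StringIO` once at module level, rather than in both the `if` branch and the loop body, would tighten this. Because `ssh_key` can now hold the key itself rather than a path, any log or exception message in `_connect` that prints it should be checked. The unchanged `client.set_missing_host_key_policy(paramiko.AutoAddPolicy())` still accepts any host key on first contact; loading known hosts and using `paramiko.RejectPolicy()` would let the audit verify which machine it is talking to. `_connect` starts and ends outside the hunk.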