diff --git a/bindep.txt b/bindep.txt
index d150cfcd6b..8f0c819881 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -34,6 +34,7 @@ python3.7 [test platform:ubuntu-bionic]
 python3.7-dev [test platform:ubuntu-bionic]
 bubblewrap [!platform:ubuntu-xenial]
 libre2-dev [compile test platform:dpkg]
+libre2-5 [platform:debian-buster]
 libre2-4 [platform:ubuntu-bionic]
 libre2-3 [platform:debian-stretch]
 libre2-1v5 [platform:ubuntu-xenial]
diff --git a/doc/source/admin/components.rst b/doc/source/admin/components.rst
index a9b8029d3e..62053b390e 100644
--- a/doc/source/admin/components.rst
+++ b/doc/source/admin/components.rst
@@ -580,6 +580,10 @@ The following sections of ``zuul.conf`` are used by the executor:
 SSH private key file to be used when logging into worker nodes.
+ .. note:: If you use an RSA key, ensure it is encoded in the PEM
+ format (use the ``-t rsa -m PEM`` arguments to
+ `ssh-keygen`).
+
 .. attr:: default_username
 :default: zuul
diff --git a/doc/source/admin/drivers/gerrit.rst b/doc/source/admin/drivers/gerrit.rst
index 7d0bc4fe13..9f11dde653 100644
--- a/doc/source/admin/drivers/gerrit.rst
+++ b/doc/source/admin/drivers/gerrit.rst
@@ -15,6 +15,10 @@ create a Gerrit user with that key::
 cat ~/id_rsa.pub | ssh -p29418 review.example.com gerrit create-account --ssh-key - --full-name Zuul zuul
+.. note:: If you use an RSA key, ensure it is encoded in the PEM
+ format (use the ``-t rsa -m PEM`` arguments to
+ `ssh-keygen`).
+
 Give that user whatever permissions will be needed on the projects you want Zuul to report on. For instance, you may want to grant ``Verified +/-1`` and ``Submit`` to the user. Additional categories
diff --git a/doc/source/admin/examples/playbooks/setup.yaml b/doc/source/admin/examples/playbooks/setup.yaml
index 9e5c70d9a7..d6e35365c4 100644
--- a/doc/source/admin/examples/playbooks/setup.yaml
+++ b/doc/source/admin/examples/playbooks/setup.yaml
@@ -10,11 +10,11 @@
 args:
 creates: /var/ssh/admin.pub
 - name: Generate Zuul SSH key for Gerrit
- command: ssh-keygen -f /var/ssh/zuul -N ''
+ command: ssh-keygen -f /var/ssh/zuul -N '' -t rsa -m PEM
 args:
 creates: /var/ssh/zuul.pub
 - name: Generate Zuul SSH key for Nodepool
- command: ssh-keygen -f /var/ssh/nodepool -N ''
+ command: ssh-keygen -f /var/ssh/nodepool -N '' -t rsa -m PEM
 args:
 creates: /var/ssh/nodepool.pub
 - name: Add Nodepool key to node authorized_keys file
diff --git a/doc/source/admin/nodepool_install.rst b/doc/source/admin/nodepool_install.rst
index 2e3ec65615..008c49dac4 100644
--- a/doc/source/admin/nodepool_install.rst
+++ b/doc/source/admin/nodepool_install.rst
@@ -14,7 +14,7 @@ into the nodes that Nodepool provides.
 sudo groupadd --system nodepool
 sudo useradd --system nodepool --home-dir /var/lib/nodepool --create-home -g nodepool
- ssh-keygen -t rsa -b 2048 -f nodepool_rsa # don't enter a passphrase
+ ssh-keygen -t rsa -m PEM -b 2048 -f nodepool_rsa # don't enter a passphrase
 sudo mkdir /etc/nodepool/
 sudo mkdir /var/log/nodepool
 sudo chgrp -R nodepool /var/log/nodepool/
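Review bot: In the setup.yaml hunk both key-generation tasks remain guarded by `creates: /var/ssh/zuul.pub` and `creates: /var/ssh/nodepool.pub`, so where those files already exist the tasks are skipped and the private keys keep whatever format they were first written in; the new `-t rsa -m PEM` arguments only apply to freshly generated keys. A comment above the two tasks such as `# NOTE: skipped when the key already exists; keys created before this change keep their original format` would make that visible to anyone reusing the example. The commands also leave the RSA key size to the ssh-keygen default, which differs between OpenSSH releases, so passing `-b` with an explicit size would make the generated key strength reproducible. The task list starts before and continues past the hunk, so whether the existing keys are handled elsewhere cannot be seen from here.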