diff --git a/group_vars/default/base.yml b/group_vars/default/base.yml
index ac69a0e..859d876 100644
--- a/group_vars/default/base.yml
+++ b/group_vars/default/base.yml
@@ -110,6 +110,8 @@ admin_users:
 uid: 500
 keys:
 - "ssh-ed25519 MyKey 2019-06"
+ removed:
+ - "ssh-ed25519 ObsoleteKey 2017-01"

 # Backup user SSH user keys, for remote backups separate from administrative users (e.g. rsync)
 # > Uncomment to activate this functionality.
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 932d641..87c92e1 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -838,6 +838,7 @@
 authorized_key:
 user: "{{ deploy_username }}"
 key: "{{ item.1 }}"
+ state: present
 with_subelements:
 - "{{ admin_users }}"
 - keys
@@ -845,6 +846,18 @@
 - users
 - user-deploy

+- name: remove authorized keys
+ authorized_key:
+ user: "{{ deploy_username }}"
+ key: "{{ item.1 }}"
+ state: absent
+ with_subelements:
+ - "{{ admin_users }}"
+ - removed
+ tags:
+ - users
+ - user-deploy
+
 # admin_users
 - name: ensure user exists
 user:
@@ -890,6 +903,7 @@
 authorized_key:
 user: "{{ item.0.name }}"
 key: "{{ item.1 }}"
+ state: present
 with_subelements:
 - "{{ admin_users }}"
 - keys
@@ -897,6 +911,18 @@
 - users
 - user-admin

+- name: remove authorized keys
+ authorized_key:
+ user: "{{ item.0.name }}"
+ key: "{{ item.1 }}"
+ state: absent
+ with_subelements:
+ - "{{ admin_users }}"
+ - removed
+ tags:
+ - users
+ - user-deploy
+
 - name: write bashrc to homedir
 template:
 src: var/home/user/bashrc.j2
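Review bot: The new `removed:` list in the `admin_users` example (hunk -110,6 +110,8) has no comment explaining what it does or how long an entry should stay there. I would add above it something like `# Keys under "removed" are deleted from authorized_keys on each run; move a key here from "keys" to revoke it.` It is also worth saying that a key must not appear in both lists, since the removal tasks in roles/base/tasks/main.yml appear to run after the add tasks and would undo the add on every run. The rest of the `admin_users` entry lies outside the hunk.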
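Review bot: The added removal task in hunk -845,6 +846,18 loops over the `removed` subkey of every `admin_users` entry, and as far as I know `with_subelements` errors out on any entry that lacks the subkey unless the skip flag is passed. An inventory that has not added `removed:` to each user would then fail at this task, so the run stops and no key is revoked on that host. Adding a third list element `- skip_missing: true` under `with_subelements` keeps the list optional. The same applies to the second removal task in hunk -897,6 +911,18.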
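Review bot: The removal task added in hunk -897,6 +911,18 acts on the admin accounts (`user: "{{ item.0.name }}"`) but is tagged `user-deploy`, while the add task just above it in the same hunk is tagged `user-admin`. A run limited to `--tags user-admin` would therefore install admin keys without ever revoking the ones listed under `removed`; the last tag should read `- user-admin`. Both new tasks are also named `remove authorized keys`, so a name such as `remove authorized keys from admin users` here would make run logs unambiguous about which account lost a key.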