diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index c8a53d85e7..4ef0de1d05 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -490,6 +490,7 @@ enable_neutron_segments: "no"
 enable_neutron_sfc: "no"
 enable_neutron_infoblox_ipam_agent: "no"
 enable_nova_serialconsole_proxy: "no"
+enable_nova_ssh: "yes"
 enable_octavia: "no"
 enable_opendaylight: "no"
 enable_openvswitch: "{{ neutron_plugin_agent != 'linuxbridge' | bool }}"
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index 92a8625238..757779338f 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -26,7 +26,7 @@ nova_services:
     container_name: "nova_ssh"
     group: "compute"
     image: "{{ nova_ssh_image_full }}"
-    enabled: True
+    enabled: "{{ enable_nova_ssh | bool }}"
     volumes:
       - "{{ node_config_directory }}/nova-ssh/:{{ container_config_directory }}/:ro"
       - "/etc/localtime:/etc/localtime:ro"
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 33b2c2f63e..a6aab72aa7 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -247,6 +247,7 @@ kolla_internal_vip_address: "10.10.10.254"
 #enable_neutron_sfc: "no"
 #enable_nova_fake: "no"
 #enable_nova_serialconsole_proxy: "no"
+#enable_nova_ssh: "yes"
 #enable_octavia: "no"
 #enable_opendaylight: "no"
 #enable_openvswitch: "{{ neutron_plugin_agent != 'linuxbridge' }}"
diff --git a/releasenotes/notes/allow-disabling-nova-ssh-51028805f163e5a2.yaml b/releasenotes/notes/allow-disabling-nova-ssh-51028805f163e5a2.yaml
new file mode 100644
index 0000000000..f535787214
--- /dev/null
+++ b/releasenotes/notes/allow-disabling-nova-ssh-51028805f163e5a2.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add a configuration option `enable_nova_ssh` to allow disabling the
+    service. This is useful when an operator is not supporting cold-migration
+    and does not want to manage additional SSH keys.