diff --git a/cli-runopts.c b/cli-runopts.c
index bad991fe9129d5479077b0a083077e5f7adf94eb..11c689051c66f08e23ffb25594b29cb862b2b3e2 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -38,7 +38,7 @@ static void parse_hostname(const char* orighostarg);
 static void parse_multihop_hostname(const char* orighostarg, const char* argv0);
 static void fill_own_user();
 #ifdef ENABLE_CLI_PUBKEY_AUTH
-static void loadidentityfile(const char* filename);
+static void loadidentityfile(const char* filename, int warnfail);
 #endif
 #ifdef ENABLE_CLI_ANYTCPFWD
 static void addforward(const char* str, m_list *fwdlist);
@@ -65,7 +65,7 @@ static void printhelp() {
 					"-y -y Don't perform any remote host key checking (caution)\n"
 					"-s    Request a subsystem (use by external sftp)\n"
 #ifdef ENABLE_CLI_PUBKEY_AUTH
-					"-i <identityfile>   (multiple allowed)\n"
+					"-i <identityfile>   (multiple allowed, default %s)\n"
 #endif
 #ifdef ENABLE_CLI_AGENTFWD
 					"-A    Enable agent auth forwarding\n"
@@ -95,6 +95,9 @@ static void printhelp() {
 					"-v    verbose (compiled with DEBUG_TRACE)\n"
 #endif
 					,DROPBEAR_VERSION, cli_opts.progname,
+#ifdef ENABLE_CLI_PUBKEY_AUTH
+					DROPBEAR_DEFAULT_CLI_AUTHKEY,
+#endif
 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
 					
 }
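Review bot: The two new guards do not agree with each other. This argument (and the `%s` added to the `-i` help line in the previous hunk) is compiled under `ENABLE_CLI_PUBKEY_AUTH` and assumes `DROPBEAR_DEFAULT_CLI_AUTHKEY` is defined, while the block added to cli_getopts further down is compiled under `DROPBEAR_DEFAULT_CLI_AUTHKEY` alone and calls `loadidentityfile()`, which is only declared and defined under `ENABLE_CLI_PUBKEY_AUTH`. Since options.h defines the path unconditionally, a build with public-key auth disabled would presumably fail on the undeclared function, and a build that removes the default path would fail here. Guarding the cli_getopts block with `#if defined(ENABLE_CLI_PUBKEY_AUTH) && defined(DROPBEAR_DEFAULT_CLI_AUTHKEY)`, and making the help line and this argument depend on the same condition, would cover both cases. printhelp begins outside this hunk.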
@@ -174,7 +177,7 @@ void cli_getopts(int argc, char ** argv) {
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 		if (nextiskey) {
 			/* Load a hostkey since the previous argument was "-i" */
-			loadidentityfile(argv[i]);
+			loadidentityfile(argv[i], 1);
 			nextiskey = 0;
 			continue;
 		}
@@ -231,7 +234,7 @@ void cli_getopts(int argc, char ** argv) {
 				case 'i': /* an identityfile */
 					/* Keep scp happy when it changes "-i file" to "-ifile" */
 					if (strlen(argv[i]) > 2) {
-						loadidentityfile(&argv[i][2]);
+						loadidentityfile(&argv[i][2], 1);
 					} else  {
 						nextiskey = 1;
 					}
@@ -444,6 +447,14 @@ void cli_getopts(int argc, char ** argv) {
 	}
 #endif
 
+#ifdef DROPBEAR_DEFAULT_CLI_AUTHKEY
+	{
+		char *expand_path = expand_tilde(DROPBEAR_DEFAULT_CLI_AUTHKEY);
+		loadidentityfile(expand_path, 0);
+		m_free(expand_path);
+	}
+#endif
+
 	/* The hostname gets set up last, since
 	 * in multi-hop mode it will require knowledge
 	 * of other flags such as -i */
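Review bot: The default key is loaded unconditionally here, after option parsing, so it joins the set of identities even when the user passed one or more `-i` files, and nothing in the block says whether that is intended. As a result, a key that merely exists at the default path is offered on every connection without the user asking for it. If the intent is to fall back to the default only when no key was given, the call needs a guard on the identity list being empty (the list is not visible in this hunk). If the intent is to always try it as well, a comment such as `/* Always also try the default key; a missing file is not an error */` would record that. cli_getopts starts and ends outside this hunk.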
@@ -455,14 +466,18 @@ void cli_getopts(int argc, char ** argv) {
 }
 
 #ifdef ENABLE_CLI_PUBKEY_AUTH
-static void loadidentityfile(const char* filename) {
+static void loadidentityfile(const char* filename, int warnfail) {
 	sign_key *key;
 	enum signkey_type keytype;
 
+	TRACE(("loadidentityfile %s", filename))
+
 	key = new_sign_key();
 	keytype = DROPBEAR_SIGNKEY_ANY;
 	if ( readhostkey(filename, key, &keytype) != DROPBEAR_SUCCESS ) {
-		fprintf(stderr, "Failed loading keyfile '%s'\n", filename);
+		if (warnfail) {
+			fprintf(stderr, "Failed loading keyfile '%s'\n", filename);
+		}
 		sign_key_free(key);
 	} else {
 		key->type = keytype;
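Review bot: With `warnfail` set to 0, every failure of `readhostkey()` is dropped silently, not only the expected case where the default key file does not exist. A default key that exists but is unreadable or malformed therefore gives the user no hint why public-key auth was not attempted. An `else` branch with `TRACE(("Failed loading keyfile '%s'", filename))` would at least leave this visible in debug builds. A short comment above the function, e.g. `/* warnfail: print an error if the key cannot be loaded (0 for the optional default key) */`, would document the new parameter. The function body continues past the end of this hunk.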
diff --git a/dbutil.c b/dbutil.c
index 2acc53b914a28562f31f135a4c1191ea29016b68..ae7313207e4fce467e2581136c0662e0ce336fd3 100644
--- a/dbutil.c
+++ b/dbutil.c
@@ -936,6 +936,23 @@ int m_str_to_uint(const char* str, unsigned int *val) {
 	}
 }
 
+/* Returns malloced path. Only expands ~ in first character */
+char * expand_tilde(const char *inpath) {
+	struct passwd *pw = NULL;
+	if (inpath[0] == '~') {
+		pw = getpwuid(getuid());
+		if (pw && pw->pw_dir) {
+			int len = strlen(inpath) + strlen(pw->pw_dir) + 1;
+			char *buf = m_malloc(len);
+			snprintf(buf, len, "%s/%s", pw->pw_dir, &inpath[1]);
+			return buf;
+		}
+	}
+
+	/* Fallback */
+	return m_strdup(inpath);
+}
+
 int constant_time_memcmp(const void* a, const void *b, size_t n)
 {
 	const char *xa = a, *xb = b;
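Review bot: The test `inpath[0] == '~'` in expand_tilde also matches `~otheruser/path`, which would be rewritten to a path under the calling user's own home directory rather than left alone. Restricting it to `if (inpath[0] == '~' && (inpath[1] == '/' || inpath[1] == '\0'))` keeps the function to the one form it actually handles. `len` is an `int` holding the sum of two `strlen()` results and is then passed to `m_malloc` and `snprintf`; declaring it `size_t len` avoids the signed conversion. For a `~/...` input the `"%s/%s"` format also produces a doubled slash after the home directory, which is harmless on POSIX but goes away with `"%s%s"` once the second character is known to be `/` or the terminator.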
diff --git a/dbutil.h b/dbutil.h
index 4dd05b548f06b71a0339126ed427e4c9de445182..774c3ce83e32d91e50e8816691855dad0f0b0233 100644
--- a/dbutil.h
+++ b/dbutil.h
@@ -110,5 +110,6 @@ int constant_time_memcmp(const void* a, const void *b, size_t n);
 a real-world clock */
 time_t monotonic_now();
 
+char * expand_tilde(const char *inpath);
 
 #endif /* _DBUTIL_H_ */
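Review bot: The new `expand_tilde` prototype has no comment, and the ownership rule is only stated next to the definition in dbutil.c. A header comment such as `/* Returns a newly allocated copy of inpath with a leading "~" replaced by the user's home directory; caller frees with m_free() */` would put the contract where callers look.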
diff --git a/dropbearkey.c b/dropbearkey.c
index 1eb4db2f4afb524fd1639b03991b9da05bb56aea..7eb2f3f01fc77433b75e3a10e505c58436031912 100644
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -76,7 +76,8 @@ static void printhelp(char * progname) {
 #ifdef DROPBEAR_ECDSA
 					"		ecdsa\n"
 #endif
-					"-f filename	Use filename for the secret key\n"
+					"-f filename    Use filename for the secret key.\n"
+					"               ~/.ssh/id_dropbear is recommended for client keys.\n"
 					"-s bits	Key size in bits, should be a multiple of 8 (optional)\n"
 #ifdef DROPBEAR_DSS
 					"           DSS has a fixed size of 1024 bits\n"
diff --git a/options.h b/options.h
index 213ba040487ae3caa541fd3c9748679e47ceaf3d..644ec72a06f001f7afd249b8849d2322bde1feb4 100644
--- a/options.h
+++ b/options.h
@@ -211,6 +211,10 @@ much traffic. */
 #define ENABLE_CLI_PUBKEY_AUTH
 #define ENABLE_CLI_INTERACT_AUTH
 
+/* A default argument for dbclient -i <privatekey>. 
+   leading "~" is expanded */
+#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear"
+
 /* This variable can be used to set a password for client
  * authentication on the commandline. Beware of platforms
  * that don't protect environment variables of processes etc. Also