diff --git a/etc/ssh/sshd_config.d/10-stormux-hostkeys.conf b/etc/ssh/sshd_config.d/10-stormux-hostkeys.conf
new file mode 100644
index 0000000..e9daad5
--- /dev/null
+++ b/etc/ssh/sshd_config.d/10-stormux-hostkeys.conf
@@ -0,0 +1,2 @@
+HostKey /home/stormux/.local/etc/ssh/ssh_host_ed25519_key
+HostKey /home/stormux/.local/etc/ssh/ssh_host_rsa_key
diff --git a/etc/systemd/system/sshd.service.d/stormux-hostkeys.conf b/etc/systemd/system/sshd.service.d/stormux-hostkeys.conf
new file mode 100644
index 0000000..9fc1672
--- /dev/null
+++ b/etc/systemd/system/sshd.service.d/stormux-hostkeys.conf
@@ -0,0 +1,5 @@
+[Unit]
+Wants=
+Wants=stormux-sshd-hostkeys.service ssh-access.target
+After=
+After=network.target stormux-sshd-hostkeys.service
diff --git a/etc/systemd/system/stormux-sshd-hostkeys.service b/etc/systemd/system/stormux-sshd-hostkeys.service
new file mode 100644
index 0000000..e029d4b
--- /dev/null
+++ b/etc/systemd/system/stormux-sshd-hostkeys.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate persistent Stormux SSH host keys
+RequiresMountsFor=/home/stormux/.local/etc/ssh
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/stormux/stormux_sshd_hostkeys.sh
diff --git a/usr/lib/stormux/stormux_sshd_hostkeys.sh b/usr/lib/stormux/stormux_sshd_hostkeys.sh
new file mode 100755
index 0000000..1cec0b3
--- /dev/null
+++ b/usr/lib/stormux/stormux_sshd_hostkeys.sh
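Review bot: Both HostKey paths sit under /home/stormux, so the host's identity keys live beneath a directory tree that the stormux account presumably owns and can rename or replace; the generator hunk (usr/lib/stormux/stormux_sshd_hostkeys.sh) makes only the leaf directory root-owned with `install -d -o root -g root -m 700`, which does not protect against a user-owned `/home/stormux/.local` or `.local/etc` being swapped out, and its non-root branch creates everything user-owned. A compromise of that one account would then become a host-key compromise, i.e. the ability to impersonate this host to every client that has pinned its key. If the home partition is the only persistent storage, the generator should at least check that every path component up to the key directory is root-owned and not a symlink before writing, and this drop-in should record the reasoning, e.g. `# Persistent host keys on the home partition; these replace the distribution defaults in /etc/ssh, which sshd uses only when no HostKey is configured.`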
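Review bot: `Wants=stormux-sshd-hostkeys.service` lets sshd start even when the generator fails, and because the HostKey drop-in points sshd only at the generated files, sshd then exits on its own with no usable host key, so the failure shows up on sshd rather than on the unit that actually broke. `Requires=stormux-sshd-hostkeys.service` (keeping the existing `After=`) makes the dependency explicit and prevents sshd from being started at all in that case. The empty `Wants=` and `After=` lines also discard whatever the distribution's sshd.service declares, which may be intended to keep its own key generator out of the way but deserves a comment, e.g. `# Reset upstream Wants=/After= so only our generator and ssh-access.target are pulled in`.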
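Review bot: The unit runs the generator as root with no sandboxing, which is exactly what the script's `install -d -o root -g root` branch needs, but that requirement is not recorded; a comment above `[Service]` such as `# Runs as root on purpose: the key directory and private keys must be root-owned` would keep a future `User=` line from silently changing key ownership. `UMask=077` is a cheap additional guard, since the script sets explicit modes on the key files afterwards. `ProtectSystem=strict` with a `ReadWritePaths=` entry for the key directory is plausible too, but would need testing against the parent-directory creation that `install -d` performs.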
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+hostKeyDir="${STORMUX_SSH_HOSTKEY_DIR:-/home/stormux/.local/etc/ssh}"
+
+generate_host_key() {
+ local keyType="$1"
+ local filePath="$2"
+ shift 2
+
+ if [[ -f "$filePath" ]]; then
+ return 0
+ fi
+
+ rm -f "${filePath}.pub"
+ ssh-keygen -q -t "$keyType" "$@" -N "" -f "$filePath"
+}
+
+if [[ "${EUID}" -eq 0 ]]; then
+ install -d -o root -g root -m 700 "$hostKeyDir"
+else
+ install -d -m 700 "$hostKeyDir"
+fi
+generate_host_key ed25519 "${hostKeyDir}/ssh_host_ed25519_key"
+generate_host_key rsa "${hostKeyDir}/ssh_host_rsa_key" -b 3072
+chmod 600 "${hostKeyDir}"/ssh_host_*_key
+chmod 644 "${hostKeyDir}"/ssh_host_*_key.pub
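Review bot: The `[[ -f "$filePath" ]]` check in generate_host_key treats any existing file as a valid key, so an empty or truncated file left by an interrupted run (or a stray symlink, which `-f` also accepts) is kept forever and sshd is left without a loadable key on every subsequent boot. Validating the existing key with `ssh-keygen -y -f` before skipping, and removing the private file as well as the `.pub` before regenerating (ssh-keygen would otherwise prompt to overwrite, and under systemd stdin is not a terminal), closes that gap; generating into a temporary name in the same directory and renaming would be the stronger, atomic fix. This only regenerates keys the script itself created without a passphrase, so the `-y` probe cannot be blocked by a passphrase prompt.
```shell
generate_host_key() {
 local keyType="$1"
 local filePath="$2"
 shift 2

 # Skip only when the existing key actually loads; an empty or truncated
 # file from an interrupted run must be regenerated, not kept.
 if [[ -f "$filePath" ]] && ssh-keygen -y -f "$filePath" >/dev/null 2>&1; then
 return 0
 fi

 # Remove both halves so ssh-keygen never asks whether to overwrite.
 rm -f -- "$filePath" "${filePath}.pub"
 ssh-keygen -q -t "$keyType" "$@" -N "" -f "$filePath"
}
# … unchanged: directory creation, the two generate_host_key calls, chmod …
```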