diff --git a/scripts/cont-init-sshd.sh b/scripts/cont-init-sshd.sh
index efe69f2..62d77d0 100644
--- a/scripts/cont-init-sshd.sh
+++ b/scripts/cont-init-sshd.sh
@@ -5,12 +5,30 @@
 
 echo "=== SSH enabled: starting sshd ==="
 
-# Generate host keys if missing (first boot or ephemeral /etc/ssh)
-ssh-keygen -A 2>/dev/null || true
+HOME_DIR="/home/user"
+HOST_KEY_STORE="$HOME_DIR/.ssh/host_keys"
+
+# Persist host keys on the home PVC so clients don't see a "host key
+# changed" warning after pod restarts.
+if [ -d "$HOST_KEY_STORE" ] && [ -n "$(ls "$HOST_KEY_STORE"/ssh_host_* 2>/dev/null)" ]; then
+    # Restore previously generated host keys
+    echo "Restoring SSH host keys from PVC..."
+    cp "$HOST_KEY_STORE"/ssh_host_* /etc/ssh/
+    chmod 600 /etc/ssh/ssh_host_*_key
+    chmod 644 /etc/ssh/ssh_host_*_key.pub
+else
+    # First boot: generate and save host keys to PVC
+    echo "Generating SSH host keys (first boot)..."
+    ssh-keygen -A 2>/dev/null || true
+    mkdir -p "$HOST_KEY_STORE"
+    cp /etc/ssh/ssh_host_* "$HOST_KEY_STORE/"
+    chmod 700 "$HOST_KEY_STORE"
+    chown -R 1000:1000 "$HOST_KEY_STORE"
+    echo "SSH host keys saved to PVC."
+fi
 
 # Populate authorized_keys from env var (injected via Kubernetes secret)
 if [ -n "$SSH_AUTHORIZED_KEYS" ]; then
-    HOME_DIR="/home/user"
     mkdir -p "$HOME_DIR/.ssh"
     chmod 700 "$HOME_DIR/.ssh"
     printf '%s\n' "$SSH_AUTHORIZED_KEYS" > "$HOME_DIR/.ssh/authorized_keys"