diff --git a/2nd-stage-files/pre-2nd-stage-files/etc/systemd/system/generate-ssh-host-keys.service b/2nd-stage-files/pre-2nd-stage-files/etc/systemd/system/generate-ssh-host-keys.service
new file mode 100644
index 0000000..30e51e0
--- /dev/null
+++ b/2nd-stage-files/pre-2nd-stage-files/etc/systemd/system/generate-ssh-host-keys.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Generate SSH host keys on first boot
+ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server
+
+[Install]
+RequiredBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/build-debian b/scripts/build-debian
index b8e7099..b86b53d 100755
--- a/scripts/build-debian
+++ b/scripts/build-debian
@@ -172,6 +172,7 @@ echo "kernel-url,${KERNEL_URL}\n" >> /tmp/versions.csv
 /usr/bin/systemctl enable systemd-networkd.service
 /usr/bin/systemctl enable systemd-resolved.service
 /usr/bin/systemctl enable systemd-timesyncd.service
+/usr/bin/systemctl enable generate-ssh-host-keys.service
 /bin/rm -f /var/log/*.log
 /bin/echo "root:${PASSWORD}" | /usr/sbin/chpasswd
 /bin/sed -i "s/#*\s*PermitRootLogin .*/PermitRootLogin yes/" /etc/ssh/sshd_config
@@ -180,6 +181,9 @@ EOF
 # Remove ARM emulation stuff again
 rm -v debian/usr/bin/qemu-*-static || :
 
+# Remove ssh host keys, they will be generated on first boot by generate-ssh-host-keys.service
+rm -v debian/etc/ssh/ssh_host_*_key* || :
+
 cp -rv --preserve=mode ../2nd-stage-files/post-2nd-stage-files/* debian
 
 # Set hostname
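Review bot: The new generate-ssh-host-keys.service declares no ordering against the SSH daemon, so on first boot ssh.service may be started before any host key exists; the [Unit] section should carry `Before=ssh.service`. With that ordering in place, `dpkg-reconfigure` would probably block on the package's own restart of ssh.service, so `ExecStart=/usr/bin/ssh-keygen -A` (which creates only the missing default key types) looks like the safer command, and is worth a first-boot test. `RequiredBy=multi-user.target` also turns a failed key generation into a failed boot target; `WantedBy=multi-user.target` is likely the intended strength. The file ends without a trailing newline.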
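Review bot: The `|| :` on the added `rm -v debian/etc/ssh/ssh_host_*_key* || :` in scripts/build-debian hides a failed removal, and an image that keeps its build-time host keys gives every device installed from it the same SSH identity. A missing match is the only failure worth ignoring, so `rm -fv debian/etc/ssh/ssh_host_*_key* || exit 1` would tolerate that case and still stop the build on a real error. The `cp -rv … post-2nd-stage-files/* debian` step runs after this cleanup, so it is worth confirming that tree never carries host keys of its own. The `systemctl enable generate-ssh-host-keys.service` line added in the previous hunk sits inside a heredoc that starts outside the diff, so whether a failure there aborts the build cannot be seen from here.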