diff --git a/src/blobs.js b/src/blobs.js
index c16b26890..1a883fd55 100644
--- a/src/blobs.js
+++ b/src/blobs.js
@@ -68,26 +68,10 @@ async function generateSecrets() { if (!dhparams) throw new BoxError(BoxError.OPENSSL_ERROR, safe.error); if (!safe.fs.writeFileSync(paths.DHPARAMS_FILE, dhparams)) throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${safe.error.message}`); await set(exports.DHPARAMS, dhparams); - - debug('generateSecrets: generate sftp keys'); - if (!safe.child_process.execSync(`ssh-keygen -m PEM -t rsa -f "${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key" -q -N ""`)) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ssh keys: ${safe.error.message}`); - const sftpPublicKey = safe.fs.readFileSync(paths.SFTP_PUBLIC_KEY_FILE); - await set(exports.SFTP_PUBLIC_KEY, sftpPublicKey); - const sftpPrivateKey = safe.fs.readFileSync(paths.SFTP_PRIVATE_KEY_FILE); - await set(exports.SFTP_PRIVATE_KEY, sftpPrivateKey); - if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY_FILE, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`); - if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`); } async function restoreSecrets() { const dhparams = await get(exports.DHPARAMS); if (!dhparams) throw new BoxError(BoxError.NOT_FOUND, 'dhparams not found'); if (!safe.fs.writeFileSync(paths.DHPARAMS_FILE, dhparams)) throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${safe.error.message}`); - - const sftpPrivateKey = await get(exports.SFTP_PRIVATE_KEY); - const sftpPublicKey = await get(exports.SFTP_PUBLIC_KEY); - - if (!sftpPrivateKey || !sftpPublicKey) throw new BoxError(BoxError.NOT_FOUND, 'SFTP keys not found'); - if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY_FILE, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`); - if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey)) throw new 
BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`); } diff --git a/src/sftp.js b/src/sftp.js index 3e4892d15..ba86c7163 100644 --- a/src/sftp.js +++ b/src/sftp.js @@ -9,6 +9,7 @@ exports = module.exports = { const apps = require('./apps.js'), assert = require('assert'), + blobs = require('./blobs.js'), BoxError = require('./boxerror.js'), debug = require('debug')('box:sftp'), docker = require('./docker.js'), @@ -22,6 +23,23 @@ const apps = require('./apps.js'), system = require('./system.js'), volumes = require('./volumes.js'); +async function ensureKeys() { + let sftpPrivateKey = await blobs.get(blobs.SFTP_PRIVATE_KEY); + let sftpPublicKey = await blobs.get(blobs.SFTP_PUBLIC_KEY); + + if (!sftpPrivateKey || !sftpPublicKey) { + debug('ensureSecrets: generating new sftp keys'); + if (!safe.child_process.execSync(`ssh-keygen -m PEM -t rsa -f "${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key" -q -N ""`)) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ssh keys: ${safe.error.message}`); + sftpPublicKey = safe.fs.readFileSync(paths.SFTP_PUBLIC_KEY_FILE); + await blobs.set(blobs.SFTP_PUBLIC_KEY, sftpPublicKey); + sftpPrivateKey = safe.fs.readFileSync(paths.SFTP_PRIVATE_KEY_FILE); + await blobs.set(blobs.SFTP_PRIVATE_KEY, sftpPrivateKey); + } + + if (!safe.fs.writeFileSync(paths.SFTP_PUBLIC_KEY_FILE, sftpPublicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public key: ${safe.error.message}`); + if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private key: ${safe.error.message}`); +} + async function start(existingInfra) { assert.strictEqual(typeof existingInfra, 'object'); 
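Review bot: The two `writeFileSync` calls at the end of `ensureKeys` pass no `mode`, so on the path where the keys already exist in `blobs` and are only being written back to disk (the case after a restore, which `restoreSecrets` no longer handles) the host private key is created with Node's default 0o666 masked by the umask, typically 0644, and is readable by any local user; only on the fresh-generation path does it get 0600 from ssh-keygen, which the truncating rewrite then preserves. Assuming `safe.fs.writeFileSync` forwards its options to `fs.writeFileSync`, write the private key as `if (!safe.fs.writeFileSync(paths.SFTP_PRIVATE_KEY_FILE, sftpPrivateKey, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, \`Could not save sftp private key: ${safe.error.message}\`);`. Separately, `ssh-keygen -f` on an existing key file asks for overwrite confirmation and, as far as I can tell, exits non-zero when stdin is not a tty, so a stale on-disk key left by an earlier run that generated but never reached `blobs.set` would make every subsequent start fail; unlinking the two files before invoking ssh-keygen, or generating into a temporary name, avoids that. The two `readFileSync` results are handed to `blobs.set` without a null check, so a read failure persists an empty blob that later starts will trust — guard each with `if (!sftpPublicKey) throw new BoxError(BoxError.FS_ERROR, ...)` before storing it. `ensureKeys` is complete within this hunk; `start` begins here but continues past it.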
@@ -34,6 +52,8 @@ async function start(existingInfra) { const memory = system.getMemoryAllocation(memoryLimit); const cloudronToken = hat(8 * 128); + await ensureKeys(); + const resolvedAppDataDir = safe.fs.realpathSync(paths.APPS_DATA_DIR); if (!resolvedAppDataDir) throw new BoxError(BoxError.FS_ERROR, `Could not resolve apps data dir: ${safe.error.message}`);