diff --git a/cmd/keystored/main.go b/cmd/keystored/main.go
index 5fe0b892bdaa957f62957c4f04e4e0f790b459e5..c8800a6e1a34c626589497b1b0247bc79c61fc25 100644
--- a/cmd/keystored/main.go
+++ b/cmd/keystored/main.go
@@ -22,13 +22,13 @@ import (
 var (
 	addr       = flag.String("addr", ":5006", "address to listen on")
 	configFile = flag.String("config", "/etc/keystore/config.yml", "path of config file")
+	stateFile  = flag.String("state-file", "", "path of state file for transparent restarts")
 )
 
 // Config wraps the keystore server.Config together with the HTTP
 // server config in a single object for YAML deserialization.
 type Config struct {
 	server.Config `yaml:",inline"`
-	StateFile     string                   `yaml:"state_file"`
 	ServerConfig  *serverutil.ServerConfig `yaml:"http_server"`
 }
 
@@ -94,8 +94,8 @@ func main() {
 	}
 	prometheus.MustRegister(server.NewKeystoreCollector(ks))
 
-	if config.StateFile != "" {
-		if err := loadState(ks, config.StateFile); err != nil {
+	if *stateFile != "" {
+		if err := loadState(ks, *stateFile); err != nil {
 			log.Printf("error loading state: %v", err)
 		}
 	}
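Review bot: Nothing in this hunk removes the state file once `loadState` has succeeded, so the dump, and whatever key material it carries, stays on disk after every restart. The matching `dumpState` call only runs on a clean shutdown, so after a crash the next start would re-import that older dump as if it were current. If `loadState` (defined outside this hunk) does not already unlink the file, consider deleting it right after a successful load, e.g. `os.Remove(*stateFile)` with the error logged. Separately, a `state_file:` key left in an existing config.yml is no longer honoured after this change, which deserves a changelog line.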
@@ -106,8 +106,8 @@ func main() {
 		log.Fatal(err)
 	}
 
-	if config.StateFile != "" {
-		if err := dumpState(ks, config.StateFile); err != nil {
+	if *stateFile != "" {
+		if err := dumpState(ks, *stateFile); err != nil {
 			log.Fatalf("error dumping state: %v", err)
 		}
 	}
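Review bot: This hunk gives no guarantee about how the state file passed to `dumpState` is created, and that file holds the keystore's in-memory state. `dumpState` is defined outside the hunk, so confirm that it creates the file with mode 0600. It should also write to a temporary name and rename it into place, so that the next `loadState` can never read a partial dump. A short comment above the block would record the intent: `// Persist state for a transparent restart; the file holds live keystore state and must stay 0600.`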
diff --git a/debian/compat b/debian/compat
index f599e28b8ab0d8c9c57a486c89c4a5132dcbd3b2..b1bd38b62a0800a4f6a80c34e21c5acffae52c7e 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-10
+13
diff --git a/debian/control b/debian/control
index 0dd0ab4955d1ef254a6f66069e1dc73bca41e338..1c06d751755b46dda320df929bfef0faf1afc61b 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: keystore
 Section: admin
 Priority: optional
 Maintainer: Autistici/Inventati <debian@autistici.org>
-Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
+Build-Depends: debhelper (>=13), golang-any (>=1.14), dh-golang
 Standards-Version: 3.9.6
 
 Package: keystored
diff --git a/debian/keystored.default b/debian/keystored.default
index 54d99b80cd2e458d6af7ffef115eec0210286335..74ea6feb2b345e2bff23327dacc4d0d6793f1de2 100644
--- a/debian/keystored.default
+++ b/debian/keystored.default
@@ -1 +1,2 @@
 ADDR=:5006
+STATE_FILE=/var/lib/keystored/reload-state
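Review bot: The default `STATE_FILE` path is on persistent storage, so whatever the daemon dumps there survives reboots and ends up in backups and disk images. If the dump contains unlocked key material (likely for a keystore, but not visible in this diff), a tmpfs location would limit its lifetime to the current boot while still covering service restarts. With systemd that could be `STATE_FILE=/run/keystored/reload-state` together with `RuntimeDirectory=keystored` and `RuntimeDirectoryPreserve=restart` in the unit.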
diff --git a/debian/keystored.service b/debian/keystored.service
index 16dbdf68ab67682762eb4585449b8b58ce744ee4..a23620662c78d46ccc778664c26b07c4a82749be 100644
--- a/debian/keystored.service
+++ b/debian/keystored.service
@@ -5,8 +5,8 @@ After=network.target
 [Service]
 User=keystored
 Group=keystored
-EnvironmentFile=-/etc/default/keystored
-ExecStart=/usr/bin/keystored --addr $ADDR
+EnvironmentFile=/etc/default/keystored
+ExecStart=/usr/bin/keystored --addr $ADDR --state-file $STATE_FILE
 Restart=always
 
 # Hardening
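Review bot: On the new `ExecStart` line, an unset or empty `STATE_FILE` makes systemd expand the bare `$STATE_FILE` word to no argument at all. `--state-file` is then left without a value, flag parsing fails, and `Restart=always` turns that into a restart loop. This can happen on upgrade when an administrator keeps a locally modified /etc/default/keystored that lacks the new variable, and dropping the `-` prefix from `EnvironmentFile` makes a missing file fatal too. Writing the option as `--state-file=${STATE_FILE}` always passes exactly one argument, and an empty value simply disables the feature via the `*stateFile != ""` check in main.go. Keeping `EnvironmentFile=-/etc/default/keystored` alongside that would preserve the previous tolerance for a missing file.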
@@ -16,6 +16,7 @@ PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=full
 ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/keystored
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 [Install]
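Review bot: `ReadWriteDirectories=/var/lib/keystored` has no `-` prefix, so the unit fails during namespace setup if the directory does not exist. Its existence depends on the separate tmpfiles.d entry having been applied first. If the targeted systemd versions support it, `StateDirectory=keystored` with `StateDirectoryMode=0700` lets systemd create the directory, give it to the `User=` account and make it writable inside the sandbox, which removes the ordering dependency. Otherwise the current name for this legacy directive is `ReadWritePaths=`.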
diff --git a/debian/keystored.tmpfiles b/debian/keystored.tmpfiles
new file mode 100644
index 0000000000000000000000000000000000000000..2d4a4ad414cbbdc8c1695bc1313c164b6ee1ad27
--- /dev/null
+++ b/debian/keystored.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/keystored 700 keystored keystored