diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 5849d47..86d36f0 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -58,7 +58,13 @@
 }
 ];
+ # Enforce root ownership on /persistent/etc. The impermanence activation
+ # script copies ownership from /persistent/etc to /etc via
+ # `chown --reference`. If /persistent/etc ever gets non-root ownership,
+ # sshd StrictModes rejects /etc/ssh/authorized_keys.d/root and root SSH
+ # breaks while non-root users still work.
+ # Use "z" (set ownership, non-recursive) not "d" (create only, no-op on existing).
 systemd.tmpfiles.rules = [
- "d /etc 755 root"
+ "z /persistent/etc 0755 root root"
 ];
 }
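Review bot: The `z /persistent/etc 0755 root root` rule is applied by systemd-tmpfiles, which on a normal boot runs after the NixOS activation script that (per the comment) does the `chown --reference` copy into /etc, so a wrong owner on /persistent/etc appears to be corrected only after the copy has already propagated it and the fix takes effect on the following boot; the boot ordering is inferred, not visible here, so please confirm. If that is right, the comment should say so, e.g. `# NOTE: tmpfiles-setup runs after activation, so a bad owner is repaired for the *next* boot — if root SSH is already broken, fix /persistent/etc once by hand.` Because sshd StrictModes also checks every ancestor of the authorized_keys path for group/world-writability, it may be worth stating in the comment why only /persistent/etc itself needs the rule (presumably /persistent and the nested ssh directories are covered elsewhere). The attribute set this hunk sits in begins outside the hunk.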