diff --git a/etc/sysctl.d/60-local.conf b/etc/sysctl.d/60-local.conf
index 66fe0a0..7847d85 100644
--- a/etc/sysctl.d/60-local.conf
+++ b/etc/sysctl.d/60-local.conf
@@ -37,6 +37,9 @@ net.ipv4.tcp_retries2 = 8 # 25.4s with minimum 0.2s RTO
 net.ipv4.tcp_orphan_retries = 6
+# keys are rotated by tcp-fastopen-rotate-keys.timer
+net.ipv4.tcp_fastopen = 3
+
 net.mptcp.enabled = 0
 net.netfilter.nf_conntrack_tcp_loose = 0
diff --git a/etc/systemd/system/tcp-fastopen-rotate-keys.service b/etc/systemd/system/tcp-fastopen-rotate-keys.service
new file mode 100644
index 0000000..11a3166
--- /dev/null
+++ b/etc/systemd/system/tcp-fastopen-rotate-keys.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Rotate TCP Fast Open keys
+[Service]
+ExecStart=/usr/local/bin/tcp-fastopen-rotate-keys
+Type=oneshot
+UMask=0077
diff --git a/etc/systemd/system/tcp-fastopen-rotate-keys.timer b/etc/systemd/system/tcp-fastopen-rotate-keys.timer
new file mode 100644
index 0000000..c6e4bbf
--- /dev/null
+++ b/etc/systemd/system/tcp-fastopen-rotate-keys.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run tcp-fastopen-rotate-keys daily
+[Timer]
+OnCalendar=daily UTC
+Persistent=true
+[Install]
+WantedBy=timers.target
diff --git a/packages/0.ns1.grapheneos.org b/packages/0.ns1.grapheneos.org
index 55dd626..9250e5a 100644
--- a/packages/0.ns1.grapheneos.org
+++ b/packages/0.ns1.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 bird
 certbot
diff --git a/packages/0.ns2.grapheneos.org b/packages/0.ns2.grapheneos.org
index 7082a33..493059f 100644
--- a/packages/0.ns2.grapheneos.org
+++ b/packages/0.ns2.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 certbot
 chrony
diff --git a/packages/1.ns1.grapheneos.org b/packages/1.ns1.grapheneos.org
index b094b2d..c7223d1 100644
--- a/packages/1.ns1.grapheneos.org
+++ b/packages/1.ns1.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 bird
 chrony
diff --git a/packages/1.ns2.grapheneos.org b/packages/1.ns2.grapheneos.org
index 60cf59f..81d0975 100644
--- a/packages/1.ns2.grapheneos.org
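Review bot: The comment above the new `net.ipv4.tcp_fastopen = 3` line names the timer but says nothing about what `3` enables or where the rotated key lives, so a reader of this file has to open the script to learn that the key is written to `/etc/sysctl.d/50-tcp_fastopen_key.conf`. `3` is client (1) plus server (2); the server bit only takes effect for listeners that opt in with the TCP_FASTOPEN socket option, and the cookies they issue are derived from the client address under `net.ipv4.tcp_fastopen_key`, which is why that key must stay secret and rotate. I would replace the comment with `# 1 = client, 2 = server; server cookies are keyed by net.ipv4.tcp_fastopen_key, written (umask 077) to 50-tcp_fastopen_key.conf and rotated daily by tcp-fastopen-rotate-keys.timer`. If only inbound connections are meant to use TFO, `2` is the narrower setting, though the client bit is inert unless an application asks for it.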
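Review bot: The `[Service]` section runs a root script that writes a secret into `/etc/sysctl.d` with no confinement beyond `UMask=0077` (which the script repeats with `umask 077`); since this is a oneshot with a fixed, known set of paths it is a good candidate for `ProtectSystem=strict` plus `ReadWritePaths=/etc/sysctl.d`, with `ProtectHome=`, `PrivateTmp=` and `NoNewPrivileges=` turned on. Two common hardening options must stay off and deserve a comment saying so: `ProtectKernelTunables=` makes `/proc/sys` read-only and would break the `sysctl -p` at the end of the script, and `PrivateNetwork=` would apply `net.ipv4.*` inside a throwaway network namespace, leaving the host's key untouched while the unit reports success. `/etc/tcp_fastopen_seed`, which the script checks for, stays readable because `ProtectSystem=strict` only removes write access.
```ini
# … unchanged: [Unit] …

[Service]
ExecStart=/usr/local/bin/tcp-fastopen-rotate-keys
Type=oneshot
UMask=0077
# The script writes /etc/sysctl.d/50-tcp_fastopen_key.conf and reads
# /etc/tcp_fastopen_seed; everything else can be read-only.
ProtectSystem=strict
ReadWritePaths=/etc/sysctl.d
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
# Do not add ProtectKernelTunables= (read-only /proc/sys breaks sysctl -p) or
# PrivateNetwork= (net.ipv4.* sysctls are per network namespace).
```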
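Review bot: `OnCalendar=daily UTC` fires with systemd's default `AccuracySec=` of one minute, so hosts can switch keys up to a minute apart and, until the slower one catches up, reject cookies the faster one just issued; that matters if, as the seed-file branch in tcp-fastopen-rotate-keys suggests, the ns replicas are meant to derive the same key (not visible here). Adding `AccuracySec=1s` under `[Timer]` shrinks that window to whatever chrony leaves between the clocks; keeping the outgoing key as the kernel's backup key in the rotation script would remove it entirely. `Persistent=true` covers a host that was down at midnight, but a freshly provisioned host has no key until the next 00:00 UTC, so whatever installs this unit should also run `systemctl start tcp-fastopen-rotate-keys.service` once.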
+++ b/packages/1.ns2.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 chrony
 cloud-guest-utils
diff --git a/packages/2.ns1.grapheneos.org b/packages/2.ns1.grapheneos.org
index b094b2d..c7223d1 100644
--- a/packages/2.ns1.grapheneos.org
+++ b/packages/2.ns1.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 bird
 chrony
diff --git a/packages/2.ns2.grapheneos.org b/packages/2.ns2.grapheneos.org
index 60cf59f..81d0975 100644
--- a/packages/2.ns2.grapheneos.org
+++ b/packages/2.ns2.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 chrony
 cloud-guest-utils
diff --git a/packages/3.ns1.grapheneos.org b/packages/3.ns1.grapheneos.org
index b094b2d..c7223d1 100644
--- a/packages/3.ns1.grapheneos.org
+++ b/packages/3.ns1.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 bird
 chrony
diff --git a/packages/ns1.staging.grapheneos.org b/packages/ns1.staging.grapheneos.org
index 55dd626..9250e5a 100644
--- a/packages/ns1.staging.grapheneos.org
+++ b/packages/ns1.staging.grapheneos.org
@@ -1,3 +1,4 @@
+b3sum
 base
 bird
 certbot
diff --git a/tcp-fastopen-rotate-keys b/tcp-fastopen-rotate-keys
new file mode 100755
index 0000000..9e15c34
--- /dev/null
+++ b/tcp-fastopen-rotate-keys
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -o errexit -o nounset -o pipefail
+umask 077
+if [[ -e /etc/tcp_fastopen_seed ]]; then
+ rand=$(b3sum --keyed -l 16 --no-names /etc/sysctl.d/50-tcp_fastopen_key.conf
+sysctl -p /etc/sysctl.d/50-tcp_fastopen_key.conf
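Review bot: The tail of the hunk writes a single key into `/etc/sysctl.d/50-tcp_fastopen_key.conf` and reloads it, so every daily rotation invalidates every cookie issued during the previous day and sends those returning clients through a cookie-less handshake; the kernel (5.1+) accepts `net.ipv4.tcp_fastopen_key = primary,backup`, and carrying the outgoing key over as the backup keeps them valid until the next rotation. Taking the previous primary from the file this script wrote, rather than from `sysctl -n`, avoids adopting the kernel's all-zero placeholder as a backup on first run: `prev=$(sed -n 's/^net\.ipv4\.tcp_fastopen_key = \([^,]*\).*/\1/p' /etc/sysctl.d/50-tcp_fastopen_key.conf 2>/dev/null || true)` before the write, and `$rand${prev:+,$prev}` in place of the bare key in the line that writes the file. The middle of this hunk is garbled as rendered here (the text between `--no-names` and the `/etc/sysctl.d/...` target on the `rand=` line appears to have been swallowed as an HTML tag), so I cannot see how the 16 bytes are formatted into the `xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx` form the kernel parses, whether an unseeded branch exists, or which variable the write line uses; the names above are assumed from what is visible. `b3sum --keyed` takes a 32-byte key on stdin, so if `/etc/tcp_fastopen_seed` is that key it must be exactly 32 bytes and root-only — `errexit` will stop the script on a wrong length, but a short or world-readable seed makes the entire key schedule guessable and with it the server-side cookies these nameservers accept.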