diff --git a/pkg/daemon/daemon.go b/pkg/daemon/daemon.go
index 099eba10..32d00575 100644
--- a/pkg/daemon/daemon.go
+++ b/pkg/daemon/daemon.go
@@ -1407,6 +1407,18 @@ func (d *Daemon) doStop() {
 // so the daemon.shutting_down event published above flows through
 // the bus to the still-subscribed plugin, which drains its
 // internal queue on Stop().
+
+ // Defense-in-depth: flush identity to disk on shutdown.
+ // Today all identity mutations persist eagerly (GenerateIdentity
+ // in startNetworked and RotateKey save synchronously), but a
+ // future code path that mutates d.identity in-memory without a
+ // write would lose the change on next start. Writing here ensures
+ // identity on disk always reflects the shutdown state.
+ if d.config.IdentityPath != "" {
+ if err := crypto.SaveIdentity(d.config.IdentityPath, d.identity); err != nil {
+ slog.Warn("identity flush on shutdown failed", "error", err)
+ }
+ }
 }
 
 // startManaged detects managed networks this node belongs to and starts engines.
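Review bot: The new flush in doStop is guarded only by `d.config.IdentityPath != ""`, so a daemon that is stopped before an identity was loaded or generated would pass an unset `d.identity` to `crypto.SaveIdentity`. If `d.identity` is a pointer (its type is not visible here), that call either panics during shutdown or replaces a valid key file with an empty one, depending on how SaveIdentity treats nil. Tightening the condition to `if d.config.IdentityPath != "" && d.identity != nil {` would avoid both outcomes. Because every shutdown now rewrites the private-key file, it is also worth confirming that SaveIdentity writes atomically (temp file plus rename) with owner-only permissions, since a process killed mid-shutdown could otherwise leave a truncated identity on disk. doStop begins above this hunk, so any locking around d.identity against a concurrent RotateKey could not be checked.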