diff --git a/cdist/conf/type/__ssh_authorized_keys/gencode-remote b/cdist/conf/type/__ssh_authorized_keys/gencode-remote
index 2fb1895a..a940cb00 100755
--- a/cdist/conf/type/__ssh_authorized_keys/gencode-remote
+++ b/cdist/conf/type/__ssh_authorized_keys/gencode-remote
@@ -24,9 +24,6 @@
 state="$(cat "$__object/parameter/state" 2>/dev/null)"
 file="$(cat "$__object/explorer/file")"
 keys_file="$__object/explorer/keys"
-temp_file="${file}.tmp"
-work_file="${temp_file}.work"
-
 _type_and_key() {
 echo "$1" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }'
 }
@@ -50,8 +47,18 @@ _gen_key_entry() {
 printf '\n'
 }
 
+
 cat << DONE
-cp -f "${file}" "${temp_file}"
+new_keys=\$(mktemp ${file}.cdist.XXXXXXXXXX)
+patterns=\$(mktemp ${file}.cdist.XXXXXXXXXX)
+
+tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
+
+# preserve ownership and permissions of existing file
+if [ -f "${file}" ]
+then
+ cp -p "${file}" "\${tmpfile}"
+fi
 DONE
 
 while read -r key; do
@@ -67,7 +74,7 @@ while read -r key; do
 
 # remove conflicting entries
 cat << DONE
- grep -v "${type_and_key}\\([ \\n].*\\)*\$" "${temp_file}" > "${work_file}" || true
+echo '${type_and_key}\\([ \\\\n].*\\)*\$' >> "\${patterns}"
 DONE
 
 entry="$(_gen_key_entry "${key}")"
@@ -77,15 +84,13 @@ DONE
 # escape single quotes
 _line_sanitised=$(echo "${entry}" | sed -e "s/'/'\"'\"'/g")
 cat << DONE
- printf "%s\\n" "${_line_sanitised}" >> "${work_file}"
- mv -f "${work_file}" "${temp_file}"
+printf "%s\\n" "${_line_sanitised}" >> "\${new_keys}"
 DONE
 echo "added to ${file} (${entry})" >> "$__messages_out"
 ;;
 absent)
 cat << DONE
- grep -v "${entry}" "${work_file}" > "${temp_file}" || true
- rm -f "${work_file}"
+echo "${entry}" >> "\${patterns}"
 DONE
 echo "removed from ${file} (${entry})" >> "$__messages_out"
 ;;
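Review bot: The three `mktemp` templates leave `${file}` unquoted in the generated script (`new_keys=\$(mktemp ${file}.cdist.XXXXXXXXXX)` and the two lines below it), so a path containing whitespace or glob characters is split into several arguments on the remote side, while every other use of `${file}` in this hunk is quoted; quote the template, `new_keys=\$(mktemp "${file}.cdist.XXXXXXXXXX")`, and likewise for `patterns`, `tmpfile` and the `newfile` in the last hunk. Nothing removes the three temporary files if the generated script stops before the final heredoc, so an aborted run leaves `*.cdist.*` copies of the key file next to the real one; if the generated code runs as a script of its own, a `trap 'rm -f "\${new_keys}" "\${patterns}" "\${tmpfile}"' EXIT` line after the assignments would cover every exit path. `cp -p` preserves owner and group only when the remote code runs with sufficient privilege, which the hunk cannot show — presumably root, but worth stating in the comment above it.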
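Review bot: The generated line `echo '${type_and_key}\\([ \\\\n].*\\)*\$' >> "\${patterns}"` hands a string full of backslashes to the remote shell's `echo`, whose treatment of backslash escapes is implementation-defined (dash's builtin rewrites `\\` and `\n`, bash's does not), so the regex that lands in the patterns file depends on which `sh` runs the remote code; emit it with `printf '%s\n' '${type_and_key}\\([ \\\\n].*\\)*\$' >> "\${patterns}"` so the bytes are appended unchanged. The pattern remains a basic regular expression, which is fine for the base64 key material of the listed key types (no BRE metacharacters), but `_type_and_key` and the `case` this code sits in are outside the hunk, so that assumption should be confirmed there.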
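Review bot: In the `absent)` branch the whole entry is appended verbatim with `echo "${entry}" >> "\${patterns}"`, but the file is consumed later by `grep -v -f` as basic regular expressions, so `.`, `*`, `[` or `^` in a key's options or comment are interpreted rather than matched literally, and an unbalanced `[` makes that `grep` exit with status 2 (see the note on the hunk that runs it for what `|| true` then does to the key file). Escape the entry before writing it, e.g. `_entry_re=$(printf '%s\n' "${entry}" | sed -e 's/[][\.*^$]/\\&/g')`, and append `^${_entry_re}\$` so only the exact line is removed. As in the present branch, `printf '%s\n'` is the safer emitter than `echo` for data that may contain backslashes. The `case` statement this branch belongs to starts outside the hunk.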
@@ -94,8 +99,19 @@ done < "$__object/parameter/key"
 
 set --
 cat << DONE
-set --
+if [ -s "\${patterns}" ] && [ -f "${file}" ]
+then
+ grep -v -f "\${patterns}" "${file}" > "\${tmpfile}" || true
+fi
+if [ -s "\${new_keys}" ]
+then
+ cat "\${new_keys}" >> "\${tmpfile}"
+fi
+
+rm -f "\${patterns}"
+rm -f "\${new_keys}"
 DONE
+
 if [ -f "$__object/parameter/remove-unknown" ] && [ -s "${keys_file}" ]
 then
 while read -r key
@@ -107,23 +123,29 @@ then
 continue
 fi
 
- # build grep -e patterns
- set -- "\$@" "-e" "${key}"
+ # build grep patterns
 cat << DONE
- set -- "\$@" "-e" "${key}"
+echo "${key}" >> "\${patterns}"
 DONE
 done < "${keys_file}"
-
- # if no pattern then nothing to remove
- if [ $# -gt 0 ]
- then
- cat << DONE
- grep -v -F -x "\$@" "${temp_file}" > "${work_file}" || true
- mv -f "${work_file}" "${temp_file}"
-DONE
- fi
 fi
 
 cat << DONE
-mv -f "${temp_file}" "${file}"
+if [ -s "\${patterns}" ] && [ -f "${file}" ]
+then
+ newfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
+ # preserve ownership and permissions of existing file
+ if [ -f "${file}" ]; then
+ cp -p "${file}" "\${newfile}"
+ fi
+
+ grep -v -F -x -f "\${patterns}" "\${tmpfile}" > "\${newfile}" || true
+ mv -f "\${newfile}" "${file}"
+ rm -f "\${tmpfile}"
+else
+ mv -f "\${tmpfile}" "${file}"
+fi
+
+rm -f "\${patterns}"
+rm -f "\${new_keys}"
 DONE
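Review bot: `grep -v -f "\${patterns}" "${file}" > "\${tmpfile}" || true` discards grep's exit status 2 (invalid pattern, unreadable input) along with the harmless 1, and because the redirection has already truncated `\${tmpfile}`, the now-empty copy is moved over `${file}` by the final heredoc in the last hunk — a single malformed pattern removes every authorized key; the `grep -v -F -x -f` in that hunk has the same weakness. Keep only the no-match case, e.g. `grep -v -f "\${patterns}" "${file}" > "\${tmpfile}"; rc=\$?; [ "\$rc" -le 1 ] || exit "\$rc"` (or whatever failure convention the remote script follows). The `rm -f "\${patterns}"` here is also premature: the remove-unknown loop in the next hunk appends to the same path with `>>`, recreating it under the umask's default mode and without mktemp's exclusive creation, and the final heredoc already removes both files, so these two `rm -f` lines should go.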
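Review bot: The inner `if [ -f "${file}" ]; then cp -p "${file}" "\${newfile}"; fi` can never skip the copy, because the enclosing `if` already required `[ -f "${file}" ]`; drop the nested test and keep the `cp -p` (with its comment) unconditional. The closing `rm -f "\${patterns}"` / `rm -f "\${new_keys}"` pair duplicates the removal emitted by the earlier heredoc; this is the pair to keep, since it runs after both files have served their purpose. `grep -v -F -x -f` only removes lines that equal a pattern byte for byte, so this presumably relies on the keys explorer emitting lines exactly as they appear in `${file}` — that explorer is outside the hunk, and any whitespace difference would silently leave unknown keys in place, so worth a comment such as `# -x: explorer lines must match file lines exactly`. The `mktemp` template for `newfile` is unquoted, as in the first heredoc.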