diff --git a/opencryptoki-3.24.0-sysusers-config.patch b/opencryptoki-3.24.0-sysusers-config.patch
new file mode 100644
index 0000000..63b7317
--- /dev/null
+++ b/opencryptoki-3.24.0-sysusers-config.patch
@@ -0,0 +1,7 @@
+diff -Nur opencryptoki-3.24.0.me/opencryptoki.sysusers.conf opencryptoki-3.24.0/opencryptoki.sysusers.conf
+--- opencryptoki-3.24.0.me/opencryptoki.sysusers.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki.sysusers.conf 2025-03-12 15:56:16.270318728 +0100
+@@ -0,0 +1,3 @@
++u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
++g pkcs11 - -
++m pkcsslotd pkcs11
diff --git a/opencryptoki-3.24.0-tmpfiles-image-mode.patch b/opencryptoki-3.24.0-tmpfiles-image-mode.patch
index 11b3a26..3f39f14 100644
--- a/opencryptoki-3.24.0-tmpfiles-image-mode.patch
+++ b/opencryptoki-3.24.0-tmpfiles-image-mode.patch
@@ -5,8 +5,43 @@ diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/t
  # path mode uid gid age
  D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
  d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
-+D @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
++d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
 +z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root pkcs11 -
 +z /etc/opencryptoki/strength.conf 0640 root pkcs11 -
  d @logdir@ 0770 root @pkcs_group@ -
  D @lockdir@ 0770 root @pkcs_group@ -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-ccatok.conf opencryptoki-3.24.0/opencryptoki-ccatok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-ccatok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-ccatok.conf 2025-03-12 15:40:01.270065049 +0100
+@@ -0,0 +1,2 @@
++d /var/lib/opencryptoki/ccatok 770 root pkcs11 -
++d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf opencryptoki-3.24.0/opencryptoki-ep11tok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-ep11tok.conf 2025-03-12 15:40:01.270122658 +0100
+@@ -0,0 +1,2 @@
++d /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
++d /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-icatok.conf opencryptoki-3.24.0/opencryptoki-icatok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-icatok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-icatok.conf 2025-03-12 15:40:01.270168936 +0100
+@@ -0,0 +1,2 @@
++d /var/lib/opencryptoki/lite 770 root pkcs11 -
++d /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-icsftok.conf opencryptoki-3.24.0/opencryptoki-icsftok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-icsftok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-icsftok.conf 2025-03-12 15:40:01.270213441 +0100
+@@ -0,0 +1 @@
++d /var/lib/opencryptoki/icsf 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-swtok.conf opencryptoki-3.24.0/opencryptoki-swtok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-swtok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-swtok.conf 2025-03-12 15:40:01.270256492 +0100
+@@ -0,0 +1,3 @@
++# path mode uid gid age
++d /var/lib/opencryptoki/swtok 770 root pkcs11 -
++d /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
+diff -Nur opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf opencryptoki-3.24.0/opencryptoki-tpmtok.conf
+--- opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf 1970-01-01 01:00:00.000000000 +0100
++++ opencryptoki-3.24.0/opencryptoki-tpmtok.conf 2025-03-12 15:40:01.270339921 +0100
+@@ -0,0 +1 @@
++d /var/lib/opencryptoki/tpm 770 root pkcs11 -
diff --git a/opencryptoki-ccatok.conf b/opencryptoki-ccatok.conf
deleted file mode 100644
index 3528fc7..0000000
--- a/opencryptoki-ccatok.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-D /var/lib/opencryptoki/ccatok 770 root pkcs11 -
-D /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-ep11tok.conf b/opencryptoki-ep11tok.conf
deleted file mode 100644
index 687059b..0000000
--- a/opencryptoki-ep11tok.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-D /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
-D /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-icatok.conf b/opencryptoki-icatok.conf
deleted file mode 100644
index f3ca4a4..0000000
--- a/opencryptoki-icatok.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-D /var/lib/opencryptoki/lite 770 root pkcs11 -
-D /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-icsftok.conf b/opencryptoki-icsftok.conf
deleted file mode 100644
index 1786dd8..0000000
--- a/opencryptoki-icsftok.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /var/lib/opencryptoki/icsf 770 root pkcs11 -
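Review bot: The new per-token entries such as `++d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -` apply mode and ownership to the directory itself only; if the "change file ownership for image mode" intent is also meant to cover token objects already present under `TOK_OBJ` on an upgraded host, `d` will not touch them (only the recursive `Z` type would, at the cost of walking every object on each boot), so the commit message should say that freshly created image-mode directories are the only scope. The mode is written `770` in the new files while the existing `tmpfiles.conf.in` context line in the same hunk uses `0770`; both parse, but one spelling is easier to audit. This hunk starts on the previous line of the page.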
diff --git a/opencryptoki-swtok.conf b/opencryptoki-swtok.conf
deleted file mode 100644
index 6d994d3..0000000
--- a/opencryptoki-swtok.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# path mode uid gid age
-D /var/lib/opencryptoki/swtok 770 root pkcs11 -
-D /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-tmpfiles.conf b/opencryptoki-tmpfiles.conf
deleted file mode 100644
index 0ffe422..0000000
--- a/opencryptoki-tmpfiles.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-d /run/opencryptoki 0710 pkcsslotd pkcs11 -
-
diff --git a/opencryptoki-tpmtok.conf b/opencryptoki-tpmtok.conf
deleted file mode 100644
index f5cfc0f..0000000
--- a/opencryptoki-tpmtok.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /var/lib/opencryptoki/tpm 770 root pkcs11 -
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 8c29194..8d6df8f 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,26 +1,23 @@
+%global use_sysusers 1
+
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.24.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1: opencryptoki.module
-Source2: opencryptoki.sysusers
-# split tmpfiles for image mode
-Source3: opencryptoki-ccatok.conf
-Source4: opencryptoki-icatok.conf
-Source5: opencryptoki-swtok.conf
-Source6: opencryptoki-tpmtok.conf
-Source7: opencryptoki-ep11tok.conf
-Source8: opencryptoki-icsftok.conf
 # fix install problem in buildroot
 Patch1: opencryptoki-3.24.0-p11sak.patch
-# use tmpfiles to change file ownership for image mode
+# tmpfiles.d config files for image mode
 Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
+# sysuser config file for image mode
+Patch3: opencryptoki-3.24.0-sysusers-config.patch
+
 # upstream patches
 Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
 Patch101: opencryptoki-3.24.0-resource-leaks.patch
@@ -39,8 +36,6 @@ BuildRequires: libcap-devel
 BuildRequires: expect
 BuildRequires: make
 BuildRequires: systemd-rpm-macros
-%{?sysusers_requires_compat}
-
 %ifarch s390 s390x
 BuildRequires: libica-devel >= 3.3
 # for /usr/include/libudev.h
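Review bot: With `%{?sysusers_requires_compat}` removed in the `@@ -39,8 +36,6 @@` hunk and `%sysusers_create_compat` replaced in `%pre libs` (hunk `@@ -247,7 +246,10 @@` on the next line) by a `getent`/`useradd` fallback that is compiled out because of `%global use_sysusers 1`, nothing visible in this diff creates `pkcs11`/`pkcsslotd` before rpm unpacks the `%dir %attr(770,root,pkcs11)` entries in `%files`; rpm substitutes root for an unknown group with only a warning, which would leave those 770 token directories unusable by the `pkcs11` group. That is acceptable only if the target rpm processes the packaged sysusers.d file natively (rpm 4.19 and later), which should be confirmed and stated in the changelog rather than assumed. If the compat path is still needed on some target, note that `%sysusers_create_compat` expands at spec-parse time and so cannot read a file that only exists after `%prep` applies Patch3 — the sysusers file would then have to remain a `Source`, e.g. `Source2: opencryptoki.sysusers.conf` paired with `%sysusers_create_compat %{SOURCE2}` inside the `%if %{use_sysusers}` branch of `%pre libs`.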
@@ -218,24 +213,28 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 %install
 %make_install CHGRP=/bin/true
+%if %{use_sysusers}
+# Install sysusers.d config file
+install -p -D -m 0644 %{name}.sysusers.conf %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
-# Install sysusers.d configuration
-install -p -D -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
-
-# Install tmpfiles.d config
+# Install tmpfiles.d config files
 %ifarch s390 s390x
-install -p -D -m 0644 %{SOURCE4} %{SOURCE7} %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-icatok.conf %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-ep11tok.conf %{buildroot}%{_tmpfilesdir}/
 %endif
 %ifarch s390 s390x x86_64 ppc64le
-install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-ccatok.conf %{buildroot}%{_tmpfilesdir}/
 %endif
 %if 0%{?tmptok}
-install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
+%endif
+
+install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
+install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
 %endif
-install -p -D -m 0644 %{SOURCE5} %{SOURCE8} %{buildroot}%{_tmpfilesdir}/
 %pre
 # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@@ -247,7 +246,10 @@ if test $1 -gt 1 && test -f %{cfile} ; then
 fi
 %pre libs
-%sysusers_create_compat %{SOURCE2}
+%if ! %{use_sysusers}
+getent group pkcs11 >/dev/null || groupadd -r pkcs11
+getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
+%endif
 exit 0
 %post
@@ -264,7 +266,6 @@ if test $1 -eq 1; then
 %tmpfiles_create %{name}.conf
 fi
-
 %preun
 %systemd_preun pkcsslotd.service
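Review bot: The tmpfiles.d installs are now nested inside the new `%if %{use_sysusers}` block — the pre-existing ` %endif` after the icsftok install is what closes it — and the matching `%{_tmpfilesdir}` entries in the `%files` hunks on the following lines (`@@ -336`, `@@ -344`, `@@ -354`, `@@ -362`, `@@ -375`, `@@ -391`) are guarded the same way, so flipping `use_sysusers` to 0 would silently drop the per-token directory setup that image mode depends on even though account creation and tmpfiles are independent mechanisms. Either move the `%endif` up to just after the `%{name}.sysusers.conf` install and drop the `%if %{use_sysusers}` guards from the `%files` sections, or guard the tmpfiles lines with their own switch (e.g. a constructed `%global use_tmpfiles 1`) so the two can be toggled separately. A one-line comment next to `%global use_sysusers 1` stating what it gates would make the intent clear either way.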
@@ -325,7 +326,9 @@ fi
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
 %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
-%{_sysusersdir}/%{name}.conf
+%if %{use_sysusers}
+%{_sysusersdir}/%{name}.sysusers.conf
+%endif
 %files devel
 %{_includedir}/%{name}/
@@ -336,7 +339,9 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
+%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-swtok.conf
+%endif
 %if 0%{?tmptok}
 %files tpmtok
@@ -344,8 +349,10 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
 %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
+%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-tpmtok.conf
 %endif
+%endif
 %files icsftok
 %doc doc/README.icsf_stdll
@@ -354,7 +361,9 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
 %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
+%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-icsftok.conf
+%endif
 %ifarch s390 s390x
 %files icatok
@@ -362,8 +371,10 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
+%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-icatok.conf
 %endif
+%endif
 %ifarch s390 s390x x86_64 ppc64le
 %files ccatok
@@ -375,8 +386,10 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
+%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-ccatok.conf
 %endif
+%endif
 %ifarch s390 s390x
 %files ep11tok
@@ -391,11 +404,17 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
+%if %{use_sysusers}
 %{_tmpfilesdir}/%{name}-ep11tok.conf
 %endif
+%endif
 %changelog
+* Tue Mar 18 2025 Than Ngo - 3.24.0-7
+- Resolves: RHEL-80632, tokens are deleted on reboot
+- Related: RHEL-77146, opencryptoki doesn't work in image mode
+
 * Tue Feb 04 2025 Than Ngo - 3.24.0-6
 - Use tmpfiles to change file ownership for image mode
 Related: RHEL-77146
diff --git a/opencryptoki.sysusers b/opencryptoki.sysusers
deleted file mode 100644
index 0803919..0000000
--- a/opencryptoki.sysusers
+++ /dev/null
@@ -1,3 +0,0 @@
-u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
-g pkcs11 - -
-m pkcsslotd pkcs11