diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0e1e98b84..58e161d99 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -630,6 +630,9 @@ on late-fs
     write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1
 
 on post-fs-data
+    # Boot level 30 - at this point daemons like apexd and odsign run
+    setprop keystore.boot_level 30
+
     mark_post_data
 
     # Start checkpoint before we touch data
@@ -908,6 +911,8 @@ on post-fs-data
     # Lock the fs-verity keyring, so no more keys can be added
     exec -- /system/bin/fsverity_init --lock
 
+    setprop keystore.boot_level 40
+
     # Allow apexd to snapshot and restore device encrypted apex data in the case
     # of a rollback. This should be done immediately after DE_user data keys
     # are loaded. APEXes should not access this data until this has been