diff --git a/packages/ozone/src/context.ts b/packages/ozone/src/context.ts
index a2fed060a5f..0a18feda86a 100644
--- a/packages/ozone/src/context.ts
+++ b/packages/ozone/src/context.ts
@@ -16,6 +16,7 @@ import {
 } from './communication-service/template'
 import { AuthVerifier } from './auth-verifier'
 import { ImageInvalidator } from './image-invalidator'
+import { getSigningKeyId } from './util'
 
 export type AppContextOptions = {
   db: Database
@@ -48,6 +49,7 @@ export class AppContext {
       poolIdleTimeoutMs: cfg.db.poolIdleTimeoutMs,
     })
     const signingKey = await Secp256k1Keypair.import(secrets.signingKeyHex)
+    const signingKeyId = await getSigningKeyId(db, signingKey.did())
     const appviewAgent = new AtpAgent({ service: cfg.appview.url })
     const pdsAgent = cfg.pds
       ? new AtpAgent({ service: cfg.pds.url })
@@ -72,6 +74,7 @@ export class AppContext {
 
     const modService = ModerationService.creator(
       signingKey,
+      signingKeyId,
       cfg,
       backgroundQueue,
       idResolver,
@@ -195,5 +198,4 @@ export class AppContext {
     }
   }
 }
-
 export default AppContext
diff --git a/packages/ozone/src/daemon/context.ts b/packages/ozone/src/daemon/context.ts
index c915f26abc0..0217b9a7bf3 100644
--- a/packages/ozone/src/daemon/context.ts
+++ b/packages/ozone/src/daemon/context.ts
@@ -8,6 +8,7 @@ import { EventReverser } from './event-reverser'
 import { ModerationService, ModerationServiceCreator } from '../mod-service'
 import { BackgroundQueue } from '../background'
 import { IdResolver } from '@atproto/identity'
+import { getSigningKeyId } from '../util'
 
 export type DaemonContextOptions = {
   db: Database
@@ -31,6 +32,7 @@ export class DaemonContext {
       schema: cfg.db.postgresSchema,
     })
     const signingKey = await Secp256k1Keypair.import(secrets.signingKeyHex)
+    const signingKeyId = await getSigningKeyId(db, signingKey.did())
 
     const appviewAgent = new AtpAgent({ service: cfg.appview.url })
     const createAuthHeaders = (aud: string) =>
@@ -52,6 +54,7 @@ export class DaemonContext {
 
     const modService = ModerationService.creator(
       signingKey,
+      signingKeyId,
       cfg,
       backgroundQueue,
       idResolver,
diff --git a/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts b/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
index ae5f281bbf9..59e859faab6 100644
--- a/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
+++ b/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
@@ -8,11 +8,17 @@ export async function up(db: Kysely<unknown>): Promise<void> {
     .execute()
   await db.schema
     .alterTable('label')
-    .addColumn('signingKey', 'varchar')
+    .addColumn('signingKeyId', 'integer')
+    .execute()
+  await db.schema
+    .createTable('signing_key')
+    .addColumn('id', 'serial', (col) => col.primaryKey())
+    .addColumn('key', 'varchar', (col) => col.notNull().unique())
     .execute()
 }
 
 export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('signing_key')
   await db.schema.alterTable('label').dropColumn('exp').execute()
   await db.schema.alterTable('label').dropColumn('sig').execute()
   await db.schema.alterTable('label').dropColumn('signingKey').execute()
diff --git a/packages/ozone/src/db/schema/index.ts b/packages/ozone/src/db/schema/index.ts
index b522a75ef9f..48e3f15cdc5 100644
--- a/packages/ozone/src/db/schema/index.ts
+++ b/packages/ozone/src/db/schema/index.ts
@@ -5,11 +5,13 @@ import * as repoPushEvent from './repo_push_event'
 import * as recordPushEvent from './record_push_event'
 import * as blobPushEvent from './blob_push_event'
 import * as label from './label'
+import * as signingKey from './signing_key'
 import * as communicationTemplate from './communication_template'
 
 export type DatabaseSchemaType = modEvent.PartialDB &
   modSubjectStatus.PartialDB &
   label.PartialDB &
+  signingKey.PartialDB &
   repoPushEvent.PartialDB &
   recordPushEvent.PartialDB &
   blobPushEvent.PartialDB &
diff --git a/packages/ozone/src/db/schema/label.ts b/packages/ozone/src/db/schema/label.ts
index 75bcd0adf52..58042478c8d 100644
--- a/packages/ozone/src/db/schema/label.ts
+++ b/packages/ozone/src/db/schema/label.ts
@@ -12,7 +12,7 @@ export interface Label {
   cts: string
   exp: string | null
   sig: Buffer | null
-  signingKey: string | null
+  signingKeyId: number | null
 }
 
 export type LabelRow = Selectable<Label>
diff --git a/packages/ozone/src/db/schema/signing_key.ts b/packages/ozone/src/db/schema/signing_key.ts
new file mode 100644
index 00000000000..654fae9bbfc
--- /dev/null
+++ b/packages/ozone/src/db/schema/signing_key.ts
@@ -0,0 +1,10 @@
+import { Generated } from 'kysely'
+
+export const tableName = 'signing_key'
+
+export interface SigningKey {
+  id: Generated<number>
+  key: string
+}
+
+export type PartialDB = { [tableName]: SigningKey }
diff --git a/packages/ozone/src/mod-service/index.ts b/packages/ozone/src/mod-service/index.ts
index e77466b5c28..5fc47c4a697 100644
--- a/packages/ozone/src/mod-service/index.ts
+++ b/packages/ozone/src/mod-service/index.ts
@@ -58,6 +58,7 @@ export class ModerationService {
   constructor(
     public db: Database,
     public signingKey: Keypair,
+    public signingKeyId: number,
     public cfg: OzoneConfig,
     public backgroundQueue: BackgroundQueue,
     public idResolver: IdResolver,
@@ -69,6 +70,7 @@ export class ModerationService {
 
   static creator(
     signingKey: Keypair,
+    signingKeyId: number,
     cfg: OzoneConfig,
     backgroundQueue: BackgroundQueue,
     idResolver: IdResolver,
@@ -81,6 +83,7 @@ export class ModerationService {
       new ModerationService(
         db,
         signingKey,
+        signingKeyId,
         cfg,
         backgroundQueue,
         idResolver,
@@ -94,7 +97,7 @@ export class ModerationService {
   views = new ModerationViews(
     this.db,
     this.signingKey,
-    this.backgroundQueue,
+    this.signingKeyId,
     this.appviewAgent,
     () => this.createAuthHeaders(this.cfg.appview.did),
   )
@@ -902,8 +905,7 @@ export class ModerationService {
     const signedLabels = await Promise.all(
       labels.map((l) => signLabel(l, this.signingKey)),
     )
-    const signingKey = this.signingKey.did()
-    const dbVals = signedLabels.map((l) => formatLabelRow(l, signingKey))
+    const dbVals = signedLabels.map((l) => formatLabelRow(l, this.signingKeyId))
     const { ref } = this.db.db.dynamic
     await sql`notify ${ref(LabelChannel)}`.execute(this.db.db)
     const excluded = (col: string) => ref(`excluded.${col}`)
diff --git a/packages/ozone/src/mod-service/util.ts b/packages/ozone/src/mod-service/util.ts
index c3f055380de..63939c27e64 100644
--- a/packages/ozone/src/mod-service/util.ts
+++ b/packages/ozone/src/mod-service/util.ts
@@ -21,7 +21,7 @@ export const formatLabel = (row: LabelRow): Label => {
 
 export const formatLabelRow = (
   label: Label,
-  signingKey?: string,
+  signingKeyId?: number,
 ): Omit<LabelRow, 'id'> => {
   return {
     src: label.src,
@@ -32,7 +32,7 @@ export const formatLabelRow = (
     cts: label.cts,
     exp: label.exp ?? null,
     sig: label.sig ? Buffer.from(label.sig) : null,
-    signingKey: signingKey ?? null,
+    signingKeyId: signingKeyId ?? null,
   }
 }
 
diff --git a/packages/ozone/src/mod-service/views.ts b/packages/ozone/src/mod-service/views.ts
index e00facd36e6..3aa9e4935c8 100644
--- a/packages/ozone/src/mod-service/views.ts
+++ b/packages/ozone/src/mod-service/views.ts
@@ -27,7 +27,6 @@ import { REASONOTHER } from '../lexicon/types/com/atproto/moderation/defs'
 import { subjectFromEventRow, subjectFromStatusRow } from './subject'
 import { formatLabel, signLabel } from './util'
 import { LabelRow } from '../db/schema/label'
-import { BackgroundQueue } from '../background'
 import { dbLogger } from '../logger'
 import { httpLogger } from '../logger'
 
@@ -41,7 +40,7 @@ export class ModerationViews {
   constructor(
     private db: Database,
     private signingKey: Keypair,
-    private backgroundQueue: BackgroundQueue,
+    private signingKeyId: number,
     private appviewAgent: AtpAgent,
     private appviewAuth: () => Promise<AuthHeaders>,
   ) {}
@@ -421,23 +420,20 @@ export class ModerationViews {
   }
 
   async formatLabelAndEnsureSig(row: LabelRow) {
-    const signingKey = this.signingKey.did()
     const formatted = formatLabel(row)
-    if (!!row.sig && row.signingKey === signingKey) {
+    if (!!row.sig && row.signingKeyId === this.signingKeyId) {
       return formatted
     }
     const signed = await signLabel(formatted, this.signingKey)
-    this.backgroundQueue.add(async (db) => {
-      try {
-        await db.db
-          .updateTable('label')
-          .set({ sig: Buffer.from(signed.sig), signingKey })
-          .where('id', '=', row.id)
-          .execute()
-      } catch (err) {
-        dbLogger.error({ err, label: row }, 'failed to update resigned label')
-      }
-    })
+    try {
+      await this.db.db
+        .updateTable('label')
+        .set({ sig: Buffer.from(signed.sig), signingKeyId: this.signingKeyId })
+        .where('id', '=', row.id)
+        .execute()
+    } catch (err) {
+      dbLogger.error({ err, label: row }, 'failed to update resigned label')
+    }
     return signed
   }
 
diff --git a/packages/ozone/src/util.ts b/packages/ozone/src/util.ts
index ab96998642a..8ce6df40157 100644
--- a/packages/ozone/src/util.ts
+++ b/packages/ozone/src/util.ts
@@ -1,6 +1,27 @@
 import { AxiosError } from 'axios'
 import { XRPCError, ResponseType } from '@atproto/xrpc'
 import { RetryOptions, retry } from '@atproto/common'
+import Database from './db'
+
+export const getSigningKeyId = async (
+  db: Database,
+  signingKey: string,
+): Promise<number> => {
+  const selectRes = await db.db
+    .selectFrom('signing_key')
+    .selectAll()
+    .where('key', '=', signingKey)
+    .executeTakeFirst()
+  if (selectRes) {
+    return selectRes.id
+  }
+  const insertRes = await db.db
+    .insertInto('signing_key')
+    .values({ key: signingKey })
+    .returningAll()
+    .executeTakeFirstOrThrow()
+  return insertRes.id
+}
 
 export async function retryHttp<T>(
   fn: () => Promise<T>,
diff --git a/packages/ozone/tests/query-labels.test.ts b/packages/ozone/tests/query-labels.test.ts
index 3e8a26deae2..e8f49a5e53c 100644
--- a/packages/ozone/tests/query-labels.test.ts
+++ b/packages/ozone/tests/query-labels.test.ts
@@ -10,6 +10,7 @@ import {
   OutputSchema as LabelMessage,
   isLabels,
 } from '../src/lexicon/types/com/atproto/label/subscribeLabels'
+import { getSigningKeyId } from '../src/util'
 
 describe('ozone query labels', () => {
   let network: TestNetwork
@@ -154,9 +155,11 @@ describe('ozone query labels', () => {
 
     const modSrvc = ctx.modService(ctx.db)
     const newSigningKey = await Secp256k1Keypair.create()
+    const newSigningKeyId = await getSigningKeyId(ctx.db, newSigningKey.did())
     ctx.devOverride({
       modService: ModerationService.creator(
         newSigningKey,
+        newSigningKeyId,
         ctx.cfg,
         modSrvc.backgroundQueue,
         ctx.idResolver,
@@ -186,7 +189,7 @@ describe('ozone query labels', () => {
     await network.ozone.processAll()
 
     const fromDb = await ctx.db.db.selectFrom('label').selectAll().execute()
-    expect(fromDb.every((row) => row.signingKey === newSigningKey.did())).toBe(
+    expect(fromDb.every((row) => row.signingKeyId === newSigningKeyId)).toBe(
       true,
     )