diff --git a/changelog/15946.txt b/changelog/15946.txt
new file mode 100644
index 0000000000000..869f61a10cba6
--- /dev/null
+++ b/changelog/15946.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/seal: Fix possible keyring truncation when using the file backend.
+```
diff --git a/sdk/physical/file/file.go b/sdk/physical/file/file.go
index 320ee21caa91d..e5e64e6efa41f 100644
--- a/sdk/physical/file/file.go
+++ b/sdk/physical/file/file.go
@@ -242,8 +242,9 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 // JSON encode the entry and write it
 fullPath := filepath.Join(path, key)
+ tempPath := fullPath + ".temp"
 f, err := os.OpenFile(
- fullPath,
+ tempPath,
 os.O_CREATE|os.O_TRUNC|os.O_WRONLY,
 0o600)
 if err != nil {
@@ -262,6 +263,10 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 })
 f.Close()
 if encErr == nil {
+ err = os.Rename(tempPath, fullPath)
+ if err != nil {
+ return err
+ }
 return nil
 }
@@ -270,7 +275,7 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 // See if we ended up with a zero-byte file and if so delete it, might be a
 // case of disk being full but the file info is in metadata that is
 // reserved.
- fi, err := os.Stat(fullPath)
+ fi, err := os.Stat(tempPath)
 if err != nil {
 return encErr
 }
@@ -278,7 +283,7 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 return encErr
 }
 if fi.Size() == 0 {
- os.Remove(fullPath)
+ os.Remove(tempPath)
 }
 return encErr
 }
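Review bot: The temp file name in the `@@ -242,8 +242,9 @@` hunk is the fixed string `fullPath + ".temp"`, which shares a directory and name space with stored entries and is opened with `O_CREATE|O_TRUNC`. If a stored key can itself end in `.temp`, a Put of its sibling key would truncate that entry and then rename it away. A temp file left behind by a crash may also surface as a phantom key if the listing code does not filter it; neither the key mapping nor the listing is visible in this hunk. A unique name such as `f, err := os.CreateTemp(path, key+".*.temp")` avoids the fixed-name collision and never truncates an existing file. PutInternal's body starts and ends outside the hunk.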
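Review bot: The rename in the `@@ -262,6 +263,10 @@` hunk publishes the temp file without flushing it: the error from `f.Close()` is discarded and there is no `f.Sync()`. After a crash or on a full disk the renamed file can therefore still be short or empty, which is the truncation this change is meant to prevent. A failed `os.Rename` also returns without removing `tempPath`. Sync and close should be checked before the rename, and the temp file removed when the rename fails, as sketched below; this assumes `encErr` is a plain `error` declared above the hunk.

```go
	// … unchanged: JSON encoding of the entry into f …
	if encErr == nil {
		// Flush file contents to stable storage before the rename publishes them.
		encErr = f.Sync()
	}
	if closeErr := f.Close(); encErr == nil {
		encErr = closeErr
	}
	if encErr == nil {
		if err := os.Rename(tempPath, fullPath); err != nil {
			os.Remove(tempPath) // best effort; the previous entry at fullPath is untouched
			return err
		}
		return nil
	}
	// … unchanged: best-effort cleanup, returns encErr …
```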
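Review bot: The best-effort cleanup in the `@@ -270,7 +275,7 @@` and `@@ -278,7 +283,7 @@` hunks still deletes only a zero-byte file, so a partially written `tempPath` stays on disk after an encode failure. The size check was written for the case where the write went straight to `fullPath`; the temp file is never the authoritative copy, so the tail can drop the `os.Stat` and call `os.Remove(tempPath)` unconditionally before `return encErr`. The comment above the stat, `// See if we ended up with a zero-byte file ...`, would need the same update.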