diff --git a/src/storage.c b/src/storage.c
index b2c5ed48..4200030c 100644
--- a/src/storage.c
+++ b/src/storage.c
@@ -53,7 +53,7 @@
 #define STORAGE_FILE_MODE (S_IRUSR | S_IWUSR)
 
 #define KNOWN_FREQ_FILENAME ".known_network.freq"
-#define TLS_CACHE_FILENAME ".tls-session-cache"
+#define EAP_TLS_CACHE_FILENAME ".eap-tls-session-cache"
 
 static char *storage_path = NULL;
 static char *storage_hotspot_path = NULL;
@@ -702,29 +702,35 @@ void storage_known_frequencies_sync(struct l_settings *known_freqs)
 	l_free(known_freq_file_path);
 }
 
-struct l_settings *storage_tls_session_cache_load(void)
+struct l_settings *storage_eap_tls_cache_load(void)
 {
-	_auto_(l_settings_free) struct l_settings *cache = l_settings_new();
-	_auto_(l_free) char *tls_cache_file_path =
-		storage_get_path("%s", TLS_CACHE_FILENAME);
+	_auto_(l_free) char *path =
+		storage_get_path("%s", EAP_TLS_CACHE_FILENAME);
+	struct l_settings *cache = l_settings_new();
 
-	if (unlikely(!l_settings_load_from_file(cache, tls_cache_file_path)))
-		return NULL;
+	if (!l_settings_load_from_file(cache, path))
+		l_debug("No session cache loaded from %s, starting with an "
+			"empty cache", path);
 
-	return l_steal_ptr(cache);
+	return cache;
 }
 
-void storage_tls_session_cache_sync(struct l_settings *cache)
+void storage_eap_tls_cache_sync(const struct l_settings *cache)
 {
-	_auto_(l_free) char *tls_cache_file_path = NULL;
+	_auto_(l_free) char *path =
+		storage_get_path("%s", EAP_TLS_CACHE_FILENAME);
+	_auto_(l_free) char *settings_data = NULL;
 	_auto_(l_free) char *data = NULL;
 	size_t len;
+	static const char comment[] =
+		"# External changes to this file are not tracked by IWD "
+		"and will be overwritten.\n\n";
+	static const size_t comment_len = L_ARRAY_SIZE(comment) - 1;
 
-	if (!cache)
-		return;
-
-	tls_cache_file_path = storage_get_path("%s", TLS_CACHE_FILENAME);
-	data = l_settings_to_data(cache, &len);
+	settings_data = l_settings_to_data(cache, &len);
+	data = l_malloc(comment_len + len);
+	memcpy(data, comment, comment_len);
+	memcpy(data + comment_len, settings_data, len);
 
 	/*
 	 * Note this data contains cryptographic secrets.  write_file()
@@ -732,7 +738,8 @@ void storage_tls_session_cache_sync(struct l_settings *cache)
 	 *
 	 * TODO: consider encrypting with system_key.
 	 */
-	write_file(data, len, false, "%s", tls_cache_file_path);
+	write_file(data, comment_len + len, false, "%s", path);
+	explicit_bzero(settings_data, len);
 	explicit_bzero(data, len);
 }
 
diff --git a/src/storage.h b/src/storage.h
index fe6ddbf5..04b50882 100644
--- a/src/storage.h
+++ b/src/storage.h
@@ -51,8 +51,8 @@ int storage_network_remove(enum security type, const char *ssid);
 struct l_settings *storage_known_frequencies_load(void);
 void storage_known_frequencies_sync(struct l_settings *known_freqs);
 
-struct l_settings *storage_tls_session_cache_load(void);
-void storage_tls_session_cache_sync(struct l_settings *cache);
+struct l_settings *storage_eap_tls_cache_load(void);
+void storage_eap_tls_cache_sync(const struct l_settings *cache);
 
 int __storage_decrypt(struct l_settings *settings, const char *ssid,
 				bool *changed);