diff --git a/src/basic/env-file.c b/src/basic/env-file.c
index 5fe045018d..c2cbff4d84 100644
--- a/src/basic/env-file.c
+++ b/src/basic/env-file.c
@@ -603,7 +603,7 @@ static void write_env_var(FILE *f, const char *v) {
         fputc_unlocked('\n', f);
 }
 
-int write_env_file_at(int dir_fd, const char *fname, char **l) {
+int write_env_file(int dir_fd, const char *fname, char **headers, char **l) {
         _cleanup_fclose_ FILE *f = NULL;
         _cleanup_free_ char *p = NULL;
         int r;
@@ -617,6 +617,12 @@ int write_env_file_at(int dir_fd, const char *fname, char **l) {
 
         (void) fchmod_umask(fileno(f), 0644);
 
+        STRV_FOREACH(i, headers) {
+                assert(isempty(*i) || startswith(*i, "#"));
+                fputs_unlocked(*i, f);
+                fputc_unlocked('\n', f);
+        }
+
         STRV_FOREACH(i, l)
                 write_env_var(f, *i);
 
@@ -631,3 +637,11 @@ int write_env_file_at(int dir_fd, const char *fname, char **l) {
         (void) unlinkat(dir_fd, p, 0);
         return r;
 }
+
+int write_vconsole_conf(int dir_fd, const char *fname, char **l) {
+        char **headers = STRV_MAKE(
+                "# Written by systemd-localed(8) or systemd-firstboot(1), read by systemd-localed",
+                "# and systemd-vconsole-setup(8). Use localectl(1) to update this file.");
+
+        return write_env_file(dir_fd, fname, headers, l);
+}
diff --git a/src/basic/env-file.h b/src/basic/env-file.h
index 2465eeddf4..37db30765b 100644
--- a/src/basic/env-file.h
+++ b/src/basic/env-file.h
@@ -19,7 +19,6 @@ int load_env_file_pairs_fd(int fd, const char *fname, char ***ret);
 
 int merge_env_file(char ***env, FILE *f, const char *fname);
 
-int write_env_file_at(int dir_fd, const char *fname, char **l);
-static inline int write_env_file(const char *fname, char **l) {
-        return write_env_file_at(AT_FDCWD, fname, l);
-}
+int write_env_file(int dir_fd, const char *fname, char **headers, char **l);
+
+int write_vconsole_conf(int dir_fd, const char *fname, char **l);
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index 87a82df4ee..6cf7415a18 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -446,7 +446,7 @@ static int process_locale(int rfd) {
 
         locales[i] = NULL;
 
-        r = write_env_file_at(pfd, f, locales);
+        r = write_env_file(pfd, f, NULL, locales);
         if (r < 0)
                 return log_error_errno(r, "Failed to write /etc/locale.conf: %m");
 
@@ -534,7 +534,7 @@ static int process_keymap(int rfd) {
 
         keymap = STRV_MAKE(strjoina("KEYMAP=", arg_keymap));
 
-        r = write_env_file_at(pfd, f, keymap);
+        r = write_vconsole_conf(pfd, f, keymap);
         if (r < 0)
                 return log_error_errno(r, "Failed to write /etc/vconsole.conf: %m");
 
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index 85904aabe9..e1d53f2395 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -656,7 +656,7 @@ static int context_write_data_machine_info(Context *c) {
                 return 0;
         }
 
-        r = write_env_file_label("/etc/machine-info", l);
+        r = write_env_file_label(AT_FDCWD, "/etc/machine-info", NULL, l);
         if (r < 0)
                 return r;
 
diff --git a/src/locale/localed-util.c b/src/locale/localed-util.c
index d78b878cf9..e4e57a0f4a 100644
--- a/src/locale/localed-util.c
+++ b/src/locale/localed-util.c
@@ -532,7 +532,7 @@ int vconsole_write_data(Context *c) {
                 return 0;
         }
 
-        r = write_env_file_label("/etc/vconsole.conf", l);
+        r = write_vconsole_conf_label(l);
         if (r < 0)
                 return r;
 
@@ -568,7 +568,7 @@ int x11_write_data(Context *c) {
 
         fputs("# Written by systemd-localed(8), read by systemd-localed and Xorg. It's\n"
               "# probably wise not to edit this file manually. Use localectl(1) to\n"
-              "# instruct systemd-localed to update it.\n"
+              "# update this file.\n"
               "Section \"InputClass\"\n"
               "        Identifier \"system-keyboard\"\n"
               "        MatchIsKeyboard \"on\"\n", f);
diff --git a/src/shared/env-file-label.c b/src/shared/env-file-label.c
index 468afce2ba..5917b6377f 100644
--- a/src/shared/env-file-label.c
+++ b/src/shared/env-file-label.c
@@ -6,14 +6,28 @@
 #include "env-file.h"
 #include "selinux-util.h"
 
-int write_env_file_label(const char *fname, char **l) {
+int write_env_file_label(int dir_fd, const char *fname, char **headers, char **l) {
         int r;
 
         r = mac_selinux_create_file_prepare(fname, S_IFREG);
         if (r < 0)
                 return r;
 
-        r = write_env_file(fname, l);
+        r = write_env_file(dir_fd, fname, headers, l);
+
+        mac_selinux_create_file_clear();
+
+        return r;
+}
+
+int write_vconsole_conf_label(char **l) {
+        int r;
+
+        r = mac_selinux_create_file_prepare("/etc/vconsole.conf", S_IFREG);
+        if (r < 0)
+                return r;
+
+        r = write_vconsole_conf(AT_FDCWD, "/etc/vconsole.conf", l);
 
         mac_selinux_create_file_clear();
 
diff --git a/src/shared/env-file-label.h b/src/shared/env-file-label.h
index d68058ab2e..5ba45e4005 100644
--- a/src/shared/env-file-label.h
+++ b/src/shared/env-file-label.h
@@ -5,4 +5,6 @@
  * optimize linking: This way, -lselinux is needed only for the callers of these functions that need selinux, but not
  * for all */
 
-int write_env_file_label(const char *fname, char **l);
+int write_env_file_label(int dir_fd, const char *fname, char **headers, char **l);
+
+int write_vconsole_conf_label(char **l);
diff --git a/src/shared/locale-setup.c b/src/shared/locale-setup.c
index 8943a42c9d..4e7f486a23 100644
--- a/src/shared/locale-setup.c
+++ b/src/shared/locale-setup.c
@@ -208,7 +208,7 @@ int locale_context_save(LocaleContext *c, char ***ret_set, char ***ret_unset) {
                 return 0;
         }
 
-        r = write_env_file_label("/etc/locale.conf", set);
+        r = write_env_file_label(AT_FDCWD, "/etc/locale.conf", NULL, set);
         if (r < 0)
                 return r;
 
diff --git a/src/test/test-env-file.c b/src/test/test-env-file.c
index 6480e7beb3..3fc6d623fd 100644
--- a/src/test/test-env-file.c
+++ b/src/test/test-env-file.c
@@ -172,7 +172,7 @@ TEST(write_and_load_env_file) {
                 assert_se(tempfn_random_child(NULL, NULL, &p) >= 0);
 
                 assert_se(j = strjoin("TEST=", v));
-                assert_se(write_env_file(p, STRV_MAKE(j)) >= 0);
+                assert_se(write_env_file(AT_FDCWD, p, STRV_MAKE("# header 1", "", "# header 2"), STRV_MAKE(j)) >= 0);
 
                 assert_se(cmd = strjoin(". ", p, " && /bin/echo -n \"$TEST\""));
                 assert_se(f = popen(cmd, "re"));
diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c
index fd197ca622..d76a4ced91 100644
--- a/src/test/test-fileio.c
+++ b/src/test/test-fileio.c
@@ -145,7 +145,7 @@ TEST(parse_env_file) {
                 assert_se(fd >= 0);
         }
 
-        r = write_env_file(p, a);
+        r = write_env_file(AT_FDCWD, p, NULL, a);
         assert_se(r >= 0);
 
         r = load_env_file(NULL, p, &b);
@@ -208,7 +208,7 @@ TEST(parse_multiline_env_file) {
                 assert_se(fd >= 0);
         }
 
-        r = write_env_file(p, a);
+        r = write_env_file(AT_FDCWD, p, NULL, a);
         assert_se(r >= 0);
 
         r = load_env_file(NULL, p, &b);