diff --git a/agent/installer.go b/agent/installer.go
index fbd63a59d8b..daf12fe062d 100644
--- a/agent/installer.go
+++ b/agent/installer.go
@@ -14,7 +14,7 @@ import (
 )
 
 const (
-	agentEnvFile     = "/etc/shellhub-agent.env"
+	agentEnvFile     = "/etc/shellhub-agent/shellhub-agent.env"
 	agentServiceFile = "/etc/systemd/system/shellhub-agent.service"
 	agentServiceName = "shellhub-agent"
 )
@@ -26,7 +26,7 @@ Wants=network-online.target
 Requires=local-fs.target
 
 [Service]
-EnvironmentFile=/etc/shellhub-agent.env
+EnvironmentFile=/etc/shellhub-agent/shellhub-agent.env
 ExecStart={{.BinaryPath}}
 Restart=on-failure
 RestartSec=5
@@ -83,12 +83,12 @@ func registerInstallerCommands(rootCmd *cobra.Command) {
 
 	installCmd.Flags().String("server-address", "", "ShellHub server address")
 	installCmd.Flags().String("tenant-id", "", "Namespace tenant ID")
-	installCmd.Flags().String("private-key", "/etc/shellhub.key", "Path to the agent private key file")
+	installCmd.Flags().String("private-key", "/etc/shellhub-agent/shellhub.key", "Path to the agent private key file")
 	installCmd.Flags().String("preferred-hostname", "", "Preferred device hostname")
 	installCmd.Flags().String("preferred-identity", "", "Preferred device identity")
 	installCmd.Flags().Uint("keepalive-interval", 30, "Keepalive interval in seconds")
 	installCmd.MarkFlagRequired("server-address") //nolint:errcheck
-	installCmd.MarkFlagRequired("tenant-id")       //nolint:errcheck
+	installCmd.MarkFlagRequired("tenant-id")      //nolint:errcheck
 
 	rootCmd.AddCommand(installCmd)
 
@@ -117,9 +117,9 @@ func agentInstall(cfg installerConfig) error {
 		return fmt.Errorf("systemd is not available on this system")
 	}
 
-	// Stop existing service before overwriting files (re-install / upgrade).
-	// Ignore error — service may not exist yet.
-	exec.Command("systemctl", "disable", "--now", agentServiceName).Run() //nolint:errcheck
+	// Best practice would be to disable service here before install/upgrade
+	// If upgrade performed over tunnel, ssh session disconnect, binary gets sighup.
+	// Service will restart at end of install/upgrade
 
 	exe, err := os.Executable()
 	if err != nil {
@@ -131,6 +131,10 @@ func agentInstall(cfg installerConfig) error {
 		return fmt.Errorf("failed to resolve symlinks: %w", err)
 	}
 
+	if err := os.MkdirAll(filepath.Dir(agentEnvFile), 0755); err != nil {
+		return fmt.Errorf("failed to create directory %s: %w", filepath.Dir(agentEnvFile), err)
+	}
+
 	if err := writeAgentEnvFile(cfg); err != nil {
 		return fmt.Errorf("failed to write env file: %w", err)
 	}
@@ -143,10 +147,16 @@ func agentInstall(cfg installerConfig) error {
 		return fmt.Errorf("failed to reload systemd daemon: %w", err)
 	}
 
-	if err := exec.Command("systemctl", "enable", "--now", agentServiceName).Run(); err != nil {
+	// For upgrade over tunnel support, just enable service, service reboot later
+	if err := exec.Command("systemctl", "enable", agentServiceName).Run(); err != nil {
 		return fmt.Errorf("failed to enable service: %w", err)
 	}
 
+	// Restarts service to upgraded binary, session dies but tunnel remains active.
+	if err := exec.Command("systemctl", "restart", agentServiceName).Run(); err != nil {
+		return fmt.Errorf("failed to restart service: %w", err)
+	}
+
 	return nil
 }
 
diff --git a/agent/packaging/config.json b/agent/packaging/config.json
index 7df4c91cf84..b03de6309f4 100644
--- a/agent/packaging/config.json
+++ b/agent/packaging/config.json
@@ -16,7 +16,7 @@
             "__PREFERRED_HOSTNAME__",
             "__PREFERRED_IDENTITY__",
             "__KEEPALIVE_INTERVAL__",
-            "SHELLHUB_PRIVATE_KEY=/host/etc/shellhub.key"
+            "SHELLHUB_PRIVATE_KEY=/host/etc/shellhub-agent/shellhub.key"
         ],
         "cwd": "/",
         "capabilities": {
diff --git a/install.sh b/install.sh
index 08fa0aff262..b5fb829e9a3 100755
--- a/install.sh
+++ b/install.sh
@@ -39,7 +39,7 @@ podman_install() {
   esac
 
   if [ -z "$MODE" ]; then
-    ARGS="$ARGS -e SHELLHUB_PRIVATE_KEY=${PRIVATE_KEY:-/host/etc/shellhub.key}"
+    ARGS="$ARGS -e SHELLHUB_PRIVATE_KEY=${PRIVATE_KEY:-/host/etc/shellhub-agent/shellhub.key}"
 
     echo "🚀 Starting ShellHub container in Agent mode..."
   fi
@@ -106,7 +106,7 @@ docker_install() {
   esac
 
   if [ -z "$MODE" ]; then
-    ARGS="$ARGS -e SHELLHUB_PRIVATE_KEY=${PRIVATE_KEY:-/host/etc/shellhub.key}"
+    ARGS="$ARGS -e SHELLHUB_PRIVATE_KEY=${PRIVATE_KEY:-/host/etc/shellhub-agent/shellhub.key}"
 
     echo "🚀 Starting ShellHub container in Agent mode..."
   fi
@@ -165,7 +165,7 @@ snap_install() {
 
     sudo snap set shellhub server-address="$SERVER_ADDRESS"
     sudo snap set shellhub tenant-id="$TENANT_ID"
-    sudo snap set shellhub private-key="${PRIVATE_KEY:-/etc/shellhub.key}"
+    sudo snap set shellhub private-key="${PRIVATE_KEY:-/etc/shellhub-agent/shellhub.key}"
 
     sudo snap start shellhub
   } || {