diff --git a/.sops.yaml b/.sops.yaml index f8fd265c..b3cef0bd 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,28 +1,30 @@ keys: - - &lotte age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76 + - &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76 - ¬522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa - &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg + - &root age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew + - &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u creation_rules: - path_regex: machine/not522/secrets\.yaml$ key_groups: - age: - *not522 - - *lotte + - *base - path_regex: services/tailscale\.yaml$ key_groups: - age: - *not522 - - *lotte - - path_regex: users/root/password\.yaml$ + - *base + - path_regex: users/root/system\.yaml$ key_groups: - age: - *not522 - - *lotte + - *base - *pc-installer - - path_regex: users/darkkirb/password\.yaml$ + - path_regex: users/darkkirb/system\.yaml$ key_groups: - age: - *not522 - - *lotte + - *base - *pc-installer diff --git a/users/darkkirb/default.nix b/users/darkkirb/default.nix index 9a6e1235..89f3900a 100644 --- a/users/darkkirb/default.nix +++ b/users/darkkirb/default.nix @@ -10,7 +10,12 @@ }; sops.secrets."users/users/darkkirb/hashedPassword" = { neededForUsers = true; - sopsFile = ./password.yaml; + sopsFile = ./system.yaml; }; + sops.secrets."users/users/darkkirb/age-key" = { + owner = "darkkirb"; + sopsFile = ./system.yaml; + }; + home-manager.users.darkkirb.sops.age.keyFile = config.sops.secrets."users/users/darkkirb/age-key".path; environment.impermanence.users = ["darkkirb"]; } diff --git a/users/darkkirb/password.yaml b/users/darkkirb/system.yaml similarity index 75% rename from users/darkkirb/password.yaml rename to users/darkkirb/system.yaml index cbbc1076..074fe685 100644 --- a/users/darkkirb/password.yaml +++ b/users/darkkirb/system.yaml 
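Review bot: The rules for `users/root/system\.yaml$` and `users/darkkirb/system\.yaml$` still list `*pc-installer` as a recipient. This commit stores each user's `age-key` in those same files, so anyone holding the installer key can now decrypt both users' age identities as well as the password hashes. If the installer only needs `hashedPassword`, keep the age keys in a separate sops file whose creation rule lists only `*not522` and `*base`. The new `&root` and `&darkkirb` anchors are not referenced by any rule in this hunk, so if they are meant for home-manager secrets the matching rule appears to be missing. A comment such as `# per-user identities used by home-manager sops` above them would record their purpose.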
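Review bot: The new `sops.secrets."users/users/darkkirb/age-key"` entry materialises a private age identity on the host, and nothing beside it says that this file unlocks all of that user's home-manager secrets. I would add a comment above it, `# Private age identity for darkkirb's home-manager sops; must stay owner-only`, and set `mode = "0400";` explicitly rather than relying on the sops-nix default, so a later edit that adds `group` does not widen access unnoticed. The `keyFile = config.sops.secrets."users/users/darkkirb/age-key".path;` line needs `config` in the module's argument set, which lies outside this hunk. The same points apply to the matching hunk in `users/root/default.nix`.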
@@ -2,6 +2,7 @@ users: users: darkkirb: hashedPassword: ENC[AES256_GCM,data:mDfXEfKTORaTOKubl1To093Hd4elXfGih69RX8LKsKsVZjQ01gT9vCLZMbdo9k7A7fonQWunxcpla9mMPo6DFeJrF4rzhJfLJgp3/EODtG9RAKKzy3X/E0nsygrvK8BxErryJG026wrL5g==,iv:VyyMIUqv6TDl+Gm7P9gEJbnsxHHcgJsn+Gh7SD2SeT8=,tag:mH4PNVSCv4fc9MLtlvIaVQ==,type:str] + age-key: ENC[AES256_GCM,data:sDT+jQEBKHXzmCOJ/yq7Cn43ILECbvuSfikDlSZUObX7p6n9fNTh+uNfBxzPZfxPxkoR5ex9cKYJPo/faTuSIygkLvdRIihY0jfJmSi/BYTaQ2ReDpB/djVNC7hzqhJoTxMfHkBBdYeqpj3KFD1+eSCA04w+oFUe12zJIrbtEok2H4qm6KAtlsHKH/iWxkJ95bWCouwzKsREM1pJJ/bKOe5pSqquAGQ7VIm1ZAL532Rj2ET0ExFGIonijw9l,iv:K3tJLhgAo3tFKemp56gXcXqjdl1YP2xTzmKJB0JSD6E=,tag:ENEzSIyR8cCAO3utLBORZw==,type:str] sops: kms: [] gcp_kms: [] @@ -35,8 +36,8 @@ sops: Vjd0QkU2VnhQcFJ2VTlNeTdRTmhmUU0KCM3KWpVDIjXS1nIuVwofFFudqiIgQ/DM rBgk0yrx401kz248eazRjXrf5QIpYG+2OJ/WlE7/SiQ9IOluoAAk7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-05T08:08:48Z" - mac: ENC[AES256_GCM,data:ZBP0CQTG8Wojh368lX9jNziuOIe9M/1MUjDvH30G96w+mCMa3fp4nmXOPV8DbsATgphJ5To+pZjk+heX72aaTx47jF03vGq2jAMp2gndG4N6R9Zb+UcoHVnyE+Q24PtvRmqcBkQS/Hz1vFUPlpEwKLw8h6ct0DDqalrZ18Ra5HQ=,iv:yIznbjO4o/M+tNcUeSsjHJrky6k+1xVbMwA6/Pngq1I=,tag:p60YYm2QJ+NBhQ/DOhJZzQ==,type:str] + lastmodified: "2024-11-06T08:34:00Z" + mac: ENC[AES256_GCM,data:kb6SOv5juzL1GjGye3SHF9BSlsxWEoMwjOGd+g1xz0aRLZAtEkeN7ZS1a6rO1C9PyQOQdWGZ59NU5k7BftgA4+mWnkgyQtxpb8e2KwcDnkSE+kMYxPgufzuS4L46jkmbTHACItVowja0Qd1Z0fUlUkAzego6bmgPd0hM8s4ZSX4=,iv:SBrFNNVpEBhuybtzQpl8hNx+osyCR42OU5E//sAE2gQ=,tag:7ZAGK//NCxcWl0lx5vrLmQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/users/home-manager.nix b/users/home-manager.nix index b7e78c4e..f99c7ab1 100644 --- a/users/home-manager.nix +++ b/users/home-manager.nix @@ -3,6 +3,7 @@ inputs, inputs', config, + sops-nix, ... }: { home-manager = { @@ -18,6 +19,7 @@ sharedModules = [ ./common "${impermanence}/home-manager.nix" + sops-nix.homeManagerModules.sops ]; }; } 
diff --git a/users/root/default.nix b/users/root/default.nix index a9692ccc..ebd66dfa 100644 --- a/users/root/default.nix +++ b/users/root/default.nix @@ -8,7 +8,12 @@ }; sops.secrets."users/users/root/hashedPassword" = { neededForUsers = true; - sopsFile = ./password.yaml; + sopsFile = ./system.yaml; }; + sops.secrets."users/users/root/age-key" = { + owner = "root"; + sopsFile = ./system.yaml; + }; + home-manager.users.root.sops.age.keyFile = config.sops.secrets."users/users/root/age-key".path; environment.impermanence.users = ["root"]; } diff --git a/users/root/password.yaml b/users/root/system.yaml similarity index 75% rename from users/root/password.yaml rename to users/root/system.yaml index 5760b994..0a4461d5 100644 --- a/users/root/password.yaml +++ b/users/root/system.yaml @@ -2,6 +2,7 @@ users: users: root: hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str] + age-key: ENC[AES256_GCM,data:A0G/R9o2Qray5kk7lqwu00EOJD0mRQ5cYWRDBzvw0gMTIq+JU16m5QrXLgzK3M/oURxPbBUOC+Wy7ZdiPAHVj5i353bsVLzGi6wIuwQpL2HA0RUwcos/bBnPTcvRriErBIpMYxgkxEVvgb4NpS0523V09AiXgX5DSY/z6pmQ1ERtXl1YRW+lCRqewgUUweC4WE31iG82NDOXkPZM+oaFginQeUy0Ruy4Kya4xQjC/+pzbxRdJwQKGkf/5fLl,iv:1TnvWbolHgQgOMmOBxpqxUlKmD14oCd+Yo/Jn2AHuL8=,tag:ML2ifWFpzHHxJ4F2OQ3+jA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -35,8 +36,8 @@ sops: MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-29T13:48:11Z" - mac: ENC[AES256_GCM,data:fNxQFhopRt4cf8tepyYuePCwIwOozf1gOgO3ixhyuZqpnWAt5ng7p8BoKyeigRDvIanBsbUQ8MtuEfIfBSEYzgAeAihODIyuSmsq72sqE1Jfm77Yq8HpeUQxYGEtDND3awx/wEcgpumnNXS9UzAJVh0Un5yY1mUA/E2fYpdVRX0=,iv:Kh9oUpyK83xxfG8OVs2jgxlJDIRiyKuQVgPNEiFdT7A=,tag:CXyRtYHHgD0+INnyEcC6rg==,type:str] + lastmodified: "2024-11-06T08:34:07Z" + mac: ENC[AES256_GCM,data:U3+GUzxyPL7infWqht48rQ7Oe7E7Fu3WU883VZjJSKLM46ilDf0mWhpIWX7JDwhFzii/fSyF3+FsJvBDD4bcnK8L0UiS7C9z6yH9RGtOXI6is6jitfgm4qOuPP+aZa99hEDUf/ZO5uEzE/Psayf4aVAxEyL3L+SgVdiWf2MIFmk=,iv:XQavrryRBHnSf/xPMGY/lk/ep1qdRdgDtzUVwde4vXE=,tag:yWScrP9lTH1SiHpUiQuAXw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1