diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh
index 8266d3a4..fb18e870 100755
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -16,13 +16,14 @@ if [ ! -e flake.nix ]
 done
 fi
+pwpath="machines/secrets/keys/itag"
 read -p "Enter new host name: " host
 if [ "$host" = "" ]; then
 exit 0
 fi
-mkdir -p machines/secrets/keys/itag/$host
-cd machines/secrets/keys/itag/$host
+mkdir -p $pwpath/$host
+cd $pwpath/$host
 # Generate SSH keys
 ssh-keygen -f "$host" -t ed25519 -N ""
@@ -33,8 +34,8 @@ sops -e -i ./"$host"
 sops -e -i ./"$host"-init
 #generate encryption key
-tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt
-sops -e -i ./encryption.txt
+tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
+sops -e -i ./disk.key
 # Info
 echo
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index f0553c2f..6ec19c19 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -25,9 +25,7 @@ fi
 hostname=$1
 ipaddress=$2
-dbpath="./machines/secrets/keys/itag.kdbx"
-read -sp "Enter password for keepassxc: " pw
-
+pwpath="machines/secrets/keys/itag"
 # Create a temporary directory
 temp=$(mktemp -d)
@@ -42,13 +40,13 @@ trap cleanup EXIT
 install -d -m755 "$temp/etc/ssh/"
 install -d -m755 "$temp/root/"
-diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption)
+diskKey=$(sops -d $pwpath/$hostname/disk.key)
 echo "$diskKey" > /tmp/secret.key
 echo "$diskKey" > $temp/root/secret.key
-echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname"
+sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname"
-echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd"
+sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
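Review bot: `cd $pwpath/$host` has no failure check, so if the directory change fails (or `$host` contains whitespace and word-splits) the `ssh-keygen` and `sops -e -i` calls that follow run in whatever directory the script started in and leave key material there; the `mkdir -p $pwpath/$host` line above it has the same unquoted expansion. The `read -p` that fills `host` also lacks `-r`. I would change the lines to `mkdir -p -- "$pwpath/$host"`, `cd "$pwpath/$host" || exit 1` and `read -r -p "Enter new host name: " host`. The `if [ ! -e flake.nix ]` block whose `done`/`fi` open this hunk begins outside it.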
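Review bot: `disk.key` is written in plaintext before `sops -e -i ./disk.key` encrypts it in place, so the new disk key sits on disk under the caller's default umask, and if `sops` fails the unencrypted key stays in the repository tree next to the host's other secrets. Generating under a restrictive umask and removing the file on failure closes both gaps: `(umask 077; tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key)` and `sops -e -i ./disk.key || { rm -f -- disk.key; exit 1; }`. The `sops -e -i ./"$host"` lines above follow the same write-then-encrypt pattern for the SSH keys, though they predate this change. Hosts that already have an `encryption.txt` will not be found by the new `disk.key` lookup in remote-install-encrypt.sh unless those files are renamed; this diff does not show that.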
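Review bot: `sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"` misspells `sops`; the redirection is opened before the command fails, so the initrd host key is created as an empty file and, absent `set -e` (not visible in this hunk), the install proceeds with it. The line should read `sops -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd" || exit 1`. The same unchecked pattern applies to `diskKey=$(sops -d $pwpath/$hostname/disk.key)` (also unquoted) and to the `$hostname` key line: a failed decryption yields an empty disk key that is then written to `/tmp/secret.key` and `$temp/root/secret.key`, so `diskKey=$(sops -d "$pwpath/$hostname/disk.key") || exit 1` and a `|| exit 1` on the SSH key line as well. The context line writing the disk key to the fixed, predictable path `/tmp/secret.key` predates this change, but it is not obviously covered by the `cleanup` trap named in the hunk header and is worth revisiting.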
diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh
index 347f260a..5d7c1803 100644
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -19,15 +19,15 @@ if [ ! -e flake.nix ]
 done
 fi
+diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)
+
 echo
 if [ $# = 1 ]
 then
-diskkey=$(sops -d machines/$HOSTNAME/disk.key)
 echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
 elif [ $# = 2 ]
 then
-diskkey=$(sops -d machines/$HOSTNAME/disk.key)
 IP=$2
 echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
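Review bot: The hoisted `diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)` now runs before the `$#` checks and has no failure handling, so with an unsupported argument count the key is decrypted for nothing, and a failed `sops -d` (missing file, no access to the sops key) leaves `diskkey` empty and pipes an empty line into `systemd-tty-ask-password-agent` on the remote host. I would write `diskkey=$(sops -d "machines/secrets/keys/itag/$HOSTNAME/disk.key") || exit 1`, or keep the assignment inside the branches as it was. `$HOSTNAME` is bash's own variable holding the local machine name unless the script assigns it earlier, which this hunk does not show. The `if`/`elif` chain continues past the end of the hunk.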