diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix
index 2794fff7..6174bf33 100644
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -187,6 +187,7 @@ in
 postCreateHook = lib.mkIf cfg.encryption ''
 zfs set keylocation="prompt" zroot/encrypted;
 '';
+ };
 "encrypted/root" = {
 type = "zfs_fs";
@@ -244,13 +245,12 @@ in
 };
 # use this to read the key during boot
 postCreateHook = lib.mkIf cfg.encryption ''
- zfs set keylocation="prompt" storage/encrypted;
+ zfs set keylocation="file:///root/secret.key" storage/encrypted;
 '';
 };
 "encrypted/data" = {
 type = "zfs_fs";
 mountpoint = "/data";
- options.mountpoint = "legacy";
 };
 reserved = {
 # for cow delete if pool is full
@@ -267,7 +267,7 @@ in
 };
 boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-
+ boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
 fileSystems."/".neededForBoot = true;
 fileSystems."/etc".neededForBoot = true;
 fileSystems."/boot".neededForBoot = true;
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
index 8286084f..6a68622c 100644
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -30,9 +30,7 @@ in
 loader.efi.canTouchEfiVariables = true;
 supportedFilesystems = [ "vfat" "zfs" ];
 zfs = {
- forceImportAll = true;
 requestEncryptionCredentials = true;
- };
 initrd = {
 availableKernelModules = cfg.ethernetDrivers;
diff --git a/machines/testvm/configuration.nix b/machines/testvm/configuration.nix
index b338fbca..003a0178 100644
--- a/machines/testvm/configuration.nix
+++ b/machines/testvm/configuration.nix
@@ -24,7 +24,7 @@ in
 malobeo.disks = {
 enable = true;
- encryption = false;
+ encryption = true;
 hostId = "83abc8cb";
 devNodes = "/dev/disk/by-path/";
 root = {
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 07331a87..277f5194 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
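Review bot: The storage pool's key now comes from a plaintext file at `/root/secret.key`, yet the comment above this `postCreateHook` still only says "use this to read the key during boot"; it should say where that file comes from and what protects it, e.g. `# storage key is read from a file on the (encrypted) root dataset, provisioned as /root/secret.key (mode 0600) by scripts/remote-install-encrypt.sh`. The key is only as confidential as the dataset holding `/root` and the file's mode, so the design depends on `/root` living inside zroot/encrypted and not on an unencrypted dataset; that assumption is implicit here and worth stating. The same dependency applies to the `boot.zfs.extraPools` line in the following hunk: importing `storage` and loading its key must happen after the dataset holding `/root` is mounted, or `zfs load-key` will not find the file. Which dataset `/root` is on is not visible in these hunks, so please confirm the ordering.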
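Review bot: Removing the `};` after `requestEncryptionCredentials = true;` appears to leave the `zfs = {` attribute set open, so the following `initrd = {` would be parsed as `zfs.initrd` rather than as a sibling of `zfs`; if the intent was only to drop `forceImportAll = true;`, the closing `};` should stay. The hunk's line counts do not match the lines shown here, so a context line may have been lost in this rendering and the brace removal may be a display artefact — check the file itself. The enclosing attribute set starts and ends outside the hunk.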
@@ -37,9 +37,11 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/root/"
 diskKey=$(sops -d machines/$hostname/disk.key)
 echo "$diskKey" > /tmp/secret.key
+echo "$diskKey" > $temp/root/secret.key
 ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
 ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
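Review bot: The new key file is created by a plain redirect under the caller's default umask inside a directory made with `-m755`, so `$temp/root/secret.key` will typically end up mode 0644 while holding the decrypted disk key; write it under a restrictive umask and keep the directory private, e.g. `install -d -m700 "$temp/root/"` and `(umask 077; echo "$diskKey" > "$temp/root/secret.key")`. The redirect target is also unquoted, unlike `"$temp/etc/ssh/"` on the line above, so the line breaks if `$temp` contains whitespace. If the `$temp` tree is copied onto the installed system, these modes are what the key will carry in the target's `/root`, which is the exact path the disko change in this commit reads the key from at boot. Whether the `cleanup` trap removes `$temp` and `/tmp/secret.key` afterwards is outside the hunk.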