diff --git a/base/users.nix b/base/users.nix
index 263163f..2af640f 100644
--- a/base/users.nix
+++ b/base/users.nix
@@ -5,10 +5,10 @@ in {
 users.mutableUsers = false;
 users.users.root = {
- hashedPassword = secrets.shadow-hashed-password-root;
+ passwordFile = config.age.secrets."users/root-hashed-password".path;
 };
 users.users.alarsyo = {
- hashedPassword = secrets.shadow-hashed-password-alarsyo;
+ passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
 isNormalUser = true;
 extraGroups = [
 "media"
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index 0236f1d..ef8f38a 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -3,9 +3,6 @@ # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
-let
- secrets = config.my.secrets;
-in {
 imports = [
 # Include the results of the hardware scan.
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 5998d31..0a0d1cd 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -13,4 +13,7 @@ in {
 "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
 "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
+
+ "users/root-hashed-password.age".publicKeys = machines;
+ "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
new file mode 100644
index 0000000..9d80aa7
Binary files /dev/null and b/modules/secrets/users/alarsyo-hashed-password.age differ
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age
new file mode 100644
index 0000000..b0ef183
Binary files /dev/null and b/modules/secrets/users/root-hashed-password.age differ
diff --git a/services/restic-backup.nix b/services/restic-backup.nix
index 8d57f5c..66e531c 100644
--- a/services/restic-backup.nix
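Review bot: In base/users.nix both new `passwordFile` lines make login depend on the age secret being decrypted before the users activation step, and with `users.mutableUsers = false` a host whose key cannot decrypt the file would, as far as I can tell, come up with locked passwords for root and alarsyo rather than fail the build. I would document that above the first assignment, e.g. `# Hash is read at activation from the agenix-decrypted file; an undecryptable secret leaves the account without a usable password.`, and confirm each host in the recipient list has another way in (console or SSH key) before this is deployed. The `let` block and module arguments sit above the hunk, so whether `config` is bound there is not visible here.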
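Review bot: In modules/secrets/secrets.nix, `"users/root-hashed-password.age".publicKeys = machines;` lists no user key, unlike the alarsyo entry on the next line, so editing or re-encrypting the root hash would need a host private key. If that is intentional, a comment such as `# root hash: host keys only, rekey from a machine` would record it; otherwise `machines ++ [ alarsyo ]` matches the line below. Both entries also make the hash readable by every key in `machines` (defined outside the hunk), whereas the restic secrets above are scoped to `[ alarsyo zephyrus ]`; if the same hash is not needed on every host, narrower recipient lists limit what one compromised host key exposes to offline guessing.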
+++ b/services/restic-backup.nix
@@ -11,7 +11,6 @@ let ;
 cfg = config.my.services.restic-backup;
- secrets = config.my.secrets;
 excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
 makePruneOpts = pruneOpts: attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
diff --git a/zephyrus.nix b/zephyrus.nix
index e355eb3..ed011ae 100644
--- a/zephyrus.nix
+++ b/zephyrus.nix
@@ -10,9 +10,6 @@ # Service definitions
 ./services
- # Configuration secrets
- ./secrets
- # Host-specific config
 ./hosts/zephyrus
 ];