diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix
index 4a7253bab..926401648 100644
--- a/lass/1systems/hilum/disk.nix
+++ b/lass/1systems/hilum/disk.nix
@@ -1,4 +1,4 @@
-{ lib, disk, ... }:
+{ lib, disk, keyFile, ... }:
 {
   disk = {
     main = {
@@ -37,7 +37,7 @@
             content = {
               type = "luks";
               name = "hilum_luks";
-              # keyFile = "/tmp/secret.key";
+              keyFile = keyFile;
               content = {
                 type = "filesystem";
                 format = "xfs";
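Review bot: The file wired into `keyFile` here is filled by flash-stick.sh from `pass show`, whose output ends with a newline and carries any further lines stored in the entry. If disko hands this path to cryptsetup as a key file (not visible in this diff), those bytes become part of the key, and a passphrase typed at boot would presumably not match. Consider writing only the first line without its terminator in the script, e.g. `pass show admin/hilum/luks | head -n1 | tr -d '\n' > "$keyfile"`. Alternatively, add a comment here stating that the key material is the file's exact contents. When `luksPassFile` is left at its default, `keyFile` is `null`; a short comment saying which behaviour is expected in that case would help the next reader.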
diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh
old mode 100644
new mode 100755
index 7b787f92a..17a5fc580
--- a/lass/1systems/hilum/flash-stick.sh
+++ b/lass/1systems/hilum/flash-stick.sh
@@ -4,14 +4,24 @@ set -efux
 disk=$1
 
 export NIXPKGS_ALLOW_UNFREE=1
+(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks)
+trap 'rm -f /tmp/hilum.luks' EXIT
 stockholm_root=$(git rev-parse --show-toplevel)
 ssh root@localhost -t -- $(nix-build \
   --no-out-link \
   -I nixpkgs=/var/src/nixpkgs \
   -I stockholm="$stockholm_root" \
   -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \
-  -E "with import <nixpkgs> {}; (pkgs.nixos [ { mainDisk = \"$disk\"; disko.rootMountPoint = \"/mnt/hilum\"; } ./physical.nix ]).mountScript"
+  -E "with import <nixpkgs> {}; (pkgs.nixos [
+    {
+      luksPassFile = \"/tmp/hilum.luks\";
+      mainDisk = \"$disk\";
+      disko.rootMountPoint = \"/mnt/hilum\";
+    }
+    ./physical.nix
+  ]).disko"
 )
+rm -f /tmp/hilum.luks
 $(nix-build \
   --no-out-link \
   -I nixpkgs=/var/src/nixpkgs \
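Review bot: The LUKS passphrase is written to the fixed, predictable path `/tmp/hilum.luks`, and `umask 077` only applies when the redirect actually creates the file. If that name already exists in the world-writable /tmp, created by another local user, the `>` redirect may write the secret into a file whose owner and mode the script does not control. The trap is also registered after the write, so a failing `pass show` under `set -e` exits before any cleanup is installed. Creating the file with `mktemp` (exclusive create, mode 0600), setting the trap first, and passing the generated name into `luksPassFile` addresses both. Only the path, not the contents, ends up in the built script. The second `nix-build` invocation continues past the end of this hunk.

```shell
keyfile=$(mktemp /tmp/hilum-luks.XXXXXX)
trap 'rm -f "$keyfile"' EXIT
pass show admin/hilum/luks > "$keyfile"
# … unchanged: stockholm_root, ssh root@localhost and the nix-build -I arguments …
      luksPassFile = \"$keyfile\";
# … unchanged: mainDisk, disko.rootMountPoint, ./physical.nix, .disko …
rm -f "$keyfile"
```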
@@ -21,7 +31,7 @@ $(nix-build \
   --arg force true
 )
 ssh root@localhost << SSH
-nixos-install --no-root-password --root /mnt/hilum -I /var/src
+NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src
 nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader
 umount -Rv /mnt/hilum
 SSH
diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix
index e6860a496..f97873aa9 100644
--- a/lass/1systems/hilum/physical.nix
+++ b/lass/1systems/hilum/physical.nix
@@ -12,11 +12,18 @@
       };
       config.environment.etc.hilum-disk.text = config.mainDisk;
     }
+    {
+      options.luksPassFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+      };
+    }
   ];
 
   disko.devices = import ./disk.nix {
     inherit lib;
     disk = config.mainDisk;
+    keyFile = config.luksPassFile;
   };
 
   boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
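Review bot: The new `luksPassFile` option has no `description`, and nothing records that it is an install-time path to a secret rather than the secret itself. I would add something like `description = "Path on the installing host to a file holding the LUKS passphrase; only the path is evaluated, never the contents. null leaves keyFile unset.";`. A one-line comment is also worth adding that `lib.types.str` (not `lib.types.path`) is deliberate: a Nix path literal would be copied into the world-readable store, whereas a string keeps the file outside it. The enclosing module starts before this hunk, so I cannot see whether other importers of `disk.nix` also need to pass `keyFile`.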