diff --git a/hosts/nullbox/configuration.nix b/hosts/nullbox/configuration.nix
index 8dab31c..f59f3cc 100644
--- a/hosts/nullbox/configuration.nix
+++ b/hosts/nullbox/configuration.nix
@@ -10,6 +10,8 @@
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      # Encryption
+      ./luks.nix
     ];
 
   config = {
@@ -54,16 +56,6 @@
       packageSets.gaming.enable = true;
     };
 
-    # cryptsetup
-    boot.initrd.luks.devices = {
-      lvmroot = {
-        device="/dev/disk/by-uuid/85b5f22e-0fa5-4f0d-8fba-f800a0b41671";
-        allowDiscards = true;
-        fallbackToPassword = true;
-        preLVM = true;
-      };
-    };
-
     # bootloader setup
     boot.loader = {
       efi = {
diff --git a/hosts/nullbox/luks.nix b/hosts/nullbox/luks.nix
new file mode 100644
index 0000000..796bf07
--- /dev/null
+++ b/hosts/nullbox/luks.nix
@@ -0,0 +1,27 @@
+{ pkgs, config, lib, ... }:
+let
+  usb = "903D-DF5B";
+in
+{
+  config = {
+    # cryptsetup
+    boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage"];
+    boot.initrd.supportedFilesystems = ["vfat"];
+
+    boot.initrd.luks.devices = {
+      lvmroot = {
+        preOpenCommands = ''
+          mkdir -m 0755 /key
+          sleep 1
+          mount -n -t vfat -o ro `findfs UUID=${usb}` /key
+        '';
+
+        device="/dev/disk/by-uuid/85b5f22e-0fa5-4f0d-8fba-f800a0b41671";
+        keyFile = "/key/image.png"; # yes it's literally an image file. bite me
+        allowDiscards = true;
+        fallbackToPassword = true;
+        preLVM = true;
+      };
+    };
+  };
+}