diff --git a/nixos/machines/biskcomp.nix b/nixos/machines/biskcomp.nix
index c0aaed80..9f4e92e1 100644
--- a/nixos/machines/biskcomp.nix
+++ b/nixos/machines/biskcomp.nix
@@ -39,9 +39,15 @@ in
 };
 services.k3s.disableAgent = true;
+ age.secrets.vaultwarden-environment-file = {
+ file = ../secrets/vaultwarden-environment-file.age;
+ owner = "vaultwarden";
+ };
+
 services.vaultwarden = {
 enable = true;
 backupDir = "/var/backup/vaultwarden";
+ environmentFile = config.age.secrets.vaultwarden-environment-file.path;
 config = {
 ROCKET_ADDRESS = "::1";
 ROCKET_PORT = 8222;
diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix
index 1d907690..f425bd48 100644
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@@ -19,4 +19,5 @@ in
 "k3s-registry.yaml.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
 "discourse-admin-password.age".publicKeys = keys.hostKeys;
 "discourse-secret-key-base.age".publicKeys = keys.hostKeys;
+ "vaultwarden-environment-file.age".publicKeys = keys.hostKeys;
 }
diff --git a/nixos/secrets/vaultwarden-environment-file.age b/nixos/secrets/vaultwarden-environment-file.age
new file mode 100644
index 00000000..efcfa344
Binary files /dev/null and b/nixos/secrets/vaultwarden-environment-file.age differ
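Review bot: `owner = "vaultwarden";` on the new age secret is probably broader than needed. As far as I know the NixOS vaultwarden module passes `environmentFile` to systemd as an `EnvironmentFile=` entry, which the service manager reads before it drops to the service user, so the decrypted file could keep agenix's default root ownership; confirm this against the module version in use before dropping the line. Because the .age blob is opaque in review, a comment above the secret naming the variables it is expected to carry would also help, e.g. `# vaultwarden env file: <VARIABLE_NAMES>; values live only in the .age file`. The `services.vaultwarden` block continues past the end of the hunk, so the rest of its `config` is not visible here.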
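Review bot: `keys.hostKeys` in the new secrets.nix entry appears to make the vaultwarden environment file decryptable by every host in that list, although only biskcomp.nix consumes it in this commit. The contents of `keys.hostKeys` and of the secret are not visible here, but if the file holds credentials for the password manager, compromise of any other listed host would expose them. Consider limiting recipients to the consuming host plus the keys used for editing and rekeying, e.g. `"vaultwarden-environment-file.age".publicKeys = keys.agenixKeys ++ [ <BISKCOMP_HOST_KEY> ];` with the placeholder replaced by that host's actual key. The two discourse entries above use the same recipient list and may deserve the same look.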