diff --git a/machines/_base.nix b/machines/_base.nix
index 555666e..84abb5c 100644
--- a/machines/_base.nix
+++ b/machines/_base.nix
@@ -41,6 +41,8 @@ in {
     manageHostName = true;
   };
 
+  age.secrets.root_pw.file = ../secrets/base/root_pass.age;
+
   nix = {
     settings = {
       # flakes are essensial
@@ -72,23 +74,27 @@ in {
     settings.PermitRootLogin = "prohibit-password";
   };
 
-  users.users.root = {
-    initialHashedPassword = "$y$j9T$lf/Z1Db.lAXan2WN/YQEF.$ILMN5CK4eImzrioB04D.VgD7wrV2rwUjcTi..WE5ea6";
+  users = {
+    mutableUsers = false;
 
-    openssh.authorizedKeys.keys = [
-      # no obligation to have name attached to keys
+    users.root = {
+      hashedPasswordFile = config.age.secrets.root_pw.path;
 
-      # Root account
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+      openssh.authorizedKeys.keys = [
+        # no obligation to have name attached to keys
 
-      # CI/CD key
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+        # Root account
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
 
-      # Brendan Golden
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+        # CI/CD key
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
 
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
-    ];
+        # Brendan Golden
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
+      ];
+    };
   };
 
   # skynet-admin-linux will always be added, individual servers can override the groups option
diff --git a/secrets/base/root_pass.age b/secrets/base/root_pass.age
new file mode 100644
index 0000000..2313336
Binary files /dev/null and b/secrets/base/root_pass.age differ
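Review bot: The secret is declared as `root_pw` on the added `age.secrets.root_pw.file` line but the file is `root_pass.age`, and the entry added in secrets.nix is keyed `"base/root_pass.age"`, so the same object carries two names; declaring it as `age.secrets.root_pass.file = ../secrets/base/root_pass.age;` and referencing `config.age.secrets.root_pass.path` in the users block below keeps the attribute, the file and the secrets.nix key aligned. The consumer sits some thirty lines further down, so a one-line comment above the declaration, `# root password hash (yescrypt), consumed by users.users.root.hashedPasswordFile below`, saves the reader a search. The enclosing `in {` attribute set starts before this hunk.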
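Review bot: The yescrypt hash on the removed `initialHashedPassword` line remains readable in git history, so encrypting it into `root_pass.age` only reduces exposure if the root password is rotated and the new secret holds a different hash; if the same hash was merely moved into the age file, anyone with read access to the repository history still holds material for an offline guess, and a history rewrite would be needed on top of rotation. `hashedPasswordFile = config.age.secrets.root_pw.path` is read when the `users` activation step (re)creates the account, which with `mutableUsers = false` happens on every rebuild, so this depends on agenix having decrypted the secret before that step runs — presumably agenix orders its activation script accordingly, but it is worth confirming once on a rebuild and recording with a comment such as `# hash is read at activation; the age secret must be installed before the users step`. A second line, `# mutableUsers = false: passwd changes on the host are reverted at the next rebuild`, would document the behavioural change this hunk introduces for operators. The `users = {` set is closed within the hunk; the enclosing module set starts outside it.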
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index db5670f..5321af2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -105,6 +105,7 @@ let
   ];
 in {
   # nix run github:ryantm/agenix -- -e secret1.age
+  "base/root_pass.age".publicKeys = users ++ systems;
   "dns_certs.secret.age".publicKeys = users ++ systems;
   "dns_dnskeys.conf.age".publicKeys = users ++ dns;