diff --git a/curacao_usb/dk.nix b/curacao_usb/dk.nix
index 962cba1..afcae03 100644
--- a/curacao_usb/dk.nix
+++ b/curacao_usb/dk.nix
@@ -1 +1,2 @@
-import ../dk/single_uefi_btrfs.nix { id = "usb-Kingston_DataTraveler_3.0_E0D55EA57414F510489F0F1A-0:0"; name = "curacao_usb"; }
+{ ... } @ args:
+import ../dk/single_uefi_btrfs.nix (args // { id = "usb-Kingston_DataTraveler_3.0_E0D55EA57414F510489F0F1A-0:0"; name = "curacao_usb"; })
diff --git a/dk/single_uefi_btrfs.nix b/dk/single_uefi_btrfs.nix
index 979f3c7..965cc5b 100644
--- a/dk/single_uefi_btrfs.nix
+++ b/dk/single_uefi_btrfs.nix
@@ -1,4 +1,4 @@
-{ id, name, ... }:
+{ id, name, passwordFile ? "/should_not_be_needed_in_this_context", ... }:
 {
 disko.devices = {
 disk = {
@@ -26,7 +26,7 @@
 content = {
 type = "luks";
 name = "${name}";
- passwordFile = "/tmp/secret.key"; # FIXME Generate this somehow
+ passwordFile = passwordFile;
 settings = {
 # Not having SSDs die fast is more important than crypto
 # nerds that could potentially discover which filesystem I
diff --git a/install_os.sh b/install_os.sh
index 8b642f6..eb41b84 100755
--- a/install_os.sh
+++ b/install_os.sh
@@ -64,6 +64,7 @@ fi
 mountpoint="/mnt/nixos"
 nix_flakes_cmd="nix --extra-experimental-features nix-command --extra-experimental-features flakes"
+luks_pass_path="luks/$(basename ${profile})"
 set -x
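Review bot: The new `passwordFile` default in the first hunk of dk/single_uefi_btrfs.nix is an undocumented sentinel path, so a disko run that forgets `--argstr passwordFile` would only surface as a missing key file rather than as an evaluation error. If the default exists so the file can still be evaluated where no key is read (that is inferred from the string, not shown here), say so next to it, e.g. `# Placeholder: only a disko format/mount run reads this; install_os.sh passes the real path via --argstr`. The attribute set this argument feeds continues outside the hunk.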
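Review bot: `${profile}` is expanded unquoted inside the command substitution on the added `luks_pass_path` line of install_os.sh, so a profile path containing whitespace or glob characters is split before `basename` sees it, and a value starting with `-` is read as an option. Since this string selects which password-store entry becomes the disk key, it should be derived exactly: `luks_pass_path="luks/$(basename -- "${profile}")"`. Where `profile` is set is outside the hunk.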
@@ -73,8 +74,15 @@ sudo mkdir -p "$mountpoint"
 # Not great, but fixable with flakes I guess
 sudo ./add_channels.sh
+# Load encryption password
+luks_pass_file="$(mktemp --suffix="luks_password")"
+pass $luks_pass_path | head -n1 | tr -d '\n' > $luks_pass_file
+
 # Format or mount disk
-sudo $nix_flakes_cmd run github:nix-community/disko -- --root-mountpoint "$mountpoint" --mode "$disko_mode" "$disko_config"
+sudo $nix_flakes_cmd run github:nix-community/disko -- --root-mountpoint "$mountpoint" --mode "$disko_mode" --argstr passwordFile "$luks_pass_file" "$disko_config"
+
+# Unload encryption password
+rm "$luks_pass_file"
 # Generate hardware-config.nix
 sudo nixos-generate-config --no-filesystems --root "$mountpoint"
diff --git a/pindakaas_sd/dk.nix b/pindakaas_sd/dk.nix
index f3b4eae..70de3ae 100644
--- a/pindakaas_sd/dk.nix
+++ b/pindakaas_sd/dk.nix
@@ -1 +1,2 @@
-import ../dk/single_uefi_btrfs.nix { id = "mmc-SN32G_0xfb19ae99"; name = "pindakaas_sd"; }
+{ ... } @ args:
+import ../dk/single_uefi_btrfs.nix (args // { id = "mmc-SN32G_0xfb19ae99"; name = "pindakaas_sd"; })
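Review bot: The passphrase file written before the disko call in install_os.sh is removed only if the script reaches the `rm` line, so a failed or interrupted disko run leaves the LUKS passphrase in the temp directory; registering an EXIT trap right after `mktemp` covers every exit path. The `pass | head | tr` pipeline also reports only `tr`'s status, so a missing entry or a locked GPG key would hand disko an empty key file unless `pipefail` is set somewhere outside this hunk, and checking that the file is non-empty before formatting closes that gap. `$luks_pass_path` and `$luks_pass_file` are unquoted on that same line. Whether the temp directory is RAM-backed is not visible here; if it is not, an unlinked file may still be recoverable from disk.

```shell
# Load encryption password
luks_pass_file="$(mktemp --suffix="luks_password")"
trap 'rm -f -- "$luks_pass_file"' EXIT
pass "$luks_pass_path" | head -n1 | tr -d '\n' > "$luks_pass_file"
if [ ! -s "$luks_pass_file" ]; then
    echo "no LUKS passphrase read from pass entry $luks_pass_path" >&2
    exit 1
fi

# … unchanged: disko format/mount call with --argstr passwordFile …

# Unload encryption password (the EXIT trap still covers early exits)
rm -f -- "$luks_pass_file"
```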