diff --git a/.sops.yaml b/.sops.yaml
index 9593357..c4ccad3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,7 +3,25 @@ keys:
 - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
 - &android age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74
 creation_rules:
- - path_regex: system/secrets.yaml$
+ - path_regex: features/secrets.yaml$
+ key_groups:
+ - age:
+ - *laptop
+ - *homebox
+ - *android
+ - path_regex: iso/secrets.yaml$
+ key_groups:
+ - age:
+ - *laptop
+ - *homebox
+ - *android
+ - path_regex: live/secrets.yaml$
+ key_groups:
+ - age:
+ - *laptop
+ - *homebox
+ - *android
+ - path_regex: container/secrets.yaml$
 key_groups:
 - age:
 - *laptop
diff --git a/modules/hosts/iso/configuration.nix b/modules/hosts/iso/configuration.nix
index 729ae54..679e6c9 100644
--- a/modules/hosts/iso/configuration.nix
+++ b/modules/hosts/iso/configuration.nix
@@ -37,6 +37,8 @@ ]; }; + sops.defaultSopsFile = ./secrets.yaml; + users.users.nixos.enable = lib.mkForce false; networking = {
diff --git a/modules/hosts/iso/secrets.yaml b/modules/hosts/iso/secrets.yaml
new file mode 100644
index 0000000..e18d6b8
--- /dev/null
+++ b/modules/hosts/iso/secrets.yaml
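Review bot: The four `path_regex` values added under `creation_rules` are unanchored on the left and leave the `.` unescaped, so `iso/secrets.yaml$` would also match a path that merely ends in something like `demo-iso/secrets_yaml`, and sops applies the first rule that matches. Since the `features`, `iso` and `live` rules carry an identical recipient list, a single rule such as `- path_regex: (^|/)(features|iso|live)/secrets\.yaml$` would state the intent once and stop the three lists from drifting apart. The `container` rule's `key_groups` continues past the end of the hunk, so whether it can be folded into the same rule cannot be judged from here. A comment above the rules, e.g. `# every recipient listed in a rule can decrypt every file that rule matches`, would make the trust decision explicit for the next editor.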
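Review bot: Nothing in this hunk tells sops-nix which private key the ISO host uses to decrypt the file set by `sops.defaultSopsFile = ./secrets.yaml;`, and the `secrets.yaml` added in this commit is wrapped for the laptop recipient only. Unless `sops.age.keyFile` or `sops.age.sshKeyPaths` is set elsewhere in this module (the attribute set starts and ends outside the hunk), the live image will presumably either fail to decrypt at activation or need the laptop identity present on the booted system. If it is the latter, the key should be supplied at boot rather than referenced as a path that ends up in the Nix store or the image, since store contents are world-readable. A comment next to the option such as `# decryption identity is provided at boot from <path>, never built into the image` would record that.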
@@ -0,0 +1,17 @@
+nathan:
+ pass: ENC[AES256_GCM,data:0hmcbyTLbmadTAMoSeOgBmpqgtCKtfrY1EIxIUoxgo+3297+jZqcsSmhPlFKtbornezm+7uPRzaVRHyp2G0Ee6mG4FbzUfGYFg==,iv:F2aTS/BPPxTemu4vEy9H0FY0HUEBWaRFeaoMr8TJbmA=,tag:Ai90KJluCimR6OG5BtCnVQ==,type:str]
+sops:
+ age:
+ - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cUF3YWY2STgwc1pzREJP
+ QndUajV6WUJFZEdtOGNOQ05Ua1hGM25IbzJJCjF3Z24rc0JwMSt5bnpIVDZ0ZGJG
+ ZE9LdEU3bXhsMUxEL0hlMTNTc0VkR0kKLS0tIHhWOGJocS94eWJUSXdtaldJSG50
+ TjZCN3RneGtJa0hLNU1yTUlLMDJpcEUKNvpcKkNXeRyFsn0CRjSKNb89l1864I6A
+ Yzijw0c0BVfivhn2wAyq0fYuw2rT+vIJdFUHvIgxkpkZFl4n/RucOQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-08-31T19:51:15Z"
+ mac: ENC[AES256_GCM,data:L4SK7iaPX3dPJTyl2RgSuqMcoFRm8q9k64TsroV3tT1uWn0J9XRBj9KXgGj/qLloQkgmZsmtct8w2x5tYYosh5k1+056/DeTD8l/Nw5339qKJppRjg6jYNtw02ZGPSNFQdmGNQU9NOOuT8Q94sl0mphwlYhFV1Tf1r/AoSg1ja8=,iv:/qEVdxOR8CDJ2plE8Ez9ML+u+lKPmsNfV0GyXgBbQRk=,tag:EyjdJzvuHXn+0+5hOk0dVg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
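Review bot: The `sops.age` list in this new file holds a single `recipient`, the key aliased `&laptop` in `.sops.yaml`, while the `iso/secrets.yaml$` rule added in the same commit names `*laptop`, `*homebox` and `*android`. The file therefore does not match its own creation rule, and the other two keys cannot decrypt it. If all three are meant to have access, `sops updatekeys modules/hosts/iso/secrets.yaml` re-wraps the data key to the rule's recipients; if laptop-only is intended for the ISO secret, the rule should list only `*laptop` so a later `updatekeys` does not silently widen access.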