diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 7510b6b82e8b298387394e5ff8082445a2fe18e7..e8a6333c19a742917b930164c26f43ac791c0d6d 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -8,14 +8,14 @@
 , stateVersion
 , publicIPv4
 , ...
-}: {
+}: rec {
   deployment = {
     targetHost = publicIPv4;
 
     secrets = {
       "ristretto-signing-key" = {
         source = ristrettoSigningKeyPath;
-        destination = "/var/secrets/ristretto.signing-key";
+        destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -23,7 +23,7 @@
       };
       "stripe-secret-key" = {
         source = stripeSecretKeyPath;
-        destination = "/var/secrets/stripe.secret-key";
+        destination = "/run/keys/stripe.secret-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
@@ -41,8 +41,8 @@
   services.private-storage-issuer = {
     enable = true;
     tls = true;
-    ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
-    stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;
diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index c286106a18caca4a575305f0fa897aedaac60c55..af0867c8b8342e31393f19a76a7cbfc4c95f86c9 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -19,7 +19,7 @@
     secrets = {
       "ristretto-signing-key" = {
         source = ristrettoSigningKeyPath;
-        destination = "/var/secrets/ristretto.signing-key";
+        destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index ee1e2db49ba337578312866f737e216f961dc152..1c0e1305ce6b2b83851df03d6d5b019e01604b95 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -6,7 +6,7 @@
     secrets = {
       "ristretto-signing-key" = {
         source = ristrettoSigningKeyPath;
-        destination = "/var/secrets/ristretto.signing-key";
+        destination = "/run/keys/ristretto.signing-key";
         owner.user = "root";
         owner.group = "root";
         permissions = "0400";