diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index 21e080d587ae2713a73f756b2b7e078d843b2a95..092e4dff7b4c026c816afdd85b2a454089204141 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -1,8 +1,7 @@
 { "domain": "private.storage"
 , "publicStoragePort": 8898
-, "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
-, "stripeSecretKeyPath": "./secrets/stripe.secret"
-, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "privateKeyPath": "./private-keys"
+, "publicKeyPath": "./public-keys"
 , "monitoringvpnEndpoint": "monitoring.private.storage:51820"
 , "passValue": 1000000
 , "issuerDomains": [
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index ae51174b4f15a72ca0c1d1798b067ecb1db64bb3..fb680338a08b0006e166b13066199d20f6836e44 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -5,10 +5,12 @@ let
   gridlib = import ../../lib;
   rawConfig = pkgs.lib.trivial.importJSON ./config.json;
   config = rawConfig // {
-    sshUsers = import ./secrets/users.nix;
+    sshUsers = import ./public-keys/users.nix;
 
-    # Get absolute vpn key directory path, as a string:
-    monitoringvpnKeyDir = toString ./. + "/${rawConfig.monitoringvpnKeyDir}";
+    # Convert relative paths to absolute so library code can resolve names
+    # correctly.
+    publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
+    privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
   };
 
   payments = {
@@ -27,7 +29,7 @@ let
       gridlib.hardware-aws
       (gridlib.customize-monitoring {
         inherit hostsMap vpnClientIPs nodeExporterTargets;
-        inherit (config) domain monitoringvpnKeyDir;
+        inherit (config) domain publicKeyPath privateKeyPath;
         monitoringvpnIPv4 = "172.23.23.1";
         stateVersion = "19.09";
       })