diff --git a/morph/grid.config.json b/morph/grid.config.json
index 71d0fcd9aac658364700aa2cfbb3533d184a5f8d..178f44d39e5dd88ef709f92713d579c2cd32caff 100644
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
@@ -1,2 +1,3 @@
 { "publicStoragePort": 8898
+, "ristrettoSigningKeyPath": "../../PrivateStorageSecrets/ristretto.signing-key"
 }
diff --git a/morph/storage000.nix b/morph/storage000.nix
index 540229b5376d309c144cf95db62fd059e293421c..cd2b6c1fbb057852ee924fe7efe41973d3b9dfc6 100644
--- a/morph/storage000.nix
+++ b/morph/storage000.nix
@@ -5,7 +5,23 @@ in
 # Define the function that defines the node.  Accept the public storage server
 # port argument so we can configure Tahoe-LAFS with it.  Accept but ignore any
 # other arguments.
-{ publicStoragePort, ... }: {
+{ publicStoragePort, ristrettoSigningKeyPath, ... }: rec {
+
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        # Service name here matches the name defined by our tahoe-lafs nixos
+        # module.  It would be nice to not have to hard-code it here.  Can we
+        # extract it from the tahoe-lafs nixos module somehow?
+        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+      };
+    };
+  };
 
   # Any extra NixOS modules to load on this server.
   imports = [
@@ -34,6 +50,8 @@ in
     inherit (cfg) publicIPv4;
     # And the port to operate on is specified via parameter.
     inherit publicStoragePort;
+    # Give it the Ristretto signing key, too, to support authorization.
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
   };
 
   # This value determines the NixOS release with which your system is to be
diff --git a/morph/testing-grid.nix b/morph/testing-grid.nix
index c58cefa4de516178c6619a26228cfd53473443a0..5591827e3e02423abeeb31123c383bd42dfdf1c5 100644
--- a/morph/testing-grid.nix
+++ b/morph/testing-grid.nix
@@ -4,12 +4,8 @@
 import ./make-grid.nix {
   name = "Testing";
   nodes = cfg: {
-    "testing000" = import ./testing000.nix {
-      publicIPv4 = "3.123.26.90";
-      # Pass along some of the Tahoe-LAFS configuration.  If we have much more
-      # configuration than this we may want to keep it bundled up in one value
-      # instead of pulling individual values out to pass along.
-      inherit (cfg) publicStoragePort;
-    };
+    "testing000" = import ./testing000.nix (cfg // {
+      publicIPv4 = "35.157.216.200";
+    });
   };
 }
diff --git a/morph/testing000.nix b/morph/testing000.nix
index 3a5bd414ce7a2dbe8ed9ae751a34203affbaadd3..e5f9c3f32bf4c75fea438a309a92c372f44f8ff8 100644
--- a/morph/testing000.nix
+++ b/morph/testing000.nix
@@ -1,5 +1,22 @@
-{ publicIPv4, publicStoragePort }:
-{ imports = [
+{ publicIPv4, publicStoragePort, ristrettoSigningKeyPath }: rec {
+
+  deployment = {
+    secrets = {
+      "ristretto-signing-key" = {
+        source = ristrettoSigningKeyPath;
+        destination = "/var/secrets/ristretto.signing-key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        # Service name here matches the name defined by our tahoe-lafs nixos
+        # module.  It would be nice to not have to hard-code it here.  Can we
+        # extract it from the tahoe-lafs nixos module somehow?
+        action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+      };
+    };
+  };
+
+  imports = [
     ./testing000-hardware.nix
     ../nixos/modules/private-storage.nix
   ];
@@ -8,5 +25,6 @@
   { enable = true;
     inherit publicIPv4;
     inherit publicStoragePort;
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
   };
 }