diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 51046b436e297cdc5034134e3503556e8030588c..2c30f075f8c717bb16ae30673836704d107e5205 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -9,15 +9,15 @@ rec {
     secrets = {
       "ristretto-signing-key" = {
         destination = "/run/keys/ristretto.signing-key";
-        owner.user = "root";
-        owner.group = "root";
+        owner.user = "zkapissuer";
+        owner.group = "zkapissuer";
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "stripe-secret-key" = {
         destination = "/run/keys/stripe.secret-key";
-        owner.user = "root";
-        owner.group = "root";
+        owner.user = "zkapissuer";
+        owner.group = "zkapissuer";
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 10de198467dce9d831b2eb40f89a60cfbf0d1298..f28bec2d3aa135ec78e1a8b29568aada69a5344d 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -155,6 +155,13 @@ in {
       serviceConfig.Restart = "always";
       serviceConfig.Type = "simple";
 
+      # Run w/o privileges
+      serviceConfig = {
+        DynamicUser = false;
+        User = "zkapissuer";
+        Group = "zkapissuer";
+      };
+
       script =
         let
           # Compute the right command line arguments to pass to it.  The
@@ -182,6 +189,20 @@ in {
           "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpArgs} ${stripeArgs}";
     };
 
+    # PaymentServer runs as this user and group by default
+    # Mind the comments in nixpkgs/nixos/modules/misc/ids.nix: "When adding a uid,
+    # make sure it doesn't match an existing gid. And don't use uids above 399!"
+    ids.uids.zkapissuer = 397;
+    ids.gids.zkapissuer = 397;
+    users.extraGroups.zkapissuer.gid = config.ids.gids.zkapissuer;
+    users.extraUsers.zkapissuer = {
+      uid = config.ids.uids.zkapissuer;
+      isNormalUser = false;
+      group = "zkapissuer";
+      # Let PaymentServer read from keys, if necessary.
+      extraGroups = [ "keys" ];
+    };
+
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80