diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix
index eb956a93..2a56031a 100644
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -13,6 +13,13 @@ in {
   options = {
     server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
   };
+
+  age.secrets.vaultwarden-env = {
+    file = "${self}/secrets/vaultwarden-env.age";
+    owner = "vaultwarden";
+    mode = "400";
+  };
+
   config = mkIf cfg.enable {
     systemd.services.backup-vaultwarden.serviceConfig = {
       User = "root";
@@ -39,6 +46,7 @@ in {
     };
     services.vaultwarden = {
       enable = true;
+      environmentFile = config.age.secrets.vaultwarden-env.path;
 
       backupDir = "/var/backup/vaultwarden";
 
diff --git a/secrets/vaultwarden-env.age b/secrets/vaultwarden-env.age
index 99293ee3..c06d529b 100644
Binary files a/secrets/vaultwarden-env.age and b/secrets/vaultwarden-env.age differ