diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix
index bd92b14..84f4d2f 100644
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@@ -103,7 +103,9 @@ in
 # Insecure, I don't care
 passwordFile = builtins.toFile "paperless.env" my.secrets.paperless.password;
- secretKey = my.secrets.paperless.secretKey;
+ secretKeyFile = builtins.toFile "paperless-key.env" ''
+ PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
+ '';
 };
 # The whole *arr software suite
 pirate.enable = true;
diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix
index 0e29325..2f688ec 100644
--- a/modules/services/paperless.nix
+++ b/modules/services/paperless.nix
@@ -13,10 +13,12 @@ in
 description = "Internal port for webui";
 };
- secretKey = mkOption {
+ secretKeyFile = mkOption {
 type = types.str;
- example = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee";
- description = "Secret key used for sessions tokens";
+ example = "/var/lib/paperless/secret-key.env";
+ description = ''
+ Secret key as an 'EnvironmentFile' (see `systemd.exec(5)`)
+ '';
 };
 documentPath = mkOption {
@@ -65,7 +67,6 @@ in
 PAPERLESS_DBNAME = "paperless";
 # Security settings
- PAPERLESS_SECRET_KEY = cfg.secretKey;
 # Insecure, I don't care
 PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
 PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
@@ -81,6 +82,20 @@ in
 passwordFile = cfg.passwordFile;
 };
+ systemd.services = {
+ paperless-ng-server.serviceConfig = {
+ EnvironmentFile = cfg.secretKeyFile;
+ };
+
+ paperless-ng-consumer.serviceConfig = {
+ EnvironmentFile = cfg.secretKeyFile;
+ };
+
+ paperless-ng-web.serviceConfig = {
+ EnvironmentFile = cfg.secretKeyFile;
+ };
+ };
+
 # Set-up database
 services.postgresql = {
 enable = true;
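Review bot: `builtins.toFile "paperless-key.env" ''…''` still writes the secret key into the Nix store, where it is world-readable, so on this machine the switch to `secretKeyFile` gains nothing over the removed inline `secretKey`; the new option only improves confidentiality when it points at a file deployed outside the store, e.g. (constructed path) `secretKeyFile = "/run/secrets/paperless-key.env";`. The existing `# Insecure, I don't care` comment sits above `passwordFile` and now covers both lines, so it should at least say so: `# Insecure, I don't care: both files below end up world-readable in /nix/store`. The key is also written unquoted; systemd parses `EnvironmentFile` values with quoting and backslash escapes, so a key containing a double quote or backslash would presumably be mangled and the line is safer double-quoted. The enclosing attribute set starts before the hunk.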
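Review bot: The new `secretKeyFile` description does not say what the file must contain or where it should live, although the module depends on both: the units consume it as a systemd `EnvironmentFile`, so it has to define `PAPERLESS_SECRET_KEY=...`, and it should sit outside the Nix store with restrictive permissions because anything under `/nix/store` is world-readable. I would expand the description to: `Path to a systemd EnvironmentFile (see systemd.exec(5)) that defines PAPERLESS_SECRET_KEY. Keep it outside the Nix store (e.g. /var/lib/paperless/secret-key.env, mode 0400); a builtins.toFile value is world-readable.` Whether `types.path` would fit better than `types.str` depends on how the module declares its other secret paths; `passwordFile` is declared outside this hunk, so I cannot tell from here.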
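Review bot: Nothing in the module flags a `secretKeyFile` that lives in the Nix store, and the only call site in this commit does exactly that via `builtins.toFile`, so the confidentiality gain of `EnvironmentFile` is silently lost; a build-time warning makes this visible without breaking such configs: `warnings = lib.optional (lib.hasPrefix builtins.storeDir cfg.secretKeyFile) "paperless secretKeyFile points into the Nix store; the secret key is world-readable.";` (assuming `lib` is in scope, as the unprefixed `mkOption`/`types` suggest). The three `serviceConfig` blocks are identical and could be a single `lib.genAttrs [ "paperless-ng-server" "paperless-ng-consumer" "paperless-ng-web" ] (_: { serviceConfig.EnvironmentFile = cfg.secretKeyFile; })`, which also keeps the unit list in one place should the upstream module gain another unit. The enclosing attribute set starts and ends outside the hunk.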