diff --git a/machines/uninsane/services/duplicity.nix b/machines/uninsane/services/duplicity.nix
index 798e4863..f80b6e6d 100644
--- a/machines/uninsane/services/duplicity.nix
+++ b/machines/uninsane/services/duplicity.nix
@@ -6,7 +6,8 @@
 services.duplicity.targetUrl = secrets.duplicity.url;
 # format: PASSPHRASE=
 # two sisters
- services.duplicity.secretFile = /etc/nixos/secrets/duplicity_env;
+ services.duplicity.secretFile =
+ builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
 # NB: manually trigger with `systemctl start duplicity`
 services.duplicity.frequency = "daily";
 services.duplicity.exclude = [
diff --git a/secrets/default.nix b/secrets/default.nix
index c8d0eee6..5706f8a4 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -6,6 +6,8 @@
 # ^ run this until you get a key with no forward slashes :upside_down:
 # web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
 duplicity.url = "b2://::";
+ # remote backups will be encrypted using this (gpg) passphrase
+ duplicity.passphrase = "";
 # to generate:
 # wg genkey > wg0.private
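Review bot: The new `secretFile` value is built with `builtins.toFile`, which writes the `PASSPHRASE=…` line into the Nix store; store paths are readable by every local user and travel with the system closure, so the backup encryption passphrase is no longer confined to a root-only file. Keep the passphrase out of evaluated Nix strings and point the option at a file provisioned outside the store, e.g. `services.duplicity.secretFile = "/etc/nixos/secrets/duplicity_env";` (a string rather than a path literal, file owned by root with mode 0400), or at a path managed by a runtime secrets tool such as sops-nix or agenix. Separately, the interpolated value is written unquoted, so a passphrase containing whitespace, `#` or quote characters may be read differently by whatever parses this env file; that parsing is outside the hunk.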
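Review bot: The comment added above `duplicity.passphrase` says what the value encrypts but not that it is required to restore, nor how to generate it, while the neighbouring entries carry generation notes. I would extend it to something like `# required to decrypt/restore; must be non-empty; keep a copy somewhere other than the machine being backed up`. If the empty string shown here is the literal template value, an unfilled template would flow through as `PASSPHRASE=` with nothing after it, and how duplicity treats that is not visible from this page, so a check at the point of use (`assert secrets.duplicity.passphrase != "";`) would make the mistake fail at build time instead of at backup or restore time.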