diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix
index 2951a40f..9ad3e5be 100644
--- a/modules/base/network/wireguard.nix
+++ b/modules/base/network/wireguard.nix
@@ -141,13 +141,19 @@ in
 description = "UDP tunnel over TCP for wireguard";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- script = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 -k 'secret'";
+ script = ''
+ ${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 \
+ -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
+ '';
 };
 udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
 description = "UDP tunnel over TCP for wireguard";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- script = "${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 -k 'secret'";
+ script = ''
+ ${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 \
+ -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
+ '';
 };
 };
 };
@@ -159,5 +165,6 @@ in
 file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
 owner = "systemd-network";
 };
+ age.secrets."files/wireguard/udp2raw".file = ../../../secrets/files/wireguard/udp2raw.age;
 };
 }
diff --git a/secrets.nix b/secrets.nix
index d13204d9..39d27611 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -86,6 +86,7 @@ in
 "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users;
 "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users;
 "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users;
+ "secrets/files/wireguard/udp2raw.age".publicKeys = hosts ++ users;
 "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users;
 "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;
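Review bot: The decrypted key is still exposed on the process command line: `-k "$(cat …)"` is expanded by the shell when the unit starts, so the value ends up in udp2raw's argv and is readable through `/proc/<pid>/cmdline` and `ps` by any local user, which the move away from the literal `'secret'` does not address. The udp2raw-client script in the same hunk has the same pattern. If the packaged udp2raw supports its `--conf-file` option, putting the `-k` line into a root-only file (or into the age secret itself) and passing that path keeps the key out of argv; if that is not an option, the exposure is worth recording next to the script, e.g. `# NOTE: the key is visible in the process argv; acceptable only on single-user hosts`. The `systemd.services` attribute set these two scripts belong to begins before this hunk.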
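Review bot: The new udp2raw secret is encrypted to `hosts ++ users`, so every host in the fleet receives the shared key, while the wireguard.nix hunk shows only the server host and hosts with `onCorporate` set running a service that reads it. Narrowing the recipient list to those hosts, as the per-host `.privkey.age` entries above already do, limits what a compromised unrelated host can learn; if every host is intended to be able to act as a client, a one-line comment stating that would make the broad recipient list deliberate rather than accidental. The attribute set this entry belongs to starts and ends outside the hunk.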
diff --git a/secrets/files/wireguard/udp2raw.age b/secrets/files/wireguard/udp2raw.age
new file mode 100644
index 00000000..c5dba8bf
Binary files /dev/null and b/secrets/files/wireguard/udp2raw.age differ