diff --git a/hosts/vps1/matrix.nix b/hosts/vps1/matrix.nix
index 610fc08..c0b970c 100644
--- a/hosts/vps1/matrix.nix
+++ b/hosts/vps1/matrix.nix
@@ -41,8 +41,6 @@ let
       allow = true;
       default = true;
       require = true;
-      pickle_key =
-        if (bridge == "mautrix-whatsapp") then "maunium.net/go/mautrix-whatsapp" else "mautrix.bridge.e2ee";
     };
     provisioning = {
       shared_secret = "disable";
@@ -71,6 +69,24 @@ in
     (inputs.nixpkgs-unstable + /nixos/modules/services/matrix/mautrix-whatsapp.nix)
   ];
 
+  age.secrets = {
+    mautrix-doublepuppet-registration = {
+      rekeyFile = ./secrets/mautrix-doublepuppet-registration.age;
+      mode = "0440";
+      group = "matrix-synapse";
+    };
+    mautrix-signal-env = {
+      rekeyFile = ./secrets/mautrix-signal-env.age;
+      mode = "0440";
+      group = "mautrix-signal";
+    };
+    mautrix-whatsapp-env = {
+      rekeyFile = ./secrets/mautrix-whatsapp-env.age;
+      mode = "0440";
+      group = "mautrix-whatsapp";
+    };
+  };
+
   networking.firewall.allowedTCPPorts = [
     8448 # Matrix federation
   ];
@@ -177,6 +193,9 @@ in
     enable = true;
     enableRegistrationScript = true;
     settings = {
+      app_service_config_files = [
+        config.age.secrets.mautrix-doublepuppet-registration.path
+      ];
       database.name = (if usePostgresql then "psycopg2" else "sqlite3");
       enable_metrics = false;
       enable_registration = false;
@@ -213,16 +232,25 @@ in
 
   services.mautrix-signal = lib.mkIf bridges.signal {
     enable = true;
-    settings = commonBridgeSettings "mautrix-signal";
+    environmentFile = config.age.secrets.mautrix-signal-env.path;
+    settings = lib.recursiveUpdate {
+      encryption = {
+        pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
+      };
+    } (commonBridgeSettings "mautrix-signal");
   };
 
   services.mautrix-whatsapp = lib.mkIf bridges.whatsapp {
     enable = true;
+    environmentFile = config.age.secrets.mautrix-whatsapp-env.path;
     settings = lib.recursiveUpdate {
       backfill = {
         enabled = true;
         max_initial_messags = 50;
       };
+      encryption = {
+        pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
+      };
       network = {
         mute_status_broadcast = true;
         history_sync = {
diff --git a/hosts/vps1/secrets/mautrix-doublepuppet-registration.age b/hosts/vps1/secrets/mautrix-doublepuppet-registration.age
new file mode 100644
index 0000000..34fd8eb
Binary files /dev/null and b/hosts/vps1/secrets/mautrix-doublepuppet-registration.age differ
diff --git a/hosts/vps1/secrets/mautrix-signal-env.age b/hosts/vps1/secrets/mautrix-signal-env.age
new file mode 100644
index 0000000..ecbb3c6
Binary files /dev/null and b/hosts/vps1/secrets/mautrix-signal-env.age differ
diff --git a/hosts/vps1/secrets/mautrix-whatsapp-env.age b/hosts/vps1/secrets/mautrix-whatsapp-env.age
new file mode 100644
index 0000000..8fd65dc
--- /dev/null
+++ b/hosts/vps1/secrets/mautrix-whatsapp-env.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Aun1dGh6g8jvPV3vYn1oUoP+LjhV973flcjtVIqtdvHU
+ZJgOWsP2WeQEFImxZfWgv2p6JJax3Hc3BW7UQ455l5o
+-> ;2e%O0-grease Ct9^D x[W(+5% vo@!Dg~p ?,{
+LvLHWuzvEitBOTvXnva7wk7iSnlW7QO9
+--- EX0W81CgIg/olFdTbVgSOkPo43W81hzOyyUVwC4iNTI
+yY×ÛÅ;àdþê6#àq%G{Á]šQÞmv(L‚è‡ÓG_Æfæ~×Áò=
+ÞÄös ¥¡S‚òiU¥Ôû}³2¨¤æV·_óþrHÇn×S›	¤$é8‘ Oñ1‘|¼9'ßð#Åì{
+‡€ÍlUÇ7y[îMSÐFG!ëÄ¤—ôH³bþ‰]?àBC(¬j™™ŒsXê4
+ýû?ïIakPÄ9³J¡ü>þ´ŠhŸáÓyê·ßobù6D.T}hz>A¯[³ú«» ÆÈF%å>å®EÌ
\ No newline at end of file
diff --git a/secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age b/secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age
new file mode 100644
index 0000000..c698b5f
--- /dev/null
+++ b/secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA /lISmmDOngpCBwSzDxvzEwuYzfF7+HvVx79t63wW30o
+doVKg72Ayle+ZaLY70mxOzQQQ9h1PbrIuqjTRhOQobs
+-> 31A;]V-grease tT@4m2=P
+UElYAFZWQ2JzWKFWanbljMj5JA3n7D0s
+--- 4p3W3tOSNKA0vMKKAIxGWYHjKXssvdalTwawCr0efpo
+ÇòU¥n[yô¼Â8'@ˆÂµ#Ü5(xÝig>ÔÜ± †u{¯Ý»­3€C\Ž´Ñv„A»À@}îîd¬®Œ’KCr˜Y{©Y#9q~÷Eæ
+:„ÄæáÛÖ“jH+uŒ{7_ÃÊ’´hµ¥_+4ûùöé'ŠÉÒ4}¡8=äÖGüd÷ûÎíŒ×´{òñ/löþtø¼¢?J"«\xO¾³:QásÙrG±šŸÃˆ§Ûò;Po h)û$R<…X@·\_?âC‚YÎ4på2¿ÔeR_†À|1×Ê(:ÅÕ¾Òö
\ No newline at end of file
diff --git a/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age b/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
new file mode 100644
index 0000000..1c11323
--- /dev/null
+++ b/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA LfDvF0kXFmP4yGPz9A5uov9DbRfMeLniWQhgnYE3ZA0
+9GkGo/twG1cfOHZgRGAmAcfQlrgQ86QvgehbkleKyz0
+-> GEv|{-grease c)B+5+, \v$ piek
+hwIw75OzOhfdScMKrNZ5i+WWh5zcfMryQXdbz81yUkEjWm9P4UVOYee+zz4/PU+t
+6nEKEqvPf6RwBOzAlzx72Yi0l+onxh1CHOWRlfU
+--- dkZlSoaBUqLnMu25ocR0VwgPr190ZOmcMdxQ3KApFS0
+ƒþ<Ù²õŒ}M9Gdhœú’³0[ù¹ú¡²¯Ì®È¼ažjÅg–…¨:JÀ»Æ$:^èä€OÓeêø@÷žoé‡1
+¤r]I>†tü?°XãQÙ•Ù‰¡„A¯r)ab	§’”Ü$8e“ˆ½f¥ÅzÍ7ÓÜÁlf)Õ|jl“%öâ
+v-òá!ª‘•(ÕÙ.qR…ÚÙ*yŽÁ¿¿XªÙµÉi€ÎÌi	ä†Æê‘c=½ƒúeÐ„>/ôLsö½—4ò-.ó™èYq¤¸é‰¾âb|ðÖKßFc	(17Ê²™KI~>t4Áw	ípÝÈ¨IquÝši¾£œEÞ\Õ×‘AZ1`Zõ\ê¤¨ÄË²¯Mª©©UmÚß2z¿	ùìxãÒv(A«¢W6oÉ¶ùÇfÕ7Ç)e—™Ó5­ýîêR2/`äó•Ú\å
\ No newline at end of file
diff --git a/secrets/rekeyed/vps1/33aa80cdd327d566b3ad02189b6d105b-mautrix-signal-env.age b/secrets/rekeyed/vps1/33aa80cdd327d566b3ad02189b6d105b-mautrix-signal-env.age
new file mode 100644
index 0000000..8930742
Binary files /dev/null and b/secrets/rekeyed/vps1/33aa80cdd327d566b3ad02189b6d105b-mautrix-signal-env.age differ