diff --git a/etcnixos/system-mreow.nix b/etcnixos/system-mreow.nix
index 5d00398..fecb706 100644
--- a/etcnixos/system-mreow.nix
+++ b/etcnixos/system-mreow.nix
@@ -65,7 +65,7 @@ in
   lanzaboote = {
     enable = true;
     # TODO: proper secrets management so this is not stored in nix store
-    pkiBundle = "${(untar { src = "${./secrets/secureboot.tar}"; })}";
+    pkiBundle = "/var/lib/sbctl";
   };
 
   # Bootloader.
@@ -80,6 +80,19 @@ in
     };
   };
 
+  system.activationScripts = {
+    # extract all my secureboot keys
+    "secureboot-keys".text = ''
+      #!/bin/sh
+      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+      mkdir -p ${config.boot.lanzaboote.pkiBundle}
+      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
+      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+      chmod -R 700 ${config.boot.lanzaboote.pkiBundle}
+    '';
+  };
+
+
   programs.gamescope = {
     enable = true;
     capSysNice = true;
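Review bot: The TODO comment kept above the new `pkiBundle = "/var/lib/sbctl";` line now reads as if the store problem were solved, but the commit only moves the runtime copy: the second hunk still interpolates `${./secrets/secureboot.tar}`, which copies the tarball (private keys included) into the world-readable Nix store, so the TODO is still accurate and should say so. I would reword it to `# TODO: the keys are still copied into the (world-readable) Nix store by the secureboot-keys activation script; move them to a real secrets manager (sops-nix/agenix) or an out-of-store path`. The enclosing `lanzaboote = { ... }` attribute set begins before this hunk, so I cannot see whether it is nested under `boot` here.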
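Review bot: The `tar xf ${./secrets/secureboot.tar}` line in the new activation script interpolates a path literal, which makes Nix copy the tarball into /nix/store at evaluation time, so the private Secure Boot keys remain readable by every local user (and end up in any binary cache or closure you push) regardless of the `chmod -R 700` applied to the extracted copy. The extraction is also not atomic with respect to permissions: tar run as root keeps the archived file modes until the later `chmod`, so an `umask 077` before `tar` closes that window, and `chown -R root:wheel` paired with mode 700 grants the wheel group nothing, so `root:root` states the intent more honestly. Smaller points: the `#!/bin/sh` line is presumably inert because NixOS concatenates activation scripts into one shell script, `|| true` after `rm -fr` is redundant, and because the script runs on every activation it silently discards anything sbctl later writes into /var/lib/sbctl. The version below reads the tarball from a root-only path outside the store; the proper fix remains a secrets manager such as sops-nix or agenix.

```nix
    "secureboot-keys".text = ''
      # Tarball must live outside the Nix store (e.g. root:root 0600 in /var/lib/secureboot),
      # otherwise the private keys are world-readable via /nix/store.
      umask 077
      rm -rf ${config.boot.lanzaboote.pkiBundle}
      mkdir -p ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.gnutar}/bin/tar xf /var/lib/secureboot/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle}
      chown -R root:root ${config.boot.lanzaboote.pkiBundle}
      chmod -R u=rwX,go= ${config.boot.lanzaboote.pkiBundle}
    '';
```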