diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index 8734535..9fe7be0 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -3,6 +3,11 @@ keys:
 - &target_kevin-tp age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
 creation_rules:
 - path_regex: kevin-tp/secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *admin_kevin
+ - *target_kevin-tp
+ - path_regex: shared/secrets/[^/]+\.yaml$
 key_groups:
 - age:
 - *admin_kevin
diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix
index 87bc56f..f33655c 100644
--- a/nixos/modules/users.nix
+++ b/nixos/modules/users.nix
@@ -1,10 +1,19 @@
 {
 imports = [ ./ssh.nix ];
+ sops.secrets.password_kevin = {
+ neededForUsers = true;
+ sopsFile = ../shared/secrets/passwords.yaml;
+ };
+
+
+ users.mutableUsers = false;
+
 users.users.kevin = {
 isNormalUser = true;
 description = "Kevin Kandlbinder";
 extraGroups = [ "wheel" "docker" "dialout" "networkmanager" "floppy" "audio" "lp" "cdrom" "tape" "video" "render" ];
+ passwordFile = config.sops.secrets.password-kevin.path;
 };
 kevin.ssh.authorized.kevin.users = ["kevin" "root"];
diff --git a/nixos/shared/secrets/passwords.yaml b/nixos/shared/secrets/passwords.yaml
new file mode 100644
index 0000000..c68a920
--- /dev/null
+++ b/nixos/shared/secrets/passwords.yaml
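Review bot: The new `shared/secrets/[^/]+\.yaml$` rule encrypts to exactly the same two age recipients as the host-specific `kevin-tp/secrets/` rule above it, so "shared" currently means "kevin-tp only": every additional host that needs `shared/secrets/passwords.yaml` must be appended to this key group and `sops updatekeys` re-run on the already-encrypted file, or that host will fail to decrypt at activation. A comment above the rule stating that, e.g. `# shared/: add every host key that must read these files, then run sops updatekeys`, would keep the next host addition from silently missing it. Both `path_regex` values also appear to be unanchored at the start, so they match the path fragment anywhere under the repo root rather than only the top-level `kevin-tp/` and `shared/` directories; prefixing `^` would make the intent explicit. The `keys:` list that defines `&admin_kevin` begins above this hunk and is not visible here.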
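Review bot: The new `passwordFile` line reads `config.sops.secrets.password-kevin.path`, but the secret declared a few lines up is `sops.secrets.password_kevin` (underscore), so evaluation fails with a missing-attribute error; it should be `passwordFile = config.sops.secrets.password_kevin.path;`. `config` is also not in scope, because the module is a bare attribute set (the file starts with `{` on line 1) rather than a module function; the header needs to become `{ config, ... }: {`. Once it evaluates, this line together with `users.mutableUsers = false;` makes the sops secret the only password source for kevin, so a decryption failure on the target leaves only the SSH keys granted by `kevin.ssh.authorized.kevin.users` as a way in; a short comment above `users.mutableUsers` noting that trade-off would help. The encrypted value must be a password hash (mkpasswd output), not the plaintext, since `passwordFile` is read as a hash — that cannot be checked from the ciphertext here, and note that newer NixOS releases rename this option to `hashedPasswordFile`.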
@@ -0,0 +1,30 @@
+password_kevin: ENC[AES256_GCM,data:I1v/s/sCqEDdh2tivcxJouWw1X0aXmVVbk5/3cEaJZ1HlOnKhe4mFJgMq4a1foBI6hHhAudjnuwJJwdNFjLnyYb/TOzoTtyXjLKNC3A4kgU+Nl1fDg1B3zFuR4YjcIo5/GV1LuCzJrbZPA==,iv:PcZJOuAY0drEZZSfNca8g4h29PSPAdO91DbxPLHdOek=,tag:QGoO4GqIxADHQsGShvEvdQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y2FJS2JOUU42ek8wQThu
+ VWtHRWNMcXB0dFpmTFJ2b1NiTjdkU3l3OHhVCm5hR1VHQURndEJGT1BiTUZFM1hH
+ dGdIcnV5L3pPOHhnZzFmZVM3OGp2dFEKLS0tIEM4L0x1aGxOV2dpUTdCYlFCOWhi
+ MExVTG12bFNXRHdXVThJZ1V2YlIrUlkKrhokMJmFimyuzg1vi/fiiP8XjtKGtxf8
+ 5Usgxglk4o0ElsDryOfFdLJ6YJY78I3dyHzuXWhjbs8toTks/sGSkQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb2JBc2RRV3Fwa3RJb3Mx
+ WTlob3plakJBWEJGamNYYUpiclRmd2JySkdnCm9kNGZMQm53cSttNUhhV2xRenJR
+ OGV5RFV4M25MV0lPQ3BrTmxtQVVlV2MKLS0tIGFDelg2T2JCME9VS2lkYVE1d1lX
+ d3FDUFBaLzB4OWRQZkdTaFhJZUZiMGMK1CikqlTxoc2H6nXdWZJUhAy54S8I7yiw
+ 8CzEU3K4s01Hnoj3vhQtXtxIqd2kIqilLlo6QVdb9cbFeMTsUOMqaw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-02-27T14:15:06Z"
+ mac: ENC[AES256_GCM,data:ROjkbNrmEn0Hj6KeDW2S8gZ47FherNpy7Lta493QWonfAvFEPdY2nJOa3sVs3maTVzDzmFGqJCLGAO/iyeQqjcdCWtQ/lDqz0MZkzXPLViCRzJrDqp3qBk8pflm8drfsVD+mdYDQ5Alg8ffg/S1F+o+jyKzd94no6pI/m6DJNOI=,iv:9XEMpQ4eO70C1CHrqzbmS8CJvRZtG1WEVd3gfv6DKT0=,tag:ewOuZv/EYXdr2iTaFx8Mag==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3