diff --git a/secrets.nix b/secrets.nix index 7bfd8a7..24c992a 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,6 +5,7 @@ let secrets = with keys; { hydra-s3-credentials = [ machines.bagel-box ]; + hydra-signing-priv = [ machines.bagel-box ]; hydra-ssh-key-priv = [ machines.bagel-box ]; netbox-environment = [ machines.meta01 ]; mimir-environment = [ machines.meta01 ]; diff --git a/secrets/hydra-signing-priv.age b/secrets/hydra-signing-priv.age new file mode 100644 index 0000000..23cd618 Binary files /dev/null and b/secrets/hydra-signing-priv.age differ diff --git a/services/hydra/default.nix b/services/hydra/default.nix index 6c9a37d..29e5508 100644 --- a/services/hydra/default.nix +++ b/services/hydra/default.nix @@ -48,6 +48,9 @@ in { age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age; + age.secrets.hydra-signing-priv.owner = "hydra-queue-runner"; + age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age; + age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner"; age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age; @@ -90,7 +93,7 @@ in { endpoint = "s3.delroth.net"; region = "garage"; - #secret-key = "TODO"; + secret-key = config.age.secrets.hydra-signing-priv.path; compression = "zstd"; log-compression = "br";
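Review bot: The new `hydra-signing-priv` entry in `secrets.nix` lists `machines.bagel-box` as its only recipient, so that host key is the only way to decrypt or rekey the cache signing key, unless recipients are appended elsewhere in the file, outside this hunk. That is the right default for least privilege, but losing the host key would then mean issuing a new signing key and re-establishing trust on every client of the cache. I would add a comment on the line recording where the recovery copy lives, for example `# binary cache signing key; offline backup and rotation notes: <LOCATION>`.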
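Review bot: The added `age.secrets.hydra-signing-priv` lines in `services/hydra/default.nix` set the owner but leave mode and group to the agenix defaults, which is thin for the key that vouches for every path the cache serves. Pinning the mode next to the owner, `age.secrets.hydra-signing-priv.mode = "0400";`, keeps the permission from drifting if a default or a shared override changes later. A short comment such as `# signing key for the S3 binary cache; owned by hydra-queue-runner` would also tell the next reader why this secret carries an owner while the S3 credentials above it do not.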
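Review bot: Replacing `#secret-key = "TODO";` with a real key path turns signing on for new uploads, but nothing in this commit records the matching public key or says what happens to objects stored while signing was off. Those earlier paths presumably stay unsigned in the bucket, so any client that enforces `trusted-public-keys` would reject them until they are re-signed or rebuilt; that is worth confirming before the cache is advertised. I would put a comment above the line, `# private half of the cache signing key (agenix); public half must be in clients' trusted-public-keys`, and note the re-signing decision in the commit message. The attribute set holding this line starts and ends outside the hunk, so how the value reaches the store URI is not visible here.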