diff --git a/presets/nixos/normal-encrypted-drive.nix b/presets/nixos/normal-encrypted-drive.nix
index 2f5adfc..aadc20e 100644
--- a/presets/nixos/normal-encrypted-drive.nix
+++ b/presets/nixos/normal-encrypted-drive.nix
@@ -20,6 +20,7 @@ in {
 "cryptd"
 ];
 initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -m 0755 -p /keys
 mkdir -m 0755 -p ${usb_data.mountpoint}
 while !(test -b ${usb_data.encrypted_path})
@@ -33,12 +34,18 @@ in {
 cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
 mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
+
+ cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys
+
+ umount -f ${usb_data.mountpoint}
+
+ cryptsetup close ${usb_data.mapper_name}
 '';
 initrd.luks.devices = {
 "${drive_data.root_mapper_name}" = {
 device = "${drive_data.encrypted_root_path}";
- keyFile = "${usb_data.encryption_keys_path}/${config.networking.hostName}.key";
+ keyFile = "/keys/${config.networking.hostName}.key";
 preLVM = false;
 allowDiscards = true;
 };
diff --git a/profiles/usb-automount.nix b/profiles/usb-automount.nix
index e81c5f5..5d21eef 100644
--- a/profiles/usb-automount.nix
+++ b/profiles/usb-automount.nix
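Review bot: `/keys` is created with `mkdir -m 0755 -p /keys`, but its only purpose is to hold the LUKS key file that the later hunk copies into it, so the fitting mode is `mkdir -m 0700 -p /keys`. Stage-1 runs as root only, so this is defence in depth and a statement of intent rather than a live exposure. The `initrd.postDeviceCommands` string this line belongs to starts in this hunk and continues past its end.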
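Review bot: The new `cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys` line has no failure handling, so a stick that lacks this host's key file is silently unmounted and closed and the problem only surfaces later as a missing `keyFile` at the root unlock. Suggest `cp ${usb_data.encryption_keys_path}/${config.networking.hostName}.key /keys || echo "no key for ${config.networking.hostName} on USB" >&2`, followed by `chmod 0600 /keys/${config.networking.hostName}.key` so the copy's mode does not depend on the source filesystem. The `cryptsetup close ${usb_data.mapper_name}` after `umount -f` is likewise unchecked: if the forced unmount does not complete, the close fails and the `${usb_data.mapper_name}` mapping stays open into the booted system, where the automount profile only ever closes the `_afterboot` name. Whether `fallbackToPassword` is set for this device is not visible here, so an interactive fallback on a missing key is an assumption. The `postDeviceCommands` string starts before this hunk.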
@@ -1,39 +1,38 @@ {pkgs, ...}: let usb_data = import ../data/usb_data.nix {}; - mapper_name = "usb_unencrypted_afterboot"; - mapper_path = "/dev/mapper/${mapper_name}"; - mount_usb = pkgs.writeShellScriptBin "mount_usb" '' - umount ${usb_data.mountpoint} || true - cryptsetup close ${mapper_name} || true - - cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} - - mount ${mapper_path} -o rw ${usb_data.mountpoint} + enc_usb_mount = pkgs.writeShellScriptBin "enc_usb_mount" '' + set -x + ${enc_usb_unmount}/bin/enc_usb_unmount + cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}_afterboot - + mount ${usb_data.mapper_path}_afterboot -o rw ${usb_data.mountpoint} ''; - unmount_usb = pkgs.writeShellScriptBin "unmount_usb" '' + enc_usb_unmount = pkgs.writeShellScriptBin "enc_usb_unmount" '' + set -x umount -flR ${usb_data.mountpoint} || true - cryptsetup close ${mapper_name} || true + cryptsetup close ${usb_data.mapper_name}_afterboot || true ''; in { - environment.systemPackages = [mount_usb unmount_usb]; + environment.systemPackages = [enc_usb_mount enc_usb_unmount]; systemd.tmpfiles.rules = ["d ${usb_data.mountpoint} - chaos root"]; - systemd.services.usb-mount = { + systemd.services.enc-usb-mount = { path = [pkgs.util-linux pkgs.cryptsetup]; + wantedBy = ["multi-user.target"]; script = '' - ${mount_usb}/bin/mount_usb + ${enc_usb_mount}/bin/enc_usb_mount ''; }; - systemd.services.usb-unmount = { + systemd.services.enc-usb-unmount = { path = [pkgs.util-linux pkgs.cryptsetup]; script = '' - ${unmount_usb}/bin/unmount_usb + ${enc_usb_unmount}/bin/enc_usb_unmount ''; }; services.udev.extraRules = '' - ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" - ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service" + ACTION=="add", 
ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="enc-usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
+ ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="enc-usb-unmount.service"
 '';
 }
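Review bot: The mount in `enc_usb_mount` passes only `-o rw`, so setuid binaries and device nodes on the stick are honoured by the kernel; `mount ${usb_data.mapper_path}_afterboot -o rw,nosuid,nodev ${usb_data.mountpoint}` costs nothing, and `noexec` as well if nothing on the stick needs to be executed (not determinable from here). The new `wantedBy = ["multi-user.target"]` on `enc-usb-mount` starts the unit on every boot in addition to the udev `add` trigger, so on a boot without the stick present the `luksOpen` and `mount` fail and the unit is likely left failed; if the intent is to handle a stick already plugged in at boot, the udev rule presumably already covers that once udev replays `add` events during coldplug, making the line redundant. `set -x` traces the `cat /secrets/usb_encryption_passphrase` command into the journal but not its output, so the passphrase itself is not logged. This hunk covers the whole file, and its rendering here is collapsed onto one line, so the exact line structure is inferred.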