diff --git a/.sops.yaml b/.sops.yaml
index 02d589d..74d7ed4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,6 +13,12 @@ creation_rules:
 - age:
 - *marisa
 - *flandre
+ - path_regex: secrets/common.*
+ key_groups:
+ - age:
+ - *marisa
+ - *flandre
+ - *reisen
 - path_regex: secrets/hosts/(opentofu/)?marisa-.*
 key_groups:
 - age:
diff --git a/nixos/profiles/users/root/default.nix b/nixos/profiles/users/root/default.nix
index cbf472d..9c1435b 100644
--- a/nixos/profiles/users/root/default.nix
+++ b/nixos/profiles/users/root/default.nix
@@ -1,9 +1,15 @@
-{ ... }:
+{ config, ... }:
 {
 users.users.root = {
+ hashedPasswordFile = config.sops.secrets."user-password/root".path;
 openssh.authorizedKeys.keyFiles = [
 ./_ssh/marisa-7d76
 ./_ssh/marisa-a7s
 ];
 };
+
+ sops.secrets."user-password/root" = {
+ neededForUsers = true;
+ sopsFile = config.sops.secretFiles.get "common.yaml";
+ };
 }
diff --git a/secrets/common.yaml b/secrets/common.yaml
new file mode 100644
index 0000000..c965529
--- /dev/null
+++ b/secrets/common.yaml
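Review bot: The new creation rule's `path_regex: secrets/common.*` is unanchored and `.` is a regex wildcard, so it matches any path containing `secrets/common` (a future `secrets/common-extra.yaml` or `secrets/common/…`), and sops uses the first rule that matches; anchoring it as `path_regex: ^secrets/common\.yaml$` keeps other secrets from silently being encrypted to this key group. The surrounding rules use the same unanchored style, so if you tighten this one it is worth tightening them for consistency. The rule also widens the recipient set from the two keys used by the rule above it (`*marisa`, `*flandre`) to include `*reisen`, which is what a file every host decrypts needs, but it means compromise of any one of the three age keys exposes the shared root password hash; a comment such as `# shared by all hosts: every key listed here can decrypt the root password hash` would make that intent explicit. `&reisen` must be defined in the `keys:` block above, and the enclosing `creation_rules` list starts and continues outside this hunk.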
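Review bot: `hashedPasswordFile` will not change root's password on hosts where root already has one unless `users.mutableUsers = false` is set, since the NixOS docs for `users.mutableUsers` state that with mutable users "existing passwords will not be changed"; nothing in this hunk sets it, so confirm it is set elsewhere or the declared hash is silently ignored on already-deployed hosts. `config.sops.secretFiles.get "common.yaml"` appears to be a repo-local helper rather than an upstream sops-nix option (it is not defined in this diff), so a comment on that line saying what it resolves to, e.g. `# resolves to secrets/common.yaml; recipients are set by the secrets/common.* rule in .sops.yaml`, would save the next reader a search. `neededForUsers = true` is the right setting for a secret consumed by user creation, since sops-nix has to decrypt it before the `users` activation step runs.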
@@ -0,0 +1,40 @@ +user-password: + root: ENC[AES256_GCM,data:kRmWP8njGn+oMdV6PQSxeV9tdTrAGjcJGAYM522nxz5gtr6b0XDoTxmhrNLPDZqcI9l8Xhh8ER3OShZMzvVKcwXfpBgqcS4csQ==,iv:RlNTT7L5DRkQ2Nq7te4fUZYspmZYMEDK1UVzTVE5WPw=,tag:gVokqSdkfYNySo9+of5R8Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1sfnct03u4cvfj98x4yjrcrrnu5gg8qgxrwk4uqq8w4e6wveeaedq97rn44 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K3h4aW1HU2FPZDFDSzc5 + Ri8ycE5VR0ZpZ3R1QTlWY1VIZ1plazZoZVFJClcvcFV3ZE1lZ1ZnT1JacUYxV29B + dEtrZTNKdEZ6bTJ4VnVWb0REbDRRMXcKLS0tIHpMYWREWG4reWoreFYyMG95WEk0 + ZkUray9HY3gwV3hmbEdIVVY1VElQVHcKWMYjkiqNVq8MMOxZ83kN1XL1Orlg78ww + QCoKw3xD25lStf5CIGOgHZBmtvhgnImj+7NiCz/Pa+LtUz0SQSp+/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age166kxtrcx99fxlgtvz5mvyt5ctvk3dt09f42gvm94ngnkyztmmelsyzdn77 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVlcrN1dySmtCSWY5VTJa + WHFETXZoOGRIZWhOTGphK3gzUERxSkpKUGpjCjJTNE1EZFg1M2xPRU9XOGtqTzZj + S21HWmlGRGdMcHJBNzZwUW9aU3JsUlEKLS0tIGlxcWFqQ1psdWVabTFURVhsaUF2 + bTVZdTRnVkhKa2x2T0lGUU9jaTFJcmcKtDjAosAhPWIPNfp2wsB7/2ADF051dTCA + PmPY15/snA+bT8Ihbt61lZ+8YoS8InnzoxZMPPwSZOSQEQ+ASH5HZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1uf2h3hlv373ppdstjlngyuu7q5mee3u3ww3674lsj9rlt9ax7vqsv7wpe8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVndwNlg3QzJaYWRQeldn + RW9LdXRIaEFtWVBWSnRXNW5pZzVzNHl5Sm5rClNhVU0xbjZmQXpqUEZYa0lmTG1a + THhOaUhrbFZxM2xnM1d4Yi9DNGVydWMKLS0tIHpMUVJHQ0NxSjQ1YWdOb1dGbW8v + SEtlY1ZoZEkrSU04VmRRTVYrTS9mbUEKt+7p4KMFFj9+4lRhRhUOFUl9EPljV8Co + HPaO9E3PrsUtnPObwzHUhIOdugOWCzhUSUklCI2k7u6TkCnzqTzTyg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-12T11:23:56Z" + mac: 
ENC[AES256_GCM,data:ZiGNQCdn26oArPFDw5S8NFKgM/SPP5H0rPWWqqtrfDK3nE5zZ3txrZrF+8ZEUqs0WdV/P5FZm5WL/ek2LUD5OFCzwtbGnFkATeFqt+kr0vUZ5M0gUT+fiKQ49WuntviZng9S3iIH59/rgRwe+cOpakpWh4RgQkdKDTsthekv1Pw=,iv:vfwGjyIRppw6pXVLtmeMd6zbnht8fpLSZFHhu5F4swk=,tag:6T9dthM3uKDDQxFH+ieaRQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1