diff --git a/modules/server-age-secrets.nix b/modules/server-age-secrets.nix
index 0f09962..3cb5c09 100644
--- a/modules/server-age-secrets.nix
+++ b/modules/server-age-secrets.nix
@@ -217,5 +217,15 @@
 owner = "firefly-iii-data-importer";
 group = "caddy";
 };
+
+ # LiveKit + lk-jwt-service shared signing keys (`: ` per
+ # nixpkgs services.livekit.keyFile docs). systemd reads via LoadCredential
+ # before dropping privileges, so root-only is correct for both consumers.
+ livekit-keys = {
+ file = ../secrets/server/livekit-keys.age;
+ mode = "0400";
+ owner = "root";
+ group = "root";
+ };
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1b3cfb5..84d796b 100644
Binary files a/secrets/secrets.nix and b/secrets/secrets.nix differ
diff --git a/secrets/server/livekit-keys.age b/secrets/server/livekit-keys.age
new file mode 100644
index 0000000..7d52ce5
Binary files /dev/null and b/secrets/server/livekit-keys.age differ
diff --git a/secrets/server/livekit_keys b/secrets/server/livekit_keys
deleted file mode 100644
index 0d894e9..0000000
Binary files a/secrets/server/livekit_keys and /dev/null differ
diff --git a/services/matrix/livekit.nix b/services/matrix/livekit.nix
index 99a5208..cdbb310 100644
--- a/services/matrix/livekit.nix
+++ b/services/matrix/livekit.nix
@@ -1,14 +1,12 @@
 {
+ config,
 service_configs,
 ...
 }:
-let
- keyFile = ../../secrets/server/livekit_keys;
-in
 {
 services.livekit = {
 enable = true;
- inherit keyFile;
+ keyFile = config.age.secrets.livekit-keys.path;
 openFirewall = true;
 settings = {
@@ -34,7 +32,7 @@ in
 services.lk-jwt-service = {
 enable = true;
- inherit keyFile;
+ keyFile = config.age.secrets.livekit-keys.path;
 livekitUrl = "wss://${service_configs.livekit.domain}";
 port = service_configs.ports.private.lk_jwt.port;
 };
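Review bot: The plaintext `secrets/server/livekit_keys` that this commit deletes stays recoverable from git history, so if `livekit-keys.age` (the `file = …` line of the new `livekit-keys` entry) presumably just re-encrypts the same API key/secret, the exposure is not contained; the LiveKit key pair should be rotated and the rotated pair is what belongs in the `.age` file. The comment's format description reads as `` `: ` `` here, which looks like a lost placeholder; I'd spell it out, e.g. `# one "<api-key>: <api-secret>" line, per nixpkgs services.livekit.keyFile docs`. The `root:root`/`0400` choice is only right if both consuming modules really read the file through systemd `LoadCredential`, which the comment asserts but this hunk cannot show; if either service user opens the path directly it will fail with permission denied, so confirm against the nixpkgs module sources before relying on it. The enclosing `age.secrets` attribute set starts before this hunk.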
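Review bot: `config.age.secrets.livekit-keys.path` is now written out twice in this file (here for `services.livekit` and again in the `services.lk-jwt-service` block of the next hunk), where the removed `let keyFile = …; in` kept both consumers on one definition; since lk-jwt-service's tokens only verify when it signs with exactly the key LiveKit loads, I'd keep the single binding: `let keyFile = config.age.secrets.livekit-keys.path; in` at the top and `inherit keyFile;` in both service blocks. Behaviour is the same either way; this is a style point about keeping the two paths from drifting. Note also that this file now evaluates only when the module declaring `age.secrets.livekit-keys` is imported alongside it, which is worth a comment on the `keyFile` line.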