diff --git a/modules/desktop-age-secrets.nix b/modules/desktop-age-secrets.nix index c54bc76..dec1391 100644 --- a/modules/desktop-age-secrets.nix +++ b/modules/desktop-age-secrets.nix @@ -66,5 +66,15 @@ in group = "root"; }; + # Master password for oo7-daemon's 'Login' keyring; the unit consumes it + # via systemd's ImportCredential machinery (see desktop-oo7-daemon.nix). + # Owner is `primary` so the user-scope systemd unit can LoadCredential it. + oo7-keyring-password = { + file = ../secrets/desktop/oo7-keyring-password.age; + mode = "0400"; + owner = "primary"; + group = "users"; + }; + }; } diff --git a/modules/desktop-oo7-daemon.nix b/modules/desktop-oo7-daemon.nix index f5c44c3..90d42a9 100644 --- a/modules/desktop-oo7-daemon.nix +++ b/modules/desktop-oo7-daemon.nix @@ -31,5 +31,14 @@ systemd.user.services.oo7-daemon = { wantedBy = [ "default.target" ]; aliases = [ "dbus-org.freedesktop.secrets.service" ]; + # Feed the keyring master password through systemd's credential + # machinery. The upstream unit declares + # `ImportCredential=oo7.keyring-encryption-password`, which picks up + # whatever LoadCredential leaves under $CREDENTIALS_DIRECTORY. agenix + # decrypts the secret to /run/agenix/oo7-keyring-password as the + # `primary` user, who is also the user this user-scope unit runs as. + serviceConfig.LoadCredential = [ + "oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password" + ]; }; } diff --git a/secrets/desktop/oo7-keyring-password.age b/secrets/desktop/oo7-keyring-password.age new file mode 100644 index 0000000..1347efd Binary files /dev/null and b/secrets/desktop/oo7-keyring-password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2eec575..886c5e2 100644 Binary files a/secrets/secrets.nix and b/secrets/secrets.nix differ
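Review bot: `group = "users";` on the new `oo7-keyring-password` entry grants nothing under `mode = "0400";`, so either the group line is dead or the mode is narrower than intended; if only `primary` is meant to read the decrypted file, drop the group line so the rule reads the way it is enforced, otherwise widen it to `mode = "0440";`. The account name `primary` is now the coupling point between this secret's owner and the user-scope unit in desktop-oo7-daemon.nix, and nothing here checks that the two agree; a why-comment on the owner line would help the next edit, e.g. `# Must match the user that runs the oo7-daemon user unit.`. The enclosing `age.secrets` attrset begins before this hunk.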
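Review bot: The `serviceConfig.LoadCredential` value hard-codes `/run/agenix/oo7-keyring-password`, duplicating the path agenix derives from the secret declared in desktop-age-secrets.nix; if `age.secretsDir` or the secret name ever changes, the unit keeps pointing at a stale path, and because this unit also carries the `dbus-org.freedesktop.secrets.service` alias the session would be left without a Secret Service provider. Assuming the module takes `config`, reference the declared secret instead: `"oo7.keyring-encryption-password:${config.age.secrets.oo7-keyring-password.path}"`. It is also worth stating next to the option that, as far as I recall from systemd.exec(5), `LoadCredential=` is fatal when the source cannot be read, so a failed or late agenix decryption surfaces as this unit failing to start, e.g. `# LoadCredential is mandatory: an unreadable source fails the unit at start.`. The `systemd.user.services.oo7-daemon` attrset begins before this hunk.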
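Review bot: `secrets/secrets.nix` is rendered as a binary diff, so the recipient list that decides which host and user keys can decrypt the new `oo7-keyring-password.age` cannot be reviewed from this page, even though that is the most security-relevant part of the commit. If the file is flagged `binary` or `-diff` in .gitattributes, or carries non-UTF-8 bytes, consider lifting that so recipient additions show as text; until then the commit message should say which public keys the new secret was encrypted to.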