diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
index 8fc7797b..149f72d5 100644
--- a/.github/workflows/build_image.yml
+++ b/.github/workflows/build_image.yml
@@ -6,6 +6,7 @@ on:
 push:
 paths:
 - 'odysseus/Dockerfile'
+ - 'odysseus/docker_scripts/**'
 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
@@ -46,7 +47,7 @@ jobs:
 ODY_TPU_ROOT_PASSWORD: ${{ secrets.ODY_TPU_ROOT_PASSWORD }}
 ODY_IROH_ROOT_PASSWORD: ${{ secrets.ODY_IROH_ROOT_PASSWORD }}
 MASTER_PASSWORD: ${{ secrets.ODY_MASTER_PASSWORD }}
- run: for i in ODY_AP_ROOT_PASSWORD ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> SECRETS.env; done && gpg --batch --symmetric --passphrase "$MASTER_PASSWORD" --cipher-algo AES256 SECRETS.env
+ run: for i in ODY_AP_ROOT_PASSWORD ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> SECRETS.env; done && gpg --batch --symmetric --passphrase "$MASTER_PASSWORD" --no-symkey-cache --cipher-algo AES256 SECRETS.env
 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
 # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
diff --git a/odysseus/Dockerfile b/odysseus/Dockerfile
index 5ed38e7a..b7ea190d 100644
--- a/odysseus/Dockerfile
+++ b/odysseus/Dockerfile
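Review bot: In the second build_image.yml hunk the new `run:` line still hands the master passphrase to gpg as `--passphrase "$MASTER_PASSWORD"`, so it sits in the process argument list for as long as gpg runs; GitHub masks secrets in log output, not in argv. Feeding it on a descriptor keeps it off the command line: `gpg --batch --symmetric --passphrase-fd 0 --no-symkey-cache --cipher-algo AES256 SECRETS.env <<< "$MASTER_PASSWORD"` (some GnuPG 2.x builds also want `--pinentry-mode loopback`). The plaintext `SECRETS.env` is also left next to `SECRETS.env.gpg` once the step finishes, so appending `&& rm -f SECRETS.env` would stop a later step, or a broad `COPY` if the file lies inside the build context (the context path is not visible in this hunk), from picking it up.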
@@ -44,7 +44,4 @@ WORKDIR /home/odysseus/outputs/
 COPY ./docker_scripts /home/odysseus/scripts
 RUN echo "source /home/odysseus/scripts/setup_env.sh" >> ~/.bashrc
-# install password using wildcard so failures arent deadly
-COPY ./SECRETS.env.* /home/odysseus/
-
 ENTRYPOINT "/bin/bash"
diff --git a/odysseus/docker_scripts/load-secrets.sh b/odysseus/docker_scripts/load-secrets.sh
index cd93ca3c..8a8956b1 100755
--- a/odysseus/docker_scripts/load-secrets.sh
+++ b/odysseus/docker_scripts/load-secrets.sh
@@ -1,3 +1,4 @@
 #!/bin/bash
-eval "$(gpg -d --cipher-algo AES256 /home/odysseus/PASSWORDS.env.gpg)"
+# must be sourced for this to work
+eval "$(gpg -d --no-symkey-cache --cipher-algo AES256 /home/odysseus/SECRETS.env.gpg)"
diff --git a/odysseus/docker_scripts/setup_env.sh b/odysseus/docker_scripts/setup_env.sh
index 57294d88..976613ef 100755
--- a/odysseus/docker_scripts/setup_env.sh
+++ b/odysseus/docker_scripts/setup_env.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 alias make-current="/home/odysseus/scripts/make-current.sh"
-alias load-secrets="/home/odysseus/scripts/load-secrets.sh"
+alias load-secrets="source /home/odysseus/scripts/load-secrets.sh"
 # for each defconfig make output subdirectory
 make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/tpu BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi4_64_tpu_defconfig
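Review bot: In load-secrets.sh the new `eval "$(gpg -d …)"` line runs the decrypted file as shell code, and the workflow writes each entry as a bare `NAME=value` with no quoting, so a password containing a space, `$`, `;` or a backtick is mis-assigned or executed when the file is loaded. Reading the pairs instead of evaluating them avoids that: `while IFS='=' read -r k v; do [[ $k =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] && printf -v "$k" '%s' "$v"; done < <(gpg -d --no-symkey-cache --cipher-algo AES256 /home/odysseus/SECRETS.env.gpg)`. The script keeps its shebang and 100755 mode although it only works when sourced, so a first-line guard such as `(return 0 2>/dev/null) || { echo 'source this file' >&2; exit 1; }` would make a direct run fail loudly instead of silently setting nothing. The Dockerfile hunk in this commit drops `COPY ./SECRETS.env.*`, and nothing visible here places `SECRETS.env.gpg` under /home/odysseus, so it is worth confirming where that file now comes from.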