diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
new file mode 100644
index 00000000..149f72d5
--- /dev/null
+++ b/.github/workflows/build_image.yml
@@ -0,0 +1,60 @@
+#
+name: Create and publish a Docker image
+
+# Configures this workflow to run every time a docker artificat is edited
+on:
+  push:
+    paths:
+        - 'odysseus/Dockerfile'
+        - 'odysseus/docker_scripts/**'
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      # 
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          
+      - name: Encrypt and inject passwords
+        shell: bash
+        working-directory: ./odysseus
+        env:
+            ODY_AP_ROOT_PASSWORD: ${{ secrets.ODY_AP_ROOT_PASSWORD }}
+            ODY_TPU_ROOT_PASSWORD: ${{ secrets.ODY_TPU_ROOT_PASSWORD }}
+            ODY_IROH_ROOT_PASSWORD: ${{ secrets.ODY_IROH_ROOT_PASSWORD }}
+            MASTER_PASSWORD: ${{ secrets.ODY_MASTER_PASSWORD }}
+        run:  for i in ODY_AP_ROOT_PASSWORD  ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> SECRETS.env; done && gpg --batch --symmetric --passphrase "$MASTER_PASSWORD" --no-symkey-cache --cipher-algo AES256 SECRETS.env
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: ./odysseus
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.gitignore b/.gitignore
index 7a05c46b..9fe16b20 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,9 @@
 
 .DS_Store
 odysseus/outputs/**
+
+# for passwords
+odysseus/SECRETS.env
+odysseus/SECRETS.env-example
+# redundant safeguard for all env files named SECRETS.env in case it is renamed wrong
+**/*SECRETS.env*
diff --git a/odysseus/Dockerfile b/odysseus/Dockerfile
index 9d39465b..b1cac4b6 100644
--- a/odysseus/Dockerfile
+++ b/odysseus/Dockerfile
@@ -41,8 +41,12 @@ WORKDIR /home/odysseus/build
 
 RUN  git clone https://gitlab.com/buildroot.org/buildroot.git && cd ./buildroot && git checkout 2024.02
 
+
 WORKDIR /home/odysseus/outputs/
 COPY ./docker_scripts /home/odysseus/scripts
 RUN echo "source /home/odysseus/scripts/setup_env.sh" >> ~/.bashrc
 
+# install password using wildcard so failures arent deadly
+COPY ./SECRETS.env.* /home/odysseus/
+
 ENTRYPOINT "/bin/bash"
diff --git a/odysseus/README.md b/odysseus/README.md
index d1cb51a4..213ceaa8 100644
--- a/odysseus/README.md
+++ b/odysseus/README.md
@@ -32,6 +32,11 @@ Download and install to PATH git and docker.
 git clone https://github.com/Northeastern-Electric-Racing/Siren.git
 git submodule update --init --recursive
 cd ./odysseus
+```
+At this point, copy the file `SECRETS.env-example` to `SECRETS.env`, if you want to use non-default passwords edit this file.
+
+Once that is done, run:
+```
 docker compose run --rm --build odysseus # Future launches can omit `--build` for time savings and space savings, but it should be used if the Dockerfile or docker_out_of_tree.sh files change.  
 ```
 Now you are in the docker container.  To build cd into the defconfig directory (either ap, or tpu), then run the make command alias:
@@ -84,6 +89,15 @@ Notes about docker:
 - Launch time is longer
 - Space is used up by rebuilds, prune often or omit `--build`
 
+### Passwords
+Root passwords are stored via Github secrets and an encrypted file within a ghcr docker image.  Below are the steps to load and decrypt such passwords for use by buildroot.  Requirements are you know the team's master password and are running x86_64.
+
+1. Authenticate with ghcr.  First make a [classic PAT](https://github.com/settings/tokens/new) with the permission `read:packages`.  Make sure to copy the token, then run `sudo docker login ghcr.io -u <GITHUB_USERNAME> -p <PAT>`
+2. cd into odysseus folder and `docker compose pull`
+3. Run `docker compose run odysseus` to enter the docker image.  At this point the image should be identical to a locally built one, but it is less preferable for development purposes.
+4. Run `load-secrets` and enter the master password.  Consult Odysseus lead if you need this info.  Now your passwords are loaded (can be viewed with `env | grep ODY`), and will be set when you make the sdcard.img.  Note this step must be repeated on each `docker compose run odysseus`, and if the passwords change on Github steps 2 and 3 must be rerun as well.
+
+
 
 See below to learn more about developing, and check confluence for most info.  Once in the docker image, all the normal make commands (in an out-of-tree context only) apply.
 
diff --git a/odysseus/compose.yml b/odysseus/compose.yml
index 76dfd2bb..4ccccc50 100644
--- a/odysseus/compose.yml
+++ b/odysseus/compose.yml
@@ -2,9 +2,11 @@ version: "3.8"
 services:
     odysseus:
         build: .
+        image: ghcr.io/northeastern-electric-racing/odysseus:52-root-secrets
         command: /bin/bash
         privileged: true
         tty: true
+        stdin_open: true
         # for fakeroot failure
         ulimits:
           nofile:
@@ -17,7 +19,14 @@ services:
         environment:
             - BR2_DL_DIR=/home/odysseus/shared_data/dl 
             - BR2_CCACHE_DIR=/home/odysseus/shared_data/ccache
+            - ODY_TPU_ROOT_PASSWORD=password
+            - ODY_IROH_ROOT_PASSWORD=password
+            - ODY_AP_ROOT_PASSWORD=password
+
 volumes:
     shared_data:
         labels:
             com.northeastern_electric_racing.description: "Shared output between buildroot runs"
+
+
+            
diff --git a/odysseus/docker_scripts/load-secrets.sh b/odysseus/docker_scripts/load-secrets.sh
new file mode 100755
index 00000000..8a8956b1
--- /dev/null
+++ b/odysseus/docker_scripts/load-secrets.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# must be sourced for this to work
+eval "$(gpg -d --no-symkey-cache --cipher-algo AES256 /home/odysseus/SECRETS.env.gpg)"
diff --git a/odysseus/docker_scripts/setup_env.sh b/odysseus/docker_scripts/setup_env.sh
index d768b088..f56fc71f 100755
--- a/odysseus/docker_scripts/setup_env.sh
+++ b/odysseus/docker_scripts/setup_env.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
                                                                                                                                       
 alias make-current="/home/odysseus/scripts/make-current.sh"
+alias load-secrets="source /home/odysseus/scripts/load-secrets.sh"
 
-# for each defconfig make output subdirectory
+# for each defconfig make output subdirectory 
 make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/tpu BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi4_64_tpu_defconfig
 make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/ap BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi3_64_ap_defconfig
 make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/iroh BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi3_64_iroh_defconfig
diff --git a/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig b/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig
index feace6f2..25b0dbf0 100644
--- a/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig
+++ b/odysseus/odysseus_tree/configs/raspberrypi3_64_ap_defconfig
@@ -6,7 +6,7 @@ BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_ODY_TREE_PATH)/patches"
 BR2_PER_PACKAGE_DIRECTORIES=y
 BR2_TARGET_GENERIC_HOSTNAME="raspberrypi-ap"
 BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
-BR2_TARGET_GENERIC_ROOT_PASSWD="password"
+BR2_TARGET_GENERIC_ROOT_PASSWD="$(ODY_AP_ROOT_PASSWORD)"
 BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_nrc_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_ap"
 BR2_ROOTFS_PRE_BUILD_SCRIPT="$(BR2_EXTERNAL_ODY_TREE_PATH)/pre-make-ap.sh"
 BR2_ROOTFS_POST_BUILD_SCRIPT="board/raspberrypi3-64/post-build.sh"
diff --git a/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig b/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig
index dbaeb232..c71ddba4 100644
--- a/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig
+++ b/odysseus/odysseus_tree/configs/raspberrypi3_64_iroh_defconfig
@@ -6,7 +6,7 @@ BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_ODY_TREE_PATH)/patches"
 BR2_PER_PACKAGE_DIRECTORIES=y
 BR2_TARGET_GENERIC_HOSTNAME="raspberrypi-iroh"
 BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
-BR2_TARGET_GENERIC_ROOT_PASSWD="password"
+BR2_TARGET_GENERIC_ROOT_PASSWD="$(ODY_IROH_ROOT_PASSWORD)"
 BR2_TARGET_TZ_INFO=y
 BR2_TARGET_LOCALTIME="America/New_York"
 BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_iroh"
diff --git a/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig b/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig
index b2b481b5..7d8dddd2 100644
--- a/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig
+++ b/odysseus/odysseus_tree/configs/raspberrypi4_64_tpu_defconfig
@@ -7,7 +7,7 @@ BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_ODY_TREE_PATH)/patches"
 BR2_PER_PACKAGE_DIRECTORIES=y
 BR2_TARGET_GENERIC_HOSTNAME="raspberrypi-sta"
 BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
-BR2_TARGET_GENERIC_ROOT_PASSWD="password"
+BR2_TARGET_GENERIC_ROOT_PASSWD="$(ODY_TPU_ROOT_PASSWORD)"
 BR2_TARGET_TZ_INFO=y
 BR2_TARGET_LOCALTIME="America/New_York"
 BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_nrc_common $(BR2_EXTERNAL_ODY_TREE_PATH)/overlays/rootfs_overlay_tpu"
diff --git a/odysseus/odysseus_tree/sources/Nero-2.0 b/odysseus/odysseus_tree/sources/Nero-2.0
index 9289c311..f93979d2 160000
--- a/odysseus/odysseus_tree/sources/Nero-2.0
+++ b/odysseus/odysseus_tree/sources/Nero-2.0
@@ -1 +1 @@
-Subproject commit 9289c3115f623829cecccb767196398ff0d03523
+Subproject commit f93979d2a255216e12798e5daad1b13485d27f9c