diff --git a/post.sh b/post.sh
index 6d014d11..7e20a46c 100644
--- a/post.sh
+++ b/post.sh
@@ -192,28 +192,29 @@ YES)
 doas cryptboot-efikeys create
 doas cryptboot-efikeys enroll
 doas cryptboot systemd-boot-sign
+ source "/etc/cryptboot.conf"
 doas sh -c "{
- echo "uefi_secureboot_cert=\"/etc/secureboot/keys/db.crt\""
- echo "uefi_secureboot_key=\"/etc/secureboot/keys/db.key\""
+ echo "uefi_secureboot_cert=\""$EFI_KEYS_DIR"/keys/db.crt\""
+ echo "uefi_secureboot_key=\""$EFI_KEYS_DIR"/keys/db.key\""
 } >/etc/dracut.conf.d/secureboot.conf"
 ;;
 *)
 {
 echo '#!/bin/bash'
 echo ''
- echo 'EFI_KEYS_DIR="/etc/secureboot/keys"'
 echo 'source "/etc/cryptboot.conf"'
 echo 'read -rp "Have you transferred your keys to $EFI_KEYS_DIR? (Type '"'"'yes'"'"' in capital letters): " choice'
 echo 'case "$choice" in'
 echo 'YES)'
+ echo 'chmod 000 "$EFI_KEYS_DIR"/*'
 echo ' if mountpoint -q /efi; then'
 echo ' doas umount -AR /efi'
 echo ' fi'
 echo ' doas mount /efi'
 echo ' doas cryptboot systemd-boot-sign'
 echo ' doas sh -c "{'
- echo ' echo "uefi_secureboot_cert=\"/etc/secureboot/keys/db.crt\""'
- echo ' echo "uefi_secureboot_key=\"/etc/secureboot/keys/db.key\""'
+ echo ' echo "uefi_secureboot_cert=\""$EFI_KEYS_DIR"/db.crt\""'
+ echo ' echo "uefi_secureboot_key=\""$EFI_KEYS_DIR"/db.key\""'
 echo ' } >/etc/dracut.conf.d/secureboot.conf"'
 echo ' ;;'
 echo '*)'
@@ -222,10 +223,10 @@ YES)
 echo ' ;;'
 echo 'esac'
 } >~/secureboot.sh
+ mkdir -p "$EFI_KEYS_DIR"
+ chmod 700 "$EFI_KEYS_DIR"
 chmod 700 ~/secureboot.sh
 echo "WARNING: User aborted enrolling secureboot keys"
- EFI_KEYS_DIR="/etc/secureboot/keys"
- source "/etc/cryptboot.conf"
 echo " Deploy your own keys in $EFI_KEYS_DIR and run ~/secureboot.sh to sign your bootloader"
 ;;
 esac
diff --git a/prepare.sh b/prepare.sh
index 35df775b..a442245b 100644
--- a/prepare.sh
+++ b/prepare.sh
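Review bot: The generated script's new `echo 'chmod 000 "$EFI_KEYS_DIR"/*'` line has no guard against an empty EFI_KEYS_DIR: the fallback `echo 'EFI_KEYS_DIR="/etc/secureboot/keys"'` that preceded the `source` line is removed in this hunk, so the value now comes only from /etc/cryptboot.conf, and if that file does not set it the generated bash script (no `set -u` visible in its header) expands the command to `chmod 000 /*`. Write it as `echo 'chmod 000 "${EFI_KEYS_DIR:?}"/*'` so a missing value aborts instead. The two dracut paths also disagree: the YES branch now writes `"$EFI_KEYS_DIR"/keys/db.crt` while the generated script writes `"$EFI_KEYS_DIR"/db.crt`; both replaced the same literal /etc/secureboot/keys/db.crt and the removed default names /etc/secureboot/keys, so the YES branch appears to double the keys component and should read `echo "uefi_secureboot_cert=\""$EFI_KEYS_DIR"/db.crt\""` (likewise for db.key). The enclosing `case` starts before this hunk and ends in the next one.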
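Review bot: `mkdir -p "$EFI_KEYS_DIR"` and `chmod 700 "$EFI_KEYS_DIR"` are added to the `*)` branch while the same hunk removes this branch's `source "/etc/cryptboot.conf"` (the previous hunk re-adds it only inside the YES branch), so unless the config is sourced earlier in the file, outside this hunk, the variable is empty here, both commands fail on `''`, and the final message prints an empty path. Restore `source "/etc/cryptboot.conf"` before the `mkdir -p`, or hoist it above the `case`, and add `: "${EFI_KEYS_DIR:?}"` before the first use. Every other privileged step in this file is prefixed with `doas`, so creating a directory under /etc without it will presumably fail when post.sh runs as the unprivileged user, and if it succeeds the key directory is owned by that user rather than root. The `case` statement starts outside the hunk.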
@@ -176,22 +176,22 @@ OPTIONS1="nodev,noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvol=/@
 OPTIONS2="nodev,nosuid,noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvol=/@"
 OPTIONS3="noexec,nodev,nosuid,noatime,space_cache=v2,compress=zstd,ssd,discard=async,subvol=/@"
 mount_subs0() {
- mkdir "/mnt$1"
+ mkdir -p "/mnt$1"
 mount -o "$3$2" "$4" "/mnt$1"
- mkdir "/mnt$1.snapshots"
+ mkdir -p "/mnt$1.snapshots"
 mount -o "$OPTIONS3${2}_snapshots" "$4" "/mnt${SUBVOLUMES[$i]}.snapshots"
 mount_subs1 "$1" "$3" "$4"
 }
 mount_subs1() {
 for ((a = 0; a < SUBVOLUMES_LENGTH; a++)); do
 if [[ "${SUBVOLUMES[$a]}" != "$1" ]] && grep -nq "^$1" <<<"${SUBVOLUMES[$a]}"; then
- mkdir "/mnt${SUBVOLUMES[$a]}"
+ mkdir -p "/mnt${SUBVOLUMES[$a]}"
 if grep -nq "^${1}lib/" <<<"${SUBVOLUMES[$a]}"; then
 mount -o "$OPTIONS3${CONFIGS[$a]}" "$3" "/mnt${SUBVOLUMES[$a]}"
 else
 mount -o "$2${CONFIGS[$a]}" "$3" "/mnt${SUBVOLUMES[$a]}"
 fi
- mkdir "/mnt${SUBVOLUMES[$a]}.snapshots"
+ mkdir -p "/mnt${SUBVOLUMES[$a]}.snapshots"
 mount -o "$OPTIONS3${CONFIGS[$a]}_snapshots" "$3" "/mnt${SUBVOLUMES[$a]}.snapshots"
 fi
 done
@@ -200,7 +200,7 @@ for ((i = 0; i < SUBVOLUMES_LENGTH; i++)); do
 case "${SUBVOLUMES[$i]}" in
 "/")
 mount -o "$OPTIONS0" /dev/mapper/vg0-lv0 "/mnt${SUBVOLUMES[$i]}"
- mkdir "/mnt${SUBVOLUMES[$i]}.snapshots"
+ mkdir -p "/mnt${SUBVOLUMES[$i]}.snapshots"
 mount -o "${OPTIONS3}snapshots" /dev/mapper/vg0-lv0 "/mnt${SUBVOLUMES[$i]}.snapshots"
 ;;
 "/usr/")
@@ -216,12 +216,12 @@ for ((i = 0; i < SUBVOLUMES_LENGTH; i++)); do
 done
 chmod 775 /mnt/var/games
 ## /efi
-mkdir /mnt/efi
+mkdir -p /mnt/efi
 mount -o noexec,nodev,nosuid "$DISK1P1" /mnt/efi
-mkdir /mnt/.efi.bak
+mkdir -p /mnt/.efi.bak
 mount -o noexec,nodev,nosuid "$DISK2P1" /mnt/.efi.bak
 ## /boot
-mkdir /mnt/boot
+mkdir -p /mnt/boot
 # Set SSD state to "frozen" after sleep
 for link in /dev/disk/by-id/*; do
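Review bot: In mount_subs0 the snapshot directory is created as `"/mnt$1.snapshots"` but the mount on the very next line targets `"/mnt${SUBVOLUMES[$i]}.snapshots"`, relying on the caller's loop index `$i` instead of the function's own argument; the two only coincide when the caller passes `${SUBVOLUMES[$i]}` as `$1`, so the mount should use `"/mnt$1.snapshots"` like the mkdir above it. Switching `mkdir` to `mkdir -p` here, and in the hunks at 200, 216 and the later 293, also means an already-existing mount point no longer stops the script, so a re-run on a partially prepared /mnt now mounts on top of whatever is already there; if that is intended it deserves a comment, otherwise a `mountpoint -q` check before each mount keeps the old failure mode. The `for` loop enclosing the 200 and 216 hunks starts outside them.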
@@ -293,6 +293,6 @@ sed -i "/$STRING0/s/$STRING1/$STRING1,noauto/" "$FILE"
 ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
 # Prepare /mnt/git/arch-install
-mkdir /mnt/git
+mkdir -p /mnt/git
 mv "$SCRIPT_DIR" /mnt/git/
 chmod +x /mnt/git/arch-install/setup.sh
diff --git a/setup.sh b/setup.sh
index a0b1e9e5..ae5710c0 100644
--- a/setup.sh
+++ b/setup.sh
@@ -173,6 +173,9 @@ MD0UUID="$(blkid -s UUID -o value /dev/md/md0)"
 {
 echo "md0_crypt UUID=$MD0UUID none luks,key-slot=0"
 } >/etc/crypttab
+## Create /etc/encryption/keys directory
+mkdir -p /etc/encryption/keys
+chown 700 /etc/encryption/keys
 ## Configure /etc/localtime /etc/vconsole.conf /etc/hostname /etc/hosts
 ln -sf /usr/share/zoneinfo/"$TIMEZONE" /etc/localtime
 hwclock --systohc
diff --git a/sysuser.sh b/sysuser.sh
index 0ef0774a..b741ee4b 100644
--- a/sysuser.sh
+++ b/sysuser.sh
@@ -21,5 +21,8 @@ cp "$SCRIPT_DIR/post.sh" ~/
 cp "$SCRIPT_DIR/install.conf" ~/
 chmod +x ~/post.sh
+# Create backups directory
+mkdir -p ~/backups
+
 # Remove repo
 rm -rf ~/git
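Review bot: With `mkdir -p /mnt/git` no longer failing when the directory exists, the following `mv "$SCRIPT_DIR" /mnt/git/` will, on a re-run where /mnt/git/arch-install is already present, move the checkout inside it as /mnt/git/arch-install/arch-install, and the `chmod +x /mnt/git/arch-install/setup.sh` then acts on the stale copy. `mv -T "$SCRIPT_DIR" /mnt/git/arch-install` makes the destination explicit and errors instead of nesting (this presumes `$SCRIPT_DIR` is the arch-install checkout, as the chmod line suggests).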
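Review bot: `chown 700 /etc/encryption/keys` sets the owner to UID 700, not the mode; the comment and the 700 argument indicate `chmod 700 /etc/encryption/keys` was meant, and as written the key directory keeps the umask-default mode (typically world-readable) with an owner that likely maps to no account. `install -d -m 700 /etc/encryption/keys` creates the directory with the intended mode in one step and can replace both new lines.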