diff --git a/auth/auth-module.nix b/auth/auth-module.nix
index f75334e..4d6c4cd 100644
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -14,9 +14,14 @@ let
     in
     pkgs.writeShellScript
       "${oauthClientID}-kanidm-ExecStartPre-script.sh" ''
-      [ -f "${secretFP}" ] || \
-        "${lib.getExe pkgs.openssl}" rand -base64 -out "${secretFP}" 32 && \
+      set -o pipefail
+      set -o errexit
+      if ! [ -f "${secretFP}" ]
+      then
+        "${lib.getExe pkgs.openssl}" rand -base64 32 \
+        | tr "\n:@/+=" "012345" > "${secretFP}"
         chmod 640 "${secretFP}"
+      fi
     '';
   mkKanidmExecStartPostScript = oauthClientID: linuxGroup:
     let