diff --git a/main.go b/main.go
index d3559c0..ef08d2e 100644
--- a/main.go
+++ b/main.go
@@ -18,7 +18,9 @@ import (
 "vctp/server"
 "vctp/server/router"
+ "crypto/sha256"
 "github.com/go-co-op/gocron/v2"
+ "log/slog"
 )
 var (
@@ -29,9 +31,10 @@ var (
 cronInvFrequency time.Duration
 cronSnapshotFrequency time.Duration
 cronAggregateFrequency time.Duration
- encryptionKey = []byte("5L1l3B5KvwOCzUHMAlCgsgUTRAYMfSpa")
 )
+const fallbackEncryptionKey = "5L1l3B5KvwOCzUHMAlCgsgUTRAYMfSpa"
+
 func main() {
 settingsPath := flag.String("settings", "/etc/dtms/vctp.yml", "Path to settings YAML")
 flag.Parse()
@@ -119,7 +122,8 @@ func main() {
 }
 // Load vcenter credentials from serttings, decrypt if required
- a := secrets.New(logger, encryptionKey)
+ encKey := deriveEncryptionKey(logger)
+ a := secrets.New(logger, encKey)
 vcEp := strings.TrimSpace(s.Values.Settings.VcenterPassword)
 if len(vcEp) == 0 {
 logger.Error("No vcenter password configured")
@@ -231,6 +235,7 @@ func main() {
 gocron.NewTask(func() {
 ct.RunSnapshotCleanup(ctx, logger)
 if strings.EqualFold(s.Values.Settings.DatabaseDriver, "sqlite") {
+ logger.Info("Performing sqlite VACUUM after snapshot cleanup")
 if _, err := ct.Database.DB().ExecContext(ctx, "VACUUM"); err != nil {
 logger.Warn("VACUUM failed after snapshot cleanup", "error", err)
 } else {
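Review bot: The two new standard-library imports are placed inside the group that holds the project and third-party paths (`"vctp/server/router"`, `"github.com/go-co-op/gocron/v2"`) instead of the stdlib group, which is a style point: goimports-style grouping puts `"crypto/sha256"` and `"log/slog"` with the other stdlib imports, blank-line separated from the rest. The import block begins before this hunk, so the stdlib group itself is not visible here. The new deriveEncryptionKey in the last hunk also uses `runtime` and `os`, which this hunk does not add; presumably they are already imported above.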
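Review bot: Renaming the hard-coded key to fallbackEncryptionKey keeps a fixed, publicly visible 32-byte value in the source as a live key: anything secrets.New encrypts under it is recoverable by anyone holding the binary or the repository, so the fallback branch of deriveEncryptionKey (last hunk) gives obfuscation rather than confidentiality, and that branch is taken on every non-Linux host and whenever neither identifier file is readable. Consider treating the absence of a derivable key as a configuration error, or taking the key from the settings file or environment rather than a compiled-in constant. At minimum the constant needs a doc comment stating its status, e.g. `// fallbackEncryptionKey is a non-secret, compiled-in value used only when no host-specific key can be derived; ciphertext produced under it provides no confidentiality.`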
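Review bot: Switching this call from encryptionKey to the derived key changes the key used on every Linux host where product_uuid or machine-id is readable, so a vCenter password that was encrypted under the old constant in an existing settings file will no longer decrypt after upgrade, unless secrets.New or its decrypt path tries more than one key, which is not visible here. An upgrade path is needed: either fall back to fallbackEncryptionKey when decryption under the derived key fails (and re-encrypt with the new key), or document that the stored password must be re-encrypted with this release. main continues outside the hunk.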
@@ -290,3 +295,26 @@ func durationFromSeconds(value int, fallback int) time.Duration {
 }
 return time.Second * time.Duration(value)
 }
+
+func deriveEncryptionKey(logger *slog.Logger) []byte {
+ if runtime.GOOS == "linux" {
+ if data, err := os.ReadFile("/sys/class/dmi/id/product_uuid"); err == nil {
+ src := strings.TrimSpace(string(data))
+ if src != "" {
+ sum := sha256.Sum256([]byte(src))
+ logger.Debug("derived encryption key from BIOS UUID")
+ return sum[:]
+ }
+ }
+ if data, err := os.ReadFile("/etc/machine-id"); err == nil {
+ src := strings.TrimSpace(string(data))
+ if src != "" {
+ sum := sha256.Sum256([]byte(src))
+ logger.Debug("derived encryption key from machine-id")
+ return sum[:]
+ }
+ }
+ }
+ logger.Warn("using fallback encryption key; hardware UUID not available")
+ return []byte(fallbackEncryptionKey)
+}
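Review bot: The key deriveEncryptionKey returns depends on the caller's privileges: /sys/class/dmi/id/product_uuid is typically readable only by root while /etc/machine-id is world-readable, so the same host yields one key under the service account and a different one for an administrator running the tool unprivileged, and decryption then fails with only a Debug-level line saying which source was used. Neither identifier is a secret (machine-id is readable by every local account and the DMI UUID is exposed to the hypervisor and to any root user), and the unsalted `sha256.Sum256([]byte(src))` has no domain separation, so any other program hashing the same identifier derives the identical key. Worth doing: log the chosen source at Info, add a fixed context prefix such as `sha256.Sum256([]byte("vctp-secrets-v1:" + src))`, and make the Warn message cover the non-Linux case it also handles rather than only "hardware UUID not available". A doc comment on the function should state the threat model (protection against casual reading of the settings file, not against a local attacker) and that new hardware, a cloned VM or a regenerated machine-id changes the key and makes existing ciphertext undecryptable.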