diff --git a/ansible/roles/k3s/tasks/get_k3s.yml b/ansible/roles/k3s/tasks/get_k3s.yml
index 7314d72..ae8756a 100644
--- a/ansible/roles/k3s/tasks/get_k3s.yml
+++ b/ansible/roles/k3s/tasks/get_k3s.yml
@@ -56,4 +56,17 @@
     fstype: ext4
     state: mounted
   when: kube_storage
+
+- name: ensure cryptsetup is installed
+  apt:
+    name: cryptsetup
+    state: present
+  when: kube_storage
+
+- name: ensure dm_crypt is loaded
+  modprobe:
+    name: dm_crypt
+    state: present
+    persistent: present
+  when: kube_storage
 ...
diff --git a/ansible/roles/minio/templates/minio.j2 b/ansible/roles/minio/templates/minio.j2
index ff94f1b..c7726f3 100644
--- a/ansible/roles/minio/templates/minio.j2
+++ b/ansible/roles/minio/templates/minio.j2
@@ -1,5 +1,5 @@
-MINIO_ROOT_USER={{ lookup('hashi_vault', 'secret=kv/data/minio:admin_username') }}
-MINIO_ROOT_PASSWORD={{ lookup('hashi_vault', 'secret=kv/data/minio:admin_password') }}
+MINIO_ROOT_USER={{ lookup('hashi_vault', 'secret=kv/data/minio:admin_username cacert=/etc/pki/certs/MaskedName_Root_CA.pem') }}
+MINIO_ROOT_PASSWORD={{ lookup('hashi_vault', 'secret=kv/data/minio:admin_password cacert=/etc/pki/certs/MaskedName_Root_CA.pem') }}
 MINIO_VOLUMES="{{ minio_volume }}"
 MINIO_SERVER_URL="http://ivyking.minhas.io:9000"
 MINIO_DOMAIN=ivyking.minhas.io