diff --git a/nix/configuration/roles/boot/default.nix b/nix/configuration/roles/boot/default.nix
index 3ccb635..acef3a1 100644
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -75,11 +75,15 @@
       boot.lanzaboote = {
         enable = true;
         pkiBundle = "/etc/secureboot";
+        # TODO:
+        #     pkiBundle = "/var/lib/sbctl";
       };
       environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
         hideMounts = true;
         directories = [
-          "/etc/secureboot" # Secure Boot Keys
+          "/etc/secureboot" # Old Secure Boot Keys location
+          # TODO: run `doas sbctl setup --migrate` to move keys
+          "/var/lib/sbctl" # Secure Boot Keys
         ];
       };
     })