diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 316f173..5dfe5b7 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -183,6 +183,7 @@ jobs:
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -196,6 +197,7 @@ jobs:
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
+ echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -205,16 +207,19 @@ jobs:
chmod 0700 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ chmod 0400 /dev/shm/cdlb_secrets/*
./ciss_live_builder.sh \
--architecture amd64 \
--autobuild=6.17.8+deb13-amd64 \
--build-directory /opt/cdlb \
--cdi \
+ --change-splash hexagon \
--control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--key_age=keys.txt \
--key_luks=luks.txt \
--root-password-file /dev/shm/cdlb_secrets/password.txt \
+ --signing_ca=signing_ca.asc \
--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
--signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \
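Review bot: The `chmod 0400 /dev/shm/cdlb_secrets/*` added before the builder invocation dereferences symlinks, so a symlink planted in the secrets directory would have its target's mode changed instead of the step failing, and the glob is passed without `--`. Since the README text in this same commit describes any symlink inside the secret path as a hard failure and the files as `0400 root:root`, it would be safer to enforce that in the step itself, before any mode change: `[ -z "$(find /dev/shm/cdlb_secrets -mindepth 1 -type l)" ] || { echo 'symlink in secrets dir' >&2; exit 1; }` followed by `chmod 0400 -- /dev/shm/cdlb_secrets/*`. Presumably the builder script repeats this check internally, but that is not visible from the hunk, and the chmod does not set ownership, so the `root:root` claim depends on the uid the runner job executes as. Separately, the new `--signing_ca=signing_ca.asc` correctly follows the file-based pattern, whereas the adjacent `--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }}` and `--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}` still place secret values on the command line, which the README hunk states never happens; the same template expansion into the run script also applies to the `echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"` line added in the earlier hunk, where passing the secret through `env:` and writing it with `printf '%s\n' "$PGP_CISS_CA_PUBLIC_KEY"` would avoid shell injection should a value ever contain a quote or `$(`.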
diff --git a/README.md b/README.md
index a7f4441..fec527f 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ include_toc: true
**Build**: V8.13.536.2025.12.04
**CISS.debian.live.builder — First of its own.**
-**World-class CIA designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed
to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -58,6 +58,15 @@ validation is enforced in a fail-closed manner: zones with invalid or broken sig
silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
and spoofing surfaces.
+Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
+(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
+line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/)
* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)