diff --git a/scripts/deploy-to-target.sh b/scripts/deploy-to-target.sh
index 23faed9b..5bfebb12 100755
--- a/scripts/deploy-to-target.sh
+++ b/scripts/deploy-to-target.sh
@@ -681,6 +681,9 @@ PYEOF
       sudo mkdir -p /var/lib/archipelago/identities
       sudo mkdir -p /var/lib/archipelago/tor-config
       sudo chown -R archipelago:archipelago /var/lib/archipelago/dwn /var/lib/archipelago/content /var/lib/archipelago/federation /var/lib/archipelago/identities /var/lib/archipelago/tor-config 2>/dev/null || true
+      # Fix secrets directory ownership (must be readable by archipelago user, not root)
+      sudo chown -R archipelago:archipelago /var/lib/archipelago/secrets 2>/dev/null || true
+      sudo chmod 700 /var/lib/archipelago/secrets 2>/dev/null || true
       # Fix any root-owned config files in data dir (dead man's switch, sessions, etc.)
       sudo find /var/lib/archipelago -maxdepth 1 -name '*.json' -user root -exec chown archipelago:archipelago {} \; 2>/dev/null || true
       echo "   Data directories OK"