diff --git a/.drone.yml b/.drone.yml
index 4d9eadb..5b6a5d1 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -19,6 +19,9 @@ steps:
     INFECT_COMMIT_SHA: ${DRONE_COMMIT_SHA}
 
   commands:
+  - set -o nounset
+  - > # TODO pass Base64 encoded password from Drone instead of this
+    ENCODED_PASSWORD="$(base64 <<<"$USER_PASS")"
   # Create infect user script and then push it to a remote machine on server creation.
   - |
     cat << EOF > infect.sh
@@ -34,6 +37,7 @@ steps:
     DNS_PROVIDER_TOKEN=$CLOUDFLARE_TOKEN
     DNS_PROVIDER_TYPE=CLOUDFLARE
     DOMAIN=$DOMAIN
+    ENCODED_PASSWORD="$ENCODED_PASSWORD"
     HOSTNAME=selfprivacy-ci-test
     LUSER=cicdcicd
     NIXOS_CONFIG_ID=default
@@ -41,7 +45,6 @@ steps:
     PROVIDER=hetzner
     SSH_AUTHORIZED_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBb3yVhYF4slhf1iQCiGLOVcbGKP/MmkQiEMl2un+4K"
     STAGING_ACME=true
-    USER_PASS="$USER_PASS"
 
     curl --fail https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/commit/$INFECT_COMMIT_SHA/nixos-infect \
     | bash 2>&1 | tee /root/nixos-infect.log
diff --git a/nixos-infect b/nixos-infect
index 3d24392..b04f95a 100755
--- a/nixos-infect
+++ b/nixos-infect
@@ -13,7 +13,7 @@
 : "${STAGING_ACME:?STAGING_ACME variable is not set}"
 : "${DNS_PROVIDER_TOKEN:?DNS_PROVIDER_TOKEN variable is not set}"
 : "${DB_PASSWORD:?DB_PASSWORD variable is not set}"
-: "${USER_PASS:?USER_PASS variable is not set}"
+: "${ENCODED_PASSWORD:?ENCODED_PASSWORD variable is not set}"
 : "${NIX_VERSION:?NIX_VERSION variable is not set}"
 : "${NIXOS_CONFIG_ID:?NIXOS_CONFIG_ID variable is not set}"
 : "${CONFIG_URL:?CONFIG_URL variable is not set}"
@@ -293,6 +293,12 @@ findESP() {
 }
 
 prepareEnv() {
+  if ! USER_PASS="$(base64 -d <<<"$ENCODED_PASSWORD")"; then
+      echo "Error decoding ENCODED_PASSWORD from Base64!"
+      exit 1
+  fi
+  readonly USER_PASS
+
   isEFI=0
   [ -d /sys/firmware/efi ] && isEFI=1