diff --git a/modules/nixos/bin-bash-wrapper.nix b/modules/nixos/bin-bash-wrapper.nix
index cc0716f..3068129 100644
--- a/modules/nixos/bin-bash-wrapper.nix
+++ b/modules/nixos/bin-bash-wrapper.nix
@@ -9,6 +9,9 @@ let
   bashWrapper = pkgs.writeShellScriptBin "bash" ''
     exec /usr/bin/env bash "$@"
   '';
+  cryptrootUnlockWrapper = pkgs.writeShellScriptBin "cryptroot-unlock" ''
+    exec /run/current-system/sw/bin/systemd-tty-ask-password-agent --query --watch "$@"
+  '';
 in
 {
   options.my.binBashWrapper.enable = lib.mkEnableOption "create a /bin/bash wrapper";
@@ -16,6 +19,7 @@ in
   config = lib.mkIf cfg.enable {
     systemd.tmpfiles.rules = [
       "L+ /bin/bash - - - - ${bashWrapper}/bin/bash"
+      "L+ /bin/cryptroot-unlock - - - - ${cryptrootUnlockWrapper}/bin/cryptroot-unlock"
     ];
   };
 }