diff --git a/init.sh b/init.sh
index b6f2ec4..818e6d3 100755
--- a/init.sh
+++ b/init.sh
@@ -64,12 +64,13 @@ test_repo_exists() {
 }
 invoke_borg() {
 	# do some sandboxinng
-	systemd-run --quiet --pipe --collect --unit=temp-borg-init-sandbox.service \
+	systemd-run --quiet --collect --unit=temp-borg-init-sandbox.service \
+		--pipe < /etc/borg/$NAME/borg_passphrase \
 		--working-directory=/tmp \
 		-p "ConfigurationDirectory=borg/$NAME" \
 		-p "CacheDirectory=borg/$NAME" \
-		-p "ConfigurationDirectoryMode=550" \
-		-p "CacheDirectoryMode=550" \
+		-p "ConfigurationDirectoryMode=750" \
+		-p "CacheDirectoryMode=750" \
 		-p "PrivateTmp=yes" \
 		-p "ReadOnlyDirectories=/" \
 		-p "EnvironmentFile=/etc/borg/$NAME/config.env" \
@@ -77,7 +78,7 @@ invoke_borg() {
 		--setenv=BORG_BASE_DIR=/tmp/ \
 		--setenv=BORG_CONFIG_DIR=/etc/borg/$NAME \
 		--setenv=BORG_CACHE_DIR=/var/cache/borg/$NAME \
-		/usr/bin/borg $@ < /etc/borg/$NAME/borg_passphrase
+		/usr/bin/borg $@
 }
 init_repo() {
 	echo "> init repo"