diff --git a/machine-confs/generic.nix b/machine-confs/generic.nix index 0ecb2dc..56a4df9 100644 --- a/machine-confs/generic.nix +++ b/machine-confs/generic.nix @@ -9,7 +9,4 @@ #Many installs will need this, and it won't hurt either way services.qemuGuest.enable = true; - - #Prevent user from being locked out of the system before switching to proper config - users.mutableUsers = pkgs.lib.mkForce true; } diff --git a/misc/custom-iso-base.nix b/misc/custom-iso-base.nix index 7887da7..9b7f03c 100644 --- a/misc/custom-iso-base.nix +++ b/misc/custom-iso-base.nix 
@@ -1,28 +1,48 @@ { config, pkgs, ... }: let - partition-and-install = pkgs.writeScriptBin "partition-and-install" '' - read -p "Erasing disk $1 Are you sure? " -n 1 -r + create-partitions = pkgs.writeScriptBin "create-partitions" '' + if [[ $# -ne 3 ]] + then + echo "Usage: create-partitions " + exit + fi + + read -p "Erasing disk $1 -- Creating partition $1$2 as BOOT -- Creating partition $1$3 as root -- Are you sure? " -n 1 -r echo if [[ $REPLY =~ ^[Yy]$ ]] then parted $1 -- mklabel gpt - parted $1 -- mkpart root ext4 512MB 100% parted $1 -- mkpart ESP fat32 1MB 512MB - parted $1 -- set 2 esp on + parted $1 -- set 1 esp on + parted $1 -- mkpart root ext4 512MB 100% + fi - mkfs.ext4 -L nixos $1$2 - mkfs.fat -F 32 -n BOOT $1$3 + read -p "Setup root partition encryption?" -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then + cryptsetup luksFormat $1 + cryptsetup open $1 nixos - mount /dev/disk/by-label/nixos /mnt - mkdir /mnt/boot - mount -o umask=077 /dev/disk/by-label/BOOT /mnt/boot - - fetch-config - - nixos-install + echo "Encrypted device accessible via /dev/mapper/nixos" fi ''; - fetch-config = pkgs.writeScriptBin "fetch-config" '' + make-filesystems = pkgs.writeScriptBin "make-filesystems" '' + if [[ $# -ne 2 ]] + then + echo "Usage: make-filesystems " + exit + fi + + mkfs.fat -F 32 -n BOOT $1 + mkfs.ext4 -L nixos $2 + ''; + prep-install = pkgs.writeScriptBin "prep-install" '' + mkdir /mnt + mount /dev/disk/by-label/nixos /mnt + mkdir /mnt/boot + mount -o umask=077 /dev/disk/by-label/BOOT /mnt/boot + nixos-generate-config --root /mnt mv /mnt/etc/nixos/configuration.nix configuration.nix.old curl https://raw.githubusercontent.com/VSinerva/nixos-conf/main/misc/template-configuration.nix -o /mnt/etc/nixos/configuration.nix 
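Review bot: In create-partitions the encryption branch runs `cryptsetup luksFormat $1` and `cryptsetup open $1 nixos` against the whole disk, while the confirmation prompt above names `$1$3` as the root partition; as written, LUKS formatting would overwrite the GPT label and ESP that the parted calls just created. If the root partition is the intended target, the two lines should read `cryptsetup luksFormat "$1$3"` and `cryptsetup open "$1$3" nixos`. The usage guards in create-partitions and make-filesystems end with a bare `exit`, which returns the status of the preceding echo (0), so `exit 1` would let a caller detect the bad invocation. The positional parameters are unquoted throughout these destructive commands, and quoting them avoids word splitting on an unexpected argument. The prep-install script continues past the end of this hunk.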
@@ -35,13 +55,14 @@ in ]; environment.systemPackages = [ - partition-and-install - fetch-config + pkgs.cryptsetup + create-partitions + make-filesystems + prep-install ]; + isoImage.squashfsCompression = "gzip -Xcompression-level 1"; + #Many installs will need this, and it won't hurt either way services.qemuGuest.enable = true; - - #Prevent user from being locked out of the system before switching to proper config - users.mutableUsers = pkgs.lib.mkForce true; }
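Review bot: The added `isoImage.squashfsCompression = "gzip -Xcompression-level 1";` line carries no comment, unlike the qemuGuest setting directly below it. A short note such as `#Low compression level to shorten ISO build time at the cost of image size` would record why the default was overridden; the motivation is inferred from the value, so adjust the wording if the reason differs. The enclosing attribute set starts outside this hunk.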