diff --git a/pegleg/cli.py b/pegleg/cli.py
index 0aac9f6a..557654e3 100644
--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@@ -545,7 +545,7 @@ def wrap_secret_cli(*, site_name, author, file_name, output_path, schema,
 def genesis_bundle(*, build_dir, validators, site_name):
     passphrase = os.environ.get("PEGLEG_PASSPHRASE")
     salt = os.environ.get("PEGLEG_SALT")
-    encryption_key = passphrase
+    encryption_key = os.environ.get("PROMENADE_ENCRYPTION_KEY")
     if passphrase:
         passphrase = passphrase.encode()
     if salt:
@@ -558,7 +558,8 @@ def genesis_bundle(*, build_dir, validators, site_name):
                          encryption_key,
                          validators,
                          logging.DEBUG == LOG.getEffectiveLevel(),
-                         site_name)
+                         site_name
+                         )
 
 
 @secrets.command(
diff --git a/pegleg/engine/bundle.py b/pegleg/engine/bundle.py
index c498298e..665c1b76 100644
--- a/pegleg/engine/bundle.py
+++ b/pegleg/engine/bundle.py
@@ -78,8 +78,6 @@ def build_genesis(build_path, encryption_key, validators, debug, site_name):
             allow_missing_substitutions=False,
             leave_kubectl=False)
         if c.get_path('EncryptionPolicy:scripts.genesis') and encryption_key:
-            os.environ['PROMENADE_ENCRYPTION_KEY'] = encryption_key
-            os.environ['PEGLEG_PASSPHRASE'] = encryption_key
             Builder(c, validators=validators).build_all(output_dir=build_path)
         else:
             raise GenesisBundleEncryptionException()