diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
index ebf440c4e..4dd0fd722 100644
--- a/lass/3modules/sync-containers.nix
+++ b/lass/3modules/sync-containers.nix
@@ -10,8 +10,6 @@ with import <stockholm/lib>;
     plain = ''
     '';
     ecryptfs = ''
-      # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
-      echo 4 | ${pkgs.ecryptfs}/bin/ecryptfs-manager
       if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
         if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
           ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
diff --git a/lass/5pkgs/ecrypt/default.nix b/lass/5pkgs/ecrypt/default.nix
index 9bb35a8dc..f83f8cfe7 100644
--- a/lass/5pkgs/ecrypt/default.nix
+++ b/lass/5pkgs/ecrypt/default.nix
@@ -3,7 +3,6 @@
 #usage: ecrypt mount /var/crypted /var/unencrypted
 pkgs.writers.writeDashBin "ecrypt" ''
   set -euf
-  set -x
 
   PATH=${lib.makeBinPath (with pkgs; [
     coreutils
@@ -32,6 +31,8 @@ pkgs.writers.writeDashBin "ecrypt" ''
         echo 'destination dir is not empty, aborting'
         exit 1
       else
+        # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+        echo 4 | ecryptfs-manager
         stty -echo
         printf "passphrase: "
         read  passphrase
@@ -59,6 +60,8 @@ pkgs.writers.writeDashBin "ecrypt" ''
       if keyctl list @u | grep -q "$old_sig"; then
         echo 'pw already saved'
       else
+        # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+        echo 4 | ecryptfs-manager
         stty -echo
         printf "passphrase: "
         read  passphrase