diff --git a/hardware-configuration.nix b/hardware-configuration.nix
index c6c6e85..5415437 100644
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -4,8 +4,11 @@ { config, lib, pkgs, modulesPath, ... }:
 {
+ disabledModules = ["system/boot/luksroot.nix"];
+
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
+ ./my-luksroot.nix
 ];
 boot.initrd = {
@@ -23,7 +26,8 @@ gracePeriod = 30;
 keyLength = 64;
 saltLength = 16;
-
+ replaceKey = false;
+
 storage = {
 device = "/dev/disk/by-partlabel/disk-main-ESP";
 fsType = "vfat";
diff --git a/my-luksroot.nix b/my-luksroot.nix
index 874b665..e69c128 100644
--- a/my-luksroot.nix
+++ b/my-luksroot.nix
@@ -275,6 +275,7 @@ let
 local new_challenge
 local new_response
 local new_k_luks
+ local replace_key
 mount -t ${dev.yubikey.storage.fsType} ${dev.yubikey.storage.device} /crypt-storage || \
 die "Failed to mount YubiKey salt storage device"
@@ -283,6 +284,7 @@ let
 iterations="$(cat /crypt-storage${dev.yubikey.storage.path} | sed -n 2p | tr -d '\n')"
 challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
 response="$(ykchalresp -${toString dev.yubikey.slot} -x $challenge 2>/dev/null)"
+ replace_key="${toString dev.yubikey.replaceKey}"
 for try in $(seq 3); do
 ${optionalString dev.yubikey.twoFactor ''
@@ -329,10 +331,12 @@ let
 else
 opened=false
 echo "Authentication failed!"
+ rm -f /crypt-ramfs/passphrase
 fi
 done
 [ "$opened" == false ] && die "Maximum authentication errors reached"
+ if [ "$replace_key" == "true" ]; then
 echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..."
 for i in $(seq ${toString dev.yubikey.saltLength}); do
@@ -374,6 +378,8 @@ let
 fi
 rm -f /crypt-ramfs/new_key
+ fi
+
 umount /crypt-storage
 }
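Review bot: In the `@@ -283` hunk of my-luksroot.nix, `replace_key="${toString dev.yubikey.replaceKey}"` can never equal the string `true`, because Nix's `toString` renders `true` as `1` and `false` as the empty string; the guard `if [ "$replace_key" == "true" ]; then` added in the `@@ -329` hunk is therefore never taken, and the salt/LUKS-key rotation that follows it is silently skipped for every configuration, including the default `replaceKey = true`. Use `replace_key="${lib.boolToString dev.yubikey.replaceKey}"`, or gate the whole block at evaluation time with `${optionalString dev.yubikey.replaceKey ''…''}` the way the module already does for `twoFactor`, so that a disabled rotation is a deliberate choice rather than an accident. The shell function these hunks patch starts before the `@@ -275` hunk and ends after the `@@ -374` hunk, so the closing of the new `fi` should be checked against the full body.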
@@ -825,6 +831,12 @@ in
 description = lib.mdDoc "Time in seconds to wait for the YubiKey.";
 };
+ replaceKey = mkOption {
+ default = true;
+ type = types.bool;
+ description = lib.mdDoc "Whether to replace the salt and luks key after a YubiKey was used. => Only one YubiKey can be used";
+ };
+
 /* TODO: Add to the documentation of the current module: Options related to the storing the salt.
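Review bot: The description of the new `replaceKey` option states only the multi-key benefit and omits the security consequence of turning it off, which is what an administrator setting `replaceKey = false` needs to weigh. Judging from the `@@ -329` hunk, which gathers a fresh salt and writes a new key after a successful unlock, disabling rotation presumably leaves the salt file on the unencrypted storage partition and the derived LUKS key fixed across boots, so a previously captured YubiKey response would stay usable until the key is rotated by hand. Suggested wording: `Whether to replace the salt and LUKS key after each successful unlock. Disabling this allows several YubiKeys to be enrolled, but the challenge and key then stay static, so a captured response remains valid until the key is rotated manually.` It is also worth stating that the default of `true` keeps the module's previous behaviour.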