diff --git a/server/lib/getEnvOrYaml.ts b/server/lib/getEnvOrYaml.ts
new file mode 100644
index 00000000..62081cef
--- /dev/null
+++ b/server/lib/getEnvOrYaml.ts
@@ -0,0 +1,3 @@
+export const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
+ return process.env[envVar] ?? valFromYaml;
+};
diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index 90ebdc89..362210ae 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -3,13 +3,10 @@ import yaml from "js-yaml";
 import { configFilePath1, configFilePath2 } from "./consts";
 import { z } from "zod";
 import stoi from "./stoi";
+import { getEnvOrYaml } from "./getEnvOrYaml";
 
 const portSchema = z.number().positive().gt(0).lte(65535);
 
-const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
- return process.env[envVar] ?? valFromYaml;
-};
-
 export const configSchema = z
 .object({
 app: z
@@ -311,7 +308,10 @@ export const configSchema = z
 .object({
 smtp_host: z.string().optional(),
 smtp_port: portSchema.optional(),
- smtp_user: z.string().optional(),
+ smtp_user: z
+ .string()
+ .optional()
+ .transform(getEnvOrYaml("EMAIL_SMTP_USER")),
 smtp_pass: z
 .string()
 .optional()
diff --git a/server/private/lib/certificates.ts b/server/private/lib/certificates.ts
index 06571cac..bc1dffcd 100644
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -19,7 +19,6 @@ import * as fs from "fs";
 import logger from "@server/logger";
 import cache from "@server/lib/cache";
 
-let encryptionKeyPath = "";
 let encryptionKeyHex = "";
 let encryptionKey: Buffer;
 function loadEncryptData() {
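Review bot: `process.env[envVar] ?? valFromYaml` in the new server/lib/getEnvOrYaml.ts treats an environment variable that is set but empty as a real value, because `??` only falls through on `null`/`undefined`; an empty `EMAIL_SMTP_USER`, or an empty secret wired through this helper elsewhere in the commit, would silently replace the YAML value with `""`. If that is not intended, compare explicitly: `const fromEnv = process.env[envVar]; return fromEnv !== undefined && fromEnv !== "" ? fromEnv : valFromYaml;`. The `any` parameter also erases the type of every field that uses `.transform(getEnvOrYaml(...))`, so a generic signature such as `<T>(valFromYaml: T): T | string` would keep "may be undefined" visible to callers. A one-line doc comment stating that the environment takes precedence over the file would help operators who set both.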
@@ -27,15 +26,7 @@ function loadEncryptData() {
 return; // already loaded
 }
 
- encryptionKeyPath = config.getRawPrivateConfig().server.encryption_key_path;
-
- if (!fs.existsSync(encryptionKeyPath)) {
- throw new Error(
- "Encryption key file not found. Please generate one first."
- );
- }
-
- encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim();
+ encryptionKeyHex = config.getRawPrivateConfig().server.encryption_key;
 encryptionKey = Buffer.from(encryptionKeyHex, "hex");
 }
 
diff --git a/server/private/lib/readConfigFile.ts b/server/private/lib/readConfigFile.ts
index 374dee7c..3fa7f060 100644
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -17,6 +17,7 @@ import { privateConfigFilePath1 } from "@server/lib/consts";
 import { z } from "zod";
 import { colorsSchema } from "@server/lib/colorsSchema";
 import { build } from "@server/build";
+import { getEnvOrYaml } from "@server/lib/getEnvOrYaml";
 
 const portSchema = z.number().positive().gt(0).lte(65535);
 
@@ -32,19 +33,25 @@ export const privateConfigSchema = z.object({
 }),
 server: z
 .object({
- encryption_key_path: z
+ encryption_key: z
 .string()
 .optional()
- .default("./config/encryption.pem")
- .pipe(z.string().min(8)),
- resend_api_key: z.string().optional(),
- reo_client_id: z.string().optional(),
- fossorial_api_key: z.string().optional()
+ .transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY")),
+ resend_api_key: z
+ .string()
+ .optional()
+ .transform(getEnvOrYaml("RESEND_API_KEY")),
+ reo_client_id: z
+ .string()
+ .optional()
+ .transform(getEnvOrYaml("REO_CLIENT_ID")),
+ fossorial_api_key: z
+ .string()
+ .optional()
+ .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
 })
 .optional()
- .default({
- encryption_key_path: "./config/encryption.pem"
- }),
+ .prefault({}),
 redis: z
 .object({
 host: z.string(),
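Review bot: In loadEncryptData in server/private/lib/certificates.ts, and identically in the last hunk of server/private/routers/hybrid.ts, the key now goes from config straight into `Buffer.from(encryptionKeyHex, "hex")` with no check, while this commit's schema makes `encryption_key` optional with no default. An unset key reaches `Buffer.from` as `undefined` and fails with a generic TypeError instead of the removed "Encryption key file not found" message. A value that is not clean hex is decoded only up to the first invalid character, giving a shorter or empty key with no error. A guard before the decode would fail closed: `if (!encryptionKeyHex || !/^(?:[0-9a-fA-F]{2})+$/.test(encryptionKeyHex)) throw new Error("server.encryption_key / SERVER_ENCRYPTION_KEY must be a hex string");`, ideally with a check on the byte length the cipher expects, which is not visible here. The function's opening lines are outside this hunk.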
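Review bot: Replacing `encryption_key_path` with `encryption_key` in the `server` object of server/private/lib/readConfigFile.ts drops both the old default and the `.pipe(z.string().min(8))` check, and nothing validates the new value: `.transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY"))` runs after `z.string().optional()`, so a value taken from the environment is never seen by the schema. Config files that still set `encryption_key_path` will presumably parse cleanly (zod objects drop unknown keys unless made strict) and leave the key undefined, so the upgrade path deserves an explicit error or a migration note. Piping the merged value through a validator, for example `.pipe(z.string().regex(/^(?:[0-9a-fA-F]{2})+$/).optional())` after the transform, would cover both sources. The key material now sits inline in the config file or the process environment rather than in a separate file, so a comment on expected file permissions and secret handling would be useful next to the field.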
@@ -157,8 +164,11 @@ export const privateConfigSchema = z.object({
 .optional(),
 stripe: z
 .object({
- secret_key: z.string(),
- webhook_secret: z.string(),
+ secret_key: z.string().optional().transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
+ webhook_secret: z
+ .string()
+ .optional()
+ .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
 s3Bucket: z.string(),
 s3Region: z.string().default("us-east-1"),
 localFilePath: z.string()
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index a398dfe6..0e5d1ec2 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -186,7 +186,7 @@ export type ResourceWithAuth = {
 password: ResourcePassword | null;
 headerAuth: ResourceHeaderAuth | null;
 headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
- org: Org
+ org: Org;
 };
 
 export type UserSessionWithUser = {
@@ -270,7 +270,6 @@ hybridRouter.get(
 }
 );
 
-let encryptionKeyPath = "";
 let encryptionKeyHex = "";
 let encryptionKey: Buffer;
 function loadEncryptData() {
@@ -278,16 +277,8 @@ function loadEncryptData() {
 return; // already loaded
 }
 
- encryptionKeyPath =
- privateConfig.getRawPrivateConfig().server.encryption_key_path;
-
- if (!fs.existsSync(encryptionKeyPath)) {
- throw new Error(
- "Encryption key file not found. Please generate one first."
- );
- }
-
- encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim();
+ encryptionKeyHex =
+ privateConfig.getRawPrivateConfig().server.encryption_key;
 encryptionKey = Buffer.from(encryptionKeyHex, "hex");
 }
 
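Review bot: `secret_key` and `webhook_secret` in the `stripe` object changed from required `z.string()` to `.optional()` so the environment can supply them, but nothing requires the merged value to exist afterwards. A `stripe` block with neither a YAML value nor `STRIPE_SECRET_KEY` / `STRIPE_WEBHOOK_SECRET` set now passes validation. Because getEnvOrYaml returns `any`, code that uses `webhook_secret` for webhook verification (not visible here) gets no compile-time hint that it can be undefined. Adding `.pipe(z.string().min(1))` after each `.transform(...)` keeps both fields required at startup while still accepting either source. The `stripe` object begins and ends outside the hunk.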