diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..17ef601
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,3 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
diff --git a/.git-crypt/keys/default/0/7FD58D9A196DCEEEAD671F94F4D7A7915DEA789B.gpg b/.git-crypt/keys/default/0/7FD58D9A196DCEEEAD671F94F4D7A7915DEA789B.gpg
new file mode 100644
index 0000000..59251f9
Binary files /dev/null and b/.git-crypt/keys/default/0/7FD58D9A196DCEEEAD671F94F4D7A7915DEA789B.gpg differ
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..c309941
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+private_dotfiles/** filter=git-crypt diff=git-crypt
diff --git a/.gitignore b/.gitignore
index cc35c0f..494f98c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,3 @@
-private_dotfiles
-private_dotfiles/**
 installed-prefs
 *.swp
 *~
diff --git a/README.md b/README.md
index ef66b51..d119f5a 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,10 @@ packages I like installed, and an ever-growing setup script.  There are various
 options to install just parts of it, such as on a machine where I only have a
 user account but no root.
 
+This now uses [git-crypt](https://github.com/AGWA/git-crypt) to protect
+`private_dotfiles` for things I don't want to splash all over the internet. :)
+I still wouldn't check in anything terribly sensitive, like private keys.
+
 ### Usefulness ###
 Mostly I post this to github so I can quickly grab the things I want, but it
 might also be useful to others.  Feel free to raise an issue if you have any
@@ -22,6 +26,8 @@ MINIMAL: Don't do things that require git clones or installation of anything
   not included in my .skel.  (Defaults to 0, installs everything.)
 INSTALL_KEYS: Install GnuPG and SSH keys.  SSH keys are placed in
   authorized_keys. (Defaults to 1, installs keys.)
+TRUST_ALL_KEYS: Allow all keys to be used for SSH login, versus a small subset.
 INSTALL_PKGS: Install common packages, if on a Debian-like system.
   (Defaults to opposite of $MINIMAL.)
+SAVE: Save the install options to ${BASEDIR}/installed-prefs
 ```
diff --git a/bin/google-chrome b/bin/google-chrome
new file mode 100755
index 0000000..77c29cc
--- /dev/null
+++ b/bin/google-chrome
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+CHROME=`which google-chrome`
+
+if [ `id -u` != "0" ] ; then
+  exec $CHROME "$@"
+fi
+
+CMD="${CHROME} --user-data-dir=${HOME}/.chrome-data-dir \"$@\""
+su -c "${CMD}" chromeuser
diff --git a/deb-to-kali.sh b/deb-to-kali.sh
index a105a4c..03d6cc9 100755
--- a/deb-to-kali.sh
+++ b/deb-to-kali.sh
@@ -8,12 +8,9 @@ fi
 BASEDIR=`dirname $0`
 
 cat >/etc/apt/sources.list.d/kali.list <<KALI_EOF
-deb http://http.kali.org/kali sana main non-free contrib
-deb-src http://http.kali.org/kali sana main non-free contrib
-deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
-deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free
+deb http://http.kali.org/kali kali-rolling main contrib non-free
 KALI_EOF
 
-/usr/bin/apt-key add ${BASEDIR}/kali-repo.key
+/usr/bin/apt-key add ${BASEDIR}/keys/gpg/kali-repo.key
 /usr/bin/apt-get update
 /usr/bin/apt-get install -y kali-linux-full
diff --git a/dotfiles/irssi/config b/dotfiles/irssi/config
index fe7af89..1cf48ee 100644
--- a/dotfiles/irssi/config
+++ b/dotfiles/irssi/config
@@ -15,16 +15,6 @@ servers = (
     ssl_verify = "no";
     autoconnect = "yes";
   },
-  {
-    address = "chat.freenode.net";
-    chatnet = "freenode";
-    port = "7000";
-    use_ssl = "yes";
-    ssl_cert = "~/.irssi/matir.pem";
-    ssl_verify = "yes";
-    ssl_cafile = "~/.irssi/instantssl.crt";
-    autoconnect = "yes";
-  },
   {
     address = "irc.hackint.eu";
     chatnet = "hackint";
@@ -48,6 +38,17 @@ servers = (
     use_ssl = "yes";
     ssl_verify = "no";
     autoconnect = "yes";
+  },
+  {
+    address = "chat.freenode.net";
+    chatnet = "freenode";
+    port = "7000";
+    use_ssl = "yes";
+    ssl_cert = "~/.irssi/matir.pem";
+    ssl_verify = "yes";
+    ssl_capath = "/etc/ssl/certs";
+    family = "inet";
+    autoconnect = "yes";
   }
 );
 
@@ -91,7 +92,9 @@ channels = (
   { name = "#radare"; chatnet = "freenode"; autojoin = "yes"; },
   { name = "#vulnhub"; chatnet = "freenode"; autojoin = "yes"; },
   { name = "#redditnet"; chatnet = "geekshed"; autojoin = "yes"; },
-  { name = "#rpisec"; chatnet = "rpisec"; autojoin = "yes"; }
+  { name = "#rpisec"; chatnet = "rpisec"; autojoin = "yes"; },
+  { name = "#offsec"; chatnet = "freenode"; autojoin = "yes"; },
+  { name = "#offtopicsec"; chatnet = "freenode"; autojoin = "yes"; }
 );
 
 aliases = {
@@ -271,6 +274,13 @@ statusbar = {
         barend = { priority = "100"; alignment = "right"; };
       };
     };
+    awl_2 = {
+      items = {
+        barstart = { priority = "100"; };
+        awl_2 = { };
+        barend = { priority = "100"; alignment = "right"; };
+      };
+    };
   };
 };
 settings = {
@@ -293,14 +303,9 @@ settings = {
     awl_shared_sbar = "OFF";
     awl_viewer = "no";
     awl_block = "-15";
-    awl_maxlines = "2";
+    awl_maxlines = "3";
     awl_height_adjust = "2";
-  };
-};
-logs = {
-  "~/irc.log.Window7" = {
-    level = "ALL";
-    items = ( { type = "window"; name = "7"; } );
+    awl_hide_empty = "0";
   };
 };
 windows = {
@@ -407,3 +412,4 @@ windows = {
   };
 };
 mainwindows = { 1 = { first_line = "1"; lines = "78"; }; };
+logs = { };
diff --git a/dotfiles/irssi/default.theme b/dotfiles/irssi/default.theme
index ac99356..be5d086 100644
--- a/dotfiles/irssi/default.theme
+++ b/dotfiles/irssi/default.theme
@@ -292,3 +292,6 @@ abstracts = {
   # hilight with specified color, $0 = color, $1 = text
   sb_act_hilight_color = "$0$1-%n";
 };
+formats = {
+  "Irssi::Script::adv_windowlist" = { awl_display_header = ""; };
+};
diff --git a/dotfiles/ssh/config b/dotfiles/ssh/config
index ecd375b..b45b76e 100644
--- a/dotfiles/ssh/config
+++ b/dotfiles/ssh/config
@@ -11,3 +11,4 @@ Host *
 	ForwardX11		no
 	ForwardX11Trusted	no
 	ServerAliveInterval 120
+	CheckHostIP no
diff --git a/dotfiles/zshrc b/dotfiles/zshrc
index a8d3107..d1e20ab 100644
--- a/dotfiles/zshrc
+++ b/dotfiles/zshrc
@@ -31,6 +31,9 @@ zstyle ':completion:*:default' list-colors ${(s.:.)LS_COLORS}
 
 # Load oh-my-zsh
 if [ -d $HOME/.oh-my-zsh ] ; then
+  # Override gnome-keyring
+  unset SSH_AUTH_SOCK
+  unset SSH_AGENT_PID
   ZSH=$HOME/.oh-my-zsh
   ZSH_THEME="matir"
   ZSH_CUSTOM="$HOME/.zsh_custom"
diff --git a/install.sh b/install.sh
index a10990a..bafbb6b 100755
--- a/install.sh
+++ b/install.sh
@@ -5,9 +5,11 @@ set errexit
 
 function prerequisites {
   if which zsh > /dev/null ; then
-    if [[ `getent passwd $USER | cut -d: -f7` != */zsh ]] ; then
-      echo 'Enter password to change shell.' >&2
-      chsh -s `which zsh`
+    if [[ $- == *i* ]] ; then
+      if [[ `getent passwd $USER | cut -d: -f7` != */zsh ]] ; then
+        echo 'Enter password to change shell.' >&2
+        chsh -s `which zsh`
+      fi
     fi
     install_git https://github.com/robbyrussell/oh-my-zsh.git $HOME/.oh-my-zsh
   else
@@ -200,6 +202,7 @@ function install_chrome {
   run_as_root /usr/bin/dpkg -i ${TMPD}/google-chrome.deb || \
     run_as_root /usr/bin/apt-get install -qq -f -y || \
     ( echo "Could not install chrome." >&2 && return 1 )
+  rm -rf ${TMPD}
 }
 
 function read_saved_prefs {
@@ -271,6 +274,7 @@ ARCH=`uname -m`
 (( $INSTALL_PKGS )) && is_deb_system && install_apt_pkgs
 install_dotfile_dir "${BASEDIR}/dotfiles"
 test -d "${BASEDIR}/private_dotfiles" && \
+  test -d "${BASEDIR}/.git/git-crypt" && \
   install_dotfile_dir "${BASEDIR}/private_dotfiles"
 install_basic_dir "${BASEDIR}/bin" "${HOME}/bin"
 (( $MINIMAL )) || postinstall
diff --git a/kali-repo.key b/keys/gpg/kali-repo.key
similarity index 100%
rename from kali-repo.key
rename to keys/gpg/kali-repo.key
diff --git a/private_dotfiles/irssi/sasl.auth b/private_dotfiles/irssi/sasl.auth
new file mode 100644
index 0000000..5841f87
Binary files /dev/null and b/private_dotfiles/irssi/sasl.auth differ
diff --git a/private_dotfiles/ssh/config b/private_dotfiles/ssh/config
new file mode 100644
index 0000000..f77467c
Binary files /dev/null and b/private_dotfiles/ssh/config differ