diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index e5625fa..5262b6b 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -9,7 +9,6 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
 RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
 DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
- OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
 if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
 mkdir -p /tmp/bridgehead/
 chown -R bridgehead:docker /tmp/bridgehead/
diff --git a/ccp/vars b/ccp/vars
index ea6ff71..46bc917 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -23,6 +23,7 @@ KEYCLOAK_URL="https://login.verbis.dkfz.de"
 KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
 KEYCLOAK_GROUP_CLAIM="groups"
 OAUTH2_CALLBACK=/oauth2/callback
+OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
 add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
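Review bot: The added `OAUTH2_PROXY_SECRET` assignment in ccp/vars has no check that the derivation worked: if `SITE_ID` is unset or `/etc/bridgehead/pki/${SITE_ID}.priv.pem` is missing or unreadable, `openssl` fails, the pipeline still returns the exit status of `head`, and the variable ends up empty with no error. The line used to sit behind `ENABLE_DATASHIELD` and now presumably runs whenever this file is loaded, so that failure case is reached more often; a guard directly after it, such as `[ "${#OAUTH2_PROXY_SECRET}" -eq 32 ] || echo "OAUTH2_PROXY_SECRET could not be derived from the site key" >&2`, would surface it and let the caller decide whether to abort. Separately, `openssl rsautl` is deprecated as of OpenSSL 3.0 in favour of `openssl pkeyutl`; if it is swapped, confirm the output is byte-identical first, since any difference would silently change the derived key and presumably invalidate existing oauth2_proxy cookies.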