diff --git a/bin/renovatepls b/bin/renovatepls
index bf15c57..a792947 100755
--- a/bin/renovatepls
+++ b/bin/renovatepls
@@ -13,7 +13,7 @@ export RENOVATE_HOST_RULES="[{\"hostType\": \"github\", \"domainName\": \"github
 export RENOVATE_DOCKER_USER="${RENOVATE_DOCKER_USER_AND_GROUP}"
 # used as the git signing key only to sign commits/tags
-GPG_KEY="$(gpg --armor --export-secret-keys "${SIGNING_KEY}")"
+GPG_KEY="$(gpg --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")"
 export RENOVATE_GIT_PRIVATE_KEY="${GPG_KEY}"
 # enable custom (i.e. self-hosted) rust crate registries
diff --git a/etc/systemd/system/renovate.service b/etc/systemd/system/renovate.service
index b17cc60..235f4cd 100644
--- a/etc/systemd/system/renovate.service
+++ b/etc/systemd/system/renovate.service
@@ -38,8 +38,7 @@ ReadWritePaths=/home/renovate-bot/.npm
 NoNewPrivileges=True
 ProtectSystem=strict
-; home dir rw access is needed for gpg
-; ProtectHome=read-only
+ProtectHome=read-only
 ProtectProc=invisible
 ProcSubset=pid
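Review bot: The `GPG_KEY="$(gpg … --export-secret-keys "${SIGNING_KEY}")"` assignment is not followed by any check, so a failed export may leave an empty value that is still exported as `RENOVATE_GIT_PRIVATE_KEY`; whether `set -e` covers this is not visible in the hunk. A guard directly after it, `[ -n "${GPG_KEY}" ] || { echo "gpg export of signing key failed" >&2; exit 1; }`, would make a failure under the now read-only home explicit instead of surfacing later in the Renovate run. The three new flags also deserve a comment above the line, e.g. `# --lock-never/--disable-dirmngr: gpg must not write to $HOME, which the unit mounts read-only (ProtectHome=read-only)`. Note that `--lock-never` is only safe while nothing else modifies this keyring concurrently. The script continues outside the hunk.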
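Review bot: `ProtectHome=read-only` now depends on the gpg options set in `bin/renovatepls`, but the removed comment that explained the gpg constraint is not replaced, so the coupling is undocumented. A line such as `; gpg in bin/renovatepls runs with --lock-never --disable-dirmngr, so it needs no write access to the home dir` above it would keep a later edit from dropping either side. It is also worth confirming on the target host that the secret-key export still works when gpg-agent is started on demand, since this setting makes /run/user read-only as well as /home and the agent may need to create its socket in one of them. Read-only access still leaves the private keyring readable by everything the service runs, which is presumably required here. The unit file continues outside the hunk.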