diff --git a/.buildkite/cryptic_repo_keys/.gitignore b/.buildkite/cryptic_repo_keys/.gitignore
new file mode 100644
index 0000000000000..8d18931dbcf7c
--- /dev/null
+++ b/.buildkite/cryptic_repo_keys/.gitignore
@@ -0,0 +1,5 @@
+# Ignore the unencrypted repo_key
+repo_key
+
+# Ignore any agent keys (public or private) we have stored
+agent_key*
diff --git a/.buildkite/pipelines/main/misc/signed_pipeline_test.yml b/.buildkite/pipelines/main/misc/signed_pipeline_test.yml
index fb13ac15a8d65..1d59253d43bce 100644
--- a/.buildkite/pipelines/main/misc/signed_pipeline_test.yml
+++ b/.buildkite/pipelines/main/misc/signed_pipeline_test.yml
@@ -5,6 +5,10 @@ agents:
 ## pipeline that showcases decryption of environment variable
 steps:
   - label: ":lock: :rocket: Signed pipeline test"
+    # We must accept the signed job id secret in order to propagate secrets
+    env:
+      BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
+    depends_on:
     plugins:
       - staticfloat/cryptic#v1:
           variables:
@@ -12,6 +16,3 @@ steps:
     commands: |
       echo "SECRET_KEY: $${SECRET_KEY}"
 
-# We must accept the signed job id secret in order to propagate secrets
-env:
-  BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
diff --git a/.buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature b/.buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature
index 10220c758086a..299f959c1db10 100644
Binary files a/.buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature and b/.buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature differ
diff --git a/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml b/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml
index 00ed8715645e2..b16b7e8af82dd 100644
--- a/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml
+++ b/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml
@@ -5,6 +5,10 @@ agents:
   os: "linux"
 steps:
   - label: ":unlock: :coverage: Run coverage test"
+    # We must accept the signed job id secret in order to propagate secrets
+    env:
+      BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
+    depends_on:
     plugins:
       - staticfloat/cryptic:
           variables:
@@ -39,6 +43,3 @@ steps:
       ./julia .buildkite/pipelines/scheduled/coverage/upload_coverage.jl
     timeout_in_minutes: 240 # 240 minutes = 4 hours
 
-# We must accept the signed job id secret in order to propagate secrets
-env:
-  BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
diff --git a/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml.signature b/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml.signature
index 163f352241682..840a19cccfec2 100644
--- a/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml.signature
+++ b/.buildkite/pipelines/scheduled/coverage/coverage_linux64.yml.signature
@@ -1,2 +1 @@
-Salted__bUß,l-!FGwœ­(åWAƒI©ÚrÌl²‹4…ÄqÓ# R})(w’Óröíˆ=;yEsI¡FO}ÂH$›×FEb¨Ž×
-3×›uU¢f
\ No newline at end of file
+Salted__»…@P=já·îöRüž”U(§,~¯p @QÍã¾Š¹Ï÷'h7›ÎOMJþ¸àg‰“t<îA«(³v?É´<,:€júÖîY'oëóÚ¥ÏƒdÙ›
\ No newline at end of file