diff --git a/create.sh b/create.sh
index 062be76..1bccb0c 100755
--- a/create.sh
+++ b/create.sh
@@ -20,6 +20,7 @@ install_binary $(which mkfs.ext4)
 install_binary $(which fsarchiver)
 install_kmod
 install_busybox
+install_guest_api
 echo_cyan "Installing scripts..."
 install_init_script
diff --git a/creator_functions.sh b/creator_functions.sh
index ba17969..06782f4 100644
--- a/creator_functions.sh
+++ b/creator_functions.sh
@@ -148,6 +148,20 @@ scan_modules() {
 done <<< "$( echo "$drivers" )"
 }
+install_guest_api() {
+ my_location="$(pwd)"
+ echo_blue "Building guest_api with cargo and saving log to ${my_location}/guest_api.log"
+ git clone git@gitea.detee.cloud:SNP/remote_decryption.git
+ cd remote_decryption/guest_api
+ # TODO: stick to master branch after code stabilizes
+ git checkout dtrfs
+ cargo build --release > "${my_location}/guest_api.log" 2>&1 ||
+ echo_red "Failed to build guest_api"
+ strip --discard-all target/release/guest_api
+ install_binary "$(pwd)/target/release/guest_api"
+ cd $my_location
+}
+
 create_archive() {
 local archive="detee-$(hostnamectl hostname)-${KERNEL}.cpio.gz"
 echo_cyan "Creating archive $archive"
diff --git a/init.sh b/init.sh
index e53d6dc..ccc803f 100755
--- a/init.sh
+++ b/init.sh
@@ -1,18 +1,24 @@
 #!/bin/bash
 source /init_functions.sh
+
+export INSTALL_URL="/tmp/detee_install_url"
+export INSTALL_SHA="/tmp/detee_install_sha"
+export ROOT_KEYFILE="/tmp/detee_root_keyfile"
+
 create_mounts
 load_modules
 create_certs
 setup_network
-# TODO: replace hardcoded URL with guest_api
-echo "http://192.168.122.226/arch_base_dir.fsa" > /tmp/install_url
-if [[ -f "/tmp/install_url" ]]; then
+guest_api || echo DeTEE API got killed by the user.
+
+if [[ -f "$INSTALL_URL" ]]; then
 install_os
 else
 mount_root
 fi
+# TODO: move ssh key to the guest API
 github_ssh_key
 exec switch_root /mnt /sbin/init "$@"
diff --git a/init_functions.sh b/init_functions.sh
index b16b5ea..38c2a26 100644
--- a/init_functions.sh
+++ b/init_functions.sh
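Review bot: In `install_guest_api` (creator_functions.sh), a failed `cargo build` only prints "Failed to build guest_api" and the function still goes on to `strip` and `install_binary`, so a stale `target/release/guest_api` left by an earlier run could be packed into the image; `git clone`, `cd` and `git checkout` are unchecked in the same way. The source is a moving branch (`dtrfs`) with no pinned revision and the build does not pass `--locked`, so the binary that init.sh appears to rely on for the install URL, hash and root key file cannot be reproduced from this script alone. I would make each step fail the function, check out a reviewed commit, use `--locked` (assuming the repository commits its Cargo.lock), and keep `my_location` local and quoted, as sketched below. The call added in create.sh would then need to act on the return value unless that script already runs under `set -e`, which is not visible here.

```shell
install_guest_api() {
  local my_location
  my_location="$(pwd)"
  # … unchanged: echo_blue log message …
  git clone git@gitea.detee.cloud:SNP/remote_decryption.git || return 1
  cd remote_decryption/guest_api || return 1
  # PINNED_COMMIT_ID is a placeholder: a reviewed commit on the dtrfs branch
  git checkout PINNED_COMMIT_ID || { cd "$my_location"; return 1; }
  if ! cargo build --release --locked > "${my_location}/guest_api.log" 2>&1; then
    echo_red "Failed to build guest_api"
    cd "$my_location"
    return 1
  fi
  # … unchanged: strip, install_binary …
  cd "$my_location" || return 1
}
```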
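Review bot: In init.sh, `guest_api || echo DeTEE API got killed by the user.` treats a failed or interrupted guest_api as non-fatal, and the only thing checked afterwards is whether `$INSTALL_URL` exists. Both branches then need `$ROOT_KEYFILE` (and `install_os` also `$INSTALL_SHA`), so a partial run reaches `cryptsetup` with a missing or empty key file instead of stopping at a clear point. A guard before the `if`, such as `[[ -s "$ROOT_KEYFILE" ]] || { echo "no root key from guest_api" >&2; exit 1; }`, would make that explicit. The key file is also never removed once the volume is open; whether /tmp is carried across `switch_root` is not visible here, so an `rm -f "$ROOT_KEYFILE"` before the `exec` is worth adding.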
@@ -66,11 +66,13 @@ setup_network() {
 }
 install_os() {
- local url="$(cat /tmp/install_url)" hostname=''
- blkid | grep vda1 | grep ext4 && {
+ local url="$(cat $INSTALL_URL)" hostname=''
+ # mount root if it exists
+ blkid | grep vda1 | grep LUKS && {
 mount_root
 return 0
 }
+ # install OS if disk is empty
 (
 echo n
 echo p
@@ -79,9 +81,12 @@ install_os() {
 echo
 echo w
 ) | fdisk /dev/vda
- mkfs.ext4 /dev/vda1
- mount_root
+ cryptsetup luksFormat --batch-mode -d $ROOT_KEYFILE /dev/vda1
+ cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root
+ mkfs.ext4 /dev/mapper/root
+ mount /dev/mapper/root /mnt
 wget -O /mnt/template.fsa "$url"
+ sha256sum /mnt/template.fsa | grep $(cat ${INSTALL_SHA}) || exit 1
 fsarchiver restdir /mnt/template.fsa /
 rm /mnt/template.fsa
 # TODO: decide for UX if maybe we should allow user to inject fstab
@@ -106,5 +111,6 @@ github_ssh_key() {
 }
 mount_root() {
- mount /dev/vda1 /mnt
+ cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root
+ mount /dev/mapper/root /mnt
 }
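Review bot: The installed-or-empty decision at the top of `install_os` is a text match, `blkid | grep vda1 | grep LUKS`, and anything that does not match falls through to `fdisk` and a `luksFormat --batch-mode` that asks for no confirmation. Since cryptsetup is already in the image, `cryptsetup isLuks /dev/vda1 && { mount_root; return 0; }` reads the header directly instead of depending on blkid's output format. The `local url=` line should also quote the path, `local url="$(cat "$INSTALL_URL")" hostname=''`. The rest of the function body lies outside this hunk.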
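Review bot: The integrity check `sha256sum /mnt/template.fsa | grep $(cat ${INSTALL_SHA})` in `install_os` is an unquoted regex substring match, not a digest comparison. Whatever `$INSTALL_SHA` holds is used as a pattern, so a truncated value or a lone `.` would match any archive, and a value containing spaces is split into a pattern plus file names. I would read the expected value, require it to be 64 hex characters, and compare it for equality with the first field of the `sha256sum` output, as below. Separately, `exit 1` on a mismatch comes after `luksFormat`, so the next boot would presumably find a LUKS partition and take the `mount_root` path with no OS on it; the start and end of the function are outside this hunk.

```shell
  # … unchanged: cryptsetup luksFormat/open, mkfs.ext4, mount, wget …
  local expected actual
  expected="$(cat "$INSTALL_SHA")" || exit 1
  actual="$(sha256sum /mnt/template.fsa)" || exit 1
  actual="${actual%% *}"
  # Compare whole digests; reject anything that is not 64 hex characters.
  [[ "$expected" =~ ^[0-9a-fA-F]{64}$ ]] || exit 1
  [[ "$actual" == "${expected,,}" ]] || exit 1
  # … unchanged: fsarchiver restdir, rm …
```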
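Review bot: Neither `cryptsetup open` nor `mount` in `mount_root` is checked, so with a wrong or missing key file the function just returns the status of the failed `mount`, which init.sh ignores before going on to `switch_root /mnt` with nothing mounted there. `$ROOT_KEYFILE` is also unquoted here and in the two `cryptsetup` lines of the `install_os` hunk above. Suggested: `cryptsetup open -d "$ROOT_KEYFILE" /dev/vda1 root || return 1` followed by `mount /dev/mapper/root /mnt || return 1`, with the caller in init.sh acting on the result.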