diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index 557c153..5db851c 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -51,10 +51,10 @@ locals {
       password_length = 32
     }
 
-    # Shared backup password
+    # Shared backup password (auto-generated, add alongside existing restic key)
     "shared/backup/password" = {
-      auto_generate = false
-      data          = { password = var.backup_helper_secret }
+      auto_generate   = true
+      password_length = 32
     }
 
     # NATS NKey for alerttonotify
diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf
index d5055ef..5799067 100644
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -16,12 +16,6 @@ variable "vault_skip_tls_verify" {
   default     = true
 }
 
-variable "backup_helper_secret" {
-  description = "Backup helper password (shared across hosts)"
-  type        = string
-  sensitive   = true
-}
-
 variable "nats_nkey" {
   description = "NATS NKey for alerttonotify"
   type        = string