diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dfb8373
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+php/env.php
diff --git a/admin.php b/admin.php
index f9a3403..3820873 100644
--- a/admin.php
+++ b/admin.php
@@ -2,8 +2,6 @@
 require_once 'php/config.inc.php';
-$password = "sexworkiswork";
-
 define('FORMCONTENTS', '

Password:

'); @@ -30,7 +28,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) { include footer; } else { if (isset($_POST) && isset($_POST['password'])) { - if ($_POST['password'] === $password) { + if ($_POST['password'] === DL_PASS) { header('Content-Type: application/octet-stream'); header("Content-Transfer-Encoding: Binary"); header("Content-disposition: attachment; filename=\"submissions.dat\""); diff --git a/index.php b/index.php index df54247..4aa3908 100755 --- a/index.php +++ b/index.php @@ -1,4 +1,4 @@ -0) { $data = json_encode($_POST); // pubkey is a base64-encoded key generated by sodium_crypto_box_keypair - $pubKey = base64_decode(file_get_contents("key.public")); + $pubKey = base64_decode(file_get_contents(PK_FILE)); // for now, data is stored by encrypting each submission individually, base64 encoding it, // and appending it as a separate line onto the end of the data file (prepending with a diff --git a/php/config.inc.php b/php/config.inc.php index a856334..0231065 100644 --- a/php/config.inc.php +++ b/php/config.inc.php @@ -1,7 +1,9 @@ Our Awesome Org - All rights reserved. Form powered by Lockbox by Open Privacy'); // restrict the (optional) admin form to these IPs -$ADMIN_IPS = array( -/* "1.2.3.501", // erinn - "9.5.1.06", // sarah - "92.102.94.l" // dan*/ -); +$ADMIN_IPS = $ips; // if you would like you disable the IP check (not recommended!) you can use this line instead: // $ADMIN_IPS = array(); // password for downloading submissions from the admin form -define('DL_PASS', ""); +define('DL_PASS', $conf_vars['LB_DL_PASS']); +// This is the path to the public key file +define(PK_FILE, $_SERVER['DOCUMENT_ROOT']."/".$conf_vars['LB_PUBKEY_FILE']); // ============ include file locations -- you shouldn't need to change below this line diff --git a/php/env.example.php b/php/env.example.php new file mode 100644 index 0000000..a73f928 --- /dev/null +++ b/php/env.example.php 
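Review bot: The literal removed on the `$password` line remains recoverable from the repository history, so the value placed in `LB_DL_PASS` in php/env.php must not be the same string; rotating it is part of this change rather than a follow-up. The `define('FORMCONTENTS', '` string that the hunk's last context lines belong to continues across lines whose markup is not legible in this rendering.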
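Review bot: The added `if ($_POST['password'] === DL_PASS) {` compares the download secret with `===`, which is not constant-time, and since php/env.example.php ships `'LB_DL_PASS' => ''` an operator who forgets to set it would have an empty password accepted by an empty submission. I would refuse an unset secret and compare with `hash_equals`, guarding the type first because a `password[]` field arrives as an array: `if (is_string($_POST['password']) && DL_PASS !== '' && hash_equals(DL_PASS, $_POST['password'])) {`. The `isset($_POST) &&` on the context line above is redundant (`$_POST` is always set) and could go at the same time. The enclosing if/else around the `$ADMIN_IPS` check starts before this hunk.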
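Review bot: The new `$pubKey = base64_decode(file_get_contents(PK_FILE));` line never checks that the key file was actually read or decoded: a missing or unreadable PK_FILE yields `false`, which decodes to an empty string, and a corrupted file decodes permissively, so the failure surfaces only when the sealed-box call is reached, after the submission has been serialised. Read the file, decode strictly and verify the key length before any data is touched, failing closed otherwise. The block this sits in (apparently the `count($_POST) > 0` branch) starts outside the hunk, and the two index.php hunks are run together in this rendering, so the exact context lines are not legible here.
```php
$rawKey = file_get_contents(PK_FILE);
$pubKey = $rawKey === false ? false : base64_decode($rawKey, true);
if ($pubKey === false || strlen($pubKey) !== SODIUM_CRYPTO_BOX_PUBLICKEYBYTES) {
    // fail closed: never store a submission that cannot be encrypted
    throw new RuntimeException('Lockbox public key is missing or malformed');
}
// … unchanged: per-submission encryption and append to the data file …
```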
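Review bot: `define(PK_FILE, $_SERVER['DOCUMENT_ROOT']."/".$conf_vars['LB_PUBKEY_FILE']);` passes the constant name unquoted; on PHP 8 an undefined bare constant is a fatal `Error`, and on PHP 7 it only works through the deprecated bare-word-to-string fallback, unlike the quoted `define('DL_PASS', ...)` two lines above it. It should read `define('PK_FILE', $_SERVER['DOCUMENT_ROOT'] . "/" . $conf_vars['LB_PUBKEY_FILE']);`. The hunk also reads `$ips` and `$conf_vars` from php/env.php, but the require that brings them in is not legible in this rendering (the file's two hunks are run together); if env.php is absent, `$ADMIN_IPS` and `DL_PASS` presumably become null, which on the `count($ADMIN_IPS) > 0` check would quietly disable the IP restriction — a `require_once` followed by an explicit non-empty check on `LB_DL_PASS` would make that failure loud instead.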
@@ -0,0 +1,16 @@
+ '',
+ 'LB_FILE' => '/var/www/data/lockbox.dat', // This is the submissions file -- it should not be in your web directory!!!
+ 'LB_PUBKEY_FILE' => 'lockbox-web/key.public' // Public key file location relative to the website root (i.e., $_SERVER['DOCUMENT_ROOT'])
+];
+
+// restrict the (optional) admin form to these IPs
+$ips = array(
+/* "127.0.0.1",
+ "192.168.0.0",
+ "172.16.0.0" */
+);
+
+?>
\ No newline at end of file
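Review bot: php/env.php, the file this template is copied to, lives under the web root next to the code it configures, while the template's own comment on `LB_FILE` insists the data file must not be in the web directory; the download password deserves the same treatment, since any misconfiguration that serves .php files as text would expose it, and the .gitignore entry only keeps it out of the repository. Consider documenting in the header comment that env.php should be moved outside DOCUMENT_ROOT and required by absolute path, and that `'LB_DL_PASS' => ''` must be replaced before deployment. The closing `?>` with no trailing newline is best dropped from a pure-PHP config file so stray whitespace cannot be emitted, and `$ips = array(` could use `[]` to match the `$conf_vars` literal above it. The first lines of the hunk are not legible in this rendering.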