diff --git a/NEW/src/JdeScoping.Core/Options/RsaKeyOptions.cs b/NEW/src/JdeScoping.Core/Options/RsaKeyOptions.cs
new file mode 100644
index 0000000..b9dbe96
--- /dev/null
+++ b/NEW/src/JdeScoping.Core/Options/RsaKeyOptions.cs
@@ -0,0 +1,15 @@
+namespace JdeScoping.Core.Options;
+
+/// <summary>
+/// Configuration options for RSA key service.
+/// </summary>
+public class RsaKeyOptions
+{
+    public const string SectionName = "RsaKey";
+
+    /// <summary>
+    /// Path to store the RSA private key file.
+    /// Defaults to "data/rsa-key.bin" relative to app directory.
+    /// </summary>
+    public string KeyFilePath { get; set; } = "data/rsa-key.bin";
+}
diff --git a/NEW/src/JdeScoping.Infrastructure/DependencyInjection.cs b/NEW/src/JdeScoping.Infrastructure/DependencyInjection.cs
index 0290249..8647db9 100644
--- a/NEW/src/JdeScoping.Infrastructure/DependencyInjection.cs
+++ b/NEW/src/JdeScoping.Infrastructure/DependencyInjection.cs
@@ -1,6 +1,8 @@
 using JdeScoping.Core.Interfaces;
 using JdeScoping.Core.Options;
 using JdeScoping.Infrastructure.Auth;
+using JdeScoping.Infrastructure.Options;
+using JdeScoping.Infrastructure.Security;
 using JdeScoping.Infrastructure.Sources.Cms;
 using JdeScoping.Infrastructure.Sources.Jde;
 using Microsoft.Extensions.Configuration;
@@ -25,8 +27,6 @@ public static class InfrastructureDependencyInjection
         // Bind configuration
         services.Configure<DataSourceOptions>(
             configuration.GetSection(DataSourceOptions.SectionName));
-        services.Configure<AuthOptions>(
-            configuration.GetSection(AuthOptions.SectionName));
         services.Configure<LdapOptions>(
             configuration.GetSection(LdapOptions.SectionName));
 
@@ -47,11 +47,11 @@ public static class InfrastructureDependencyInjection
         }
 
         // Register auth service based on configuration
-        var authOptions = configuration
-            .GetSection(AuthOptions.SectionName)
-            .Get<AuthOptions>();
+        var ldapOptions = configuration
+            .GetSection(LdapOptions.SectionName)
+            .Get<LdapOptions>();
 
-        if (authOptions?.UseFakeAuth == true)
+        if (ldapOptions?.UseFakeAuth == true)
         {
             services.AddScoped<IAuthService, FakeAuthService>();
         }
@@ -60,6 +60,20 @@ public static class InfrastructureDependencyInjection
             services.AddScoped<IAuthService, LdapAuthService>();
         }
 
+        // Register RSA key service for login encryption
+        services.Configure<RsaKeyOptions>(
+            configuration.GetSection(RsaKeyOptions.SectionName));
+
+        var rsaKeyOptions = configuration
+            .GetSection(RsaKeyOptions.SectionName)
+            .Get<RsaKeyOptions>() ?? new RsaKeyOptions();
+
+        var keyPath = Path.IsPathRooted(rsaKeyOptions.KeyFilePath)
+            ? rsaKeyOptions.KeyFilePath
+            : Path.Combine(AppContext.BaseDirectory, rsaKeyOptions.KeyFilePath);
+
+        services.AddSingleton<IRsaKeyService>(new RsaKeyService(keyPath));
+
         return services;
     }
 }