diff --git a/.gitignore b/.gitignore
index 710f5fe..c0383d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,12 +10,9 @@ stack.yaml.lock # yesod static/tmp/ static/combined/ -config/client_session_key.aes +state/client_session_key.aes yesod-devel/ # vervis -config/settings.yml -config/ssh-host-key -config/ssh-host-key.pub lib/ state/
diff --git a/INSTALL.md b/INSTALL.md
index 2665392..df0131a 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -104,13 +104,13 @@ Create a directory to hold mutable application state: Generate a new SSH key with a blank password: - $ ssh-keygen -t rsa -m PEM -f config/ssh-host-key + $ ssh-keygen -t rsa -m PEM -f state/ssh-host-key Update the settings to specify correct database connection details and other settings. - $ cp config/settings-default.yaml config/settings.yml - $ vim config/settings.yml + $ cp settings-default.yaml state/settings.yml + $ vim state/settings.yml Create a directory that will keep all the VCS repositories hosted by Vervis. Its name should match the `repo-dir` setting in `config/settings.yml`. For
diff --git a/config/settings-default.yaml b/settings-default.yaml
similarity index 97%
rename from config/settings-default.yaml
rename to settings-default.yaml
index 63a91b7..49aa9d4 100644
--- a/config/settings-default.yaml
+++ b/settings-default.yaml
@@ -20,9 +20,6 @@ ip-from-header: "_env:IP_FROM_HEADER:false" # you deploy an instance. instance-host: "_env:INSTANCE_HOST:localhost" -# Encryption key file for encrypting the session cookie sent to clients -client-session-key: config/client_session_key.aes - # How much time after the last request it takes for the session cookie to # expire client-session-timeout:
@@ -92,7 +89,6 @@ diff-context-lines: 5 ############################################################################### ssh-port: 5022 -ssh-key-file: config/ssh-host-key ############################################################################### # Accounts
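Review bot: Removing `client-session-key` here, and `ssh-key-file` in the second hunk of this file, leaves the default settings with no operator-facing record of where the two key files are now expected. Both locations are now fixed relative to the state directory, so a comment standing in for each removed key would save a migrating operator a trip to the source, e.g. `# The session cookie key is read from <state-dir>/client_session_key.aes` and `# The SSH host key is read from <state-dir>/ssh-host-key`. An existing settings.yml that still carries the old keys should be ignored rather than rejected by the object parser, so this is a documentation gap rather than a compatibility break, but it is worth confirming against the Settings.hs parser.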
diff --git a/src/Vervis/Application.hs b/src/Vervis/Application.hs
index 379dfc2..bfce592 100644
--- a/src/Vervis/Application.hs
+++ b/src/Vervis/Application.hs
@@ -165,6 +165,9 @@ moveFileIfExists from to = do exists <- doesFileExist from when exists $ renameFile from to +settingsYml :: FilePath +settingsYml = "state/settings.yml" + -- This line actually creates our YesodDispatch instance. It is the second half -- of the call to mkYesodData which occurs in Foundation.hs. Please see the -- comments there for more details.
@@ -461,7 +464,7 @@ getApplicationDev = do return (wsettings, app) getAppSettings :: IO AppSettings -getAppSettings = loadYamlSettings [configSettingsYml] [] useEnv +getAppSettings = loadYamlSettings [settingsYml] [] useEnv -- | main function for use by yesod devel develMain :: IO ()
@@ -552,10 +555,13 @@ fillPermitRecords = do -- | The @main@ function for an executable running this site. appMain :: IO () appMain = do + -- Remove in 2025 + moveFileIfExists "config/settings.yml" "state/settings.yml" + -- Get the settings from all relevant sources settings <- loadYamlSettings -- Read settings from the settings file - [configSettingsYml] + [settingsYml] -- Fall back to compile-time values, set to [] to require values at -- runtime
diff --git a/src/Vervis/Foundation.hs b/src/Vervis/Foundation.hs
index d9fded6..403a822 100644
--- a/src/Vervis/Foundation.hs
+++ b/src/Vervis/Foundation.hs
@@ -41,6 +41,7 @@ import Database.Persist.Sql (ConnectionPool) import Fcf (Eval, Map) import Network.HTTP.Client (Manager, HasHttpManager (..)) import Network.HTTP.Types.Header +import System.FilePath (()) import Text.Shakespeare.Text (textFile) import Text.Hamlet (hamletFile) --import Text.Jasmine (minifym)
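Review bot: `settingsYml` is a new top-level binding without a Haddock comment, and it quietly replaces Yesod's `configSettingsYml` that the two later hunks in this file drop. A one-liner stating that the path is resolved against the working directory and is the runtime counterpart of the renamed `settings-default.yaml` would orient a reader, e.g. `-- | Runtime settings file, relative to the working directory; replaces Yesod's 'configSettingsYml' now that mutable files live under @state/@.`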
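Review bot: `moveFileIfExists "config/settings.yml" "state/settings.yml"` guards only on the source existing (its body is visible as context in the first hunk of this file: `exists <- doesFileExist from` then `when exists $ renameFile from to`), so an operator who already created `state/settings.yml` per the new INSTALL.md but left the old file in `config/` gets the new one silently replaced by `renameFile`. The three key moves in the Migration.hs hunk share this, and for `state/ssh-host-key` a silent overwrite swaps the host key that SSH clients have already recorded. Checking the destination inside `moveFileIfExists` covers all four call sites: `dest <- doesFileExist to` and `when (exists && not dest) $ renameFile from to`, with the both-exist case logged rather than ignored so the stale copy in `config/` gets noticed. The `-- Remove in 2025` comment would also help readers more if it said what it migrates, e.g. `-- Move settings.yml out of the legacy config/ layout; remove in 2025`.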
@@ -222,7 +223,7 @@ instance Yesod App where let s = appSettings app t = fromIntegral (toTimeUnit $ appClientSessionTimeout s :: U.Minute) - k = appClientSessionKeyFile s + k = appStateDir s "client_session_key.aes" in Just <$> defaultClientSessionBackend t k -- Yesod Middleware allows you to run code before and after each handler function.
diff --git a/src/Vervis/Migration.hs b/src/Vervis/Migration.hs
index c5d139f..e62ae80 100644
--- a/src/Vervis/Migration.hs
+++ b/src/Vervis/Migration.hs
@@ -3952,6 +3952,11 @@ changes hLocal ctx = moveFileIfExists "delivery-counter.sqlite3" "state/delivery-counter.sqlite3" moveFileIfExists "delivery-counter.sqlite3-shm" "state/delivery-counter.sqlite3-shm" moveFileIfExists "delivery-counter.sqlite3-wal" "state/delivery-counter.sqlite3-wal" + -- 669 + , unchecked $ lift $ liftIO $ do + moveFileIfExists "config/ssh-host-key" "state/ssh-host-key" + moveFileIfExists "config/ssh-host-key.pub" "state/ssh-host-key.pub" + moveFileIfExists "config/client_session_key.aes" "state/client_session_key.aes" ] migrateDB
diff --git a/src/Vervis/Settings.hs b/src/Vervis/Settings.hs
index 9d0eaf6..81ca181 100644
--- a/src/Vervis/Settings.hs
+++ b/src/Vervis/Settings.hs
@@ -106,8 +106,6 @@ data AppSettings = AppSettings -- behind a reverse proxy. , appIpFromHeader :: Bool - -- | Path of session cookie encryption key file - , appClientSessionKeyFile :: FilePath -- | Idle timeout for session cookie expiration , appClientSessionTimeout :: TimeInterval
@@ -142,8 +140,6 @@ data AppSettings = AppSettings , appPostApplyHookFile :: FilePath -- | Port for the SSH server component to listen on , appSshPort :: Int - -- | Path to the server's SSH private key file - , appSshKeyFile :: FilePath -- | Whether new user accounts can be created. , appRegister :: Bool -- | The maximal number of user accounts that can be registered.
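Review bot: As rendered here, `k = appStateDir s "client_session_key.aes"` applies `appStateDir` to two arguments, which cannot type-check; presumably the `</>` between them was dropped by the page extraction, since the new import in the earlier hunk of this file shows `import System.FilePath (())` with an empty-looking operator list and the Ssh.hs hunk has the same shape. Worth confirming the committed source reads `k = appStateDir s </> "client_session_key.aes"`. With the configurable `appClientSessionKeyFile` gone, a short comment on this line saying whether the key file is generated on first start when missing (as far as I recall, clientsession's key loader does that) would tell readers that an empty state directory is enough for a fresh install. The enclosing method starts and ends outside this hunk.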
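Review bot: The new step moves the SSH host key and the session key into `state/` from inside the database migration list, while the Foundation.hs and Ssh.hs hunks now read those files at fixed `state/` paths; if `mkConfig` or the session backend is built before `migrateDB` has run this step on the first start after upgrading, the host key lookup misses, and for the session key a fresh one may be created and then replaced by the move. Worth confirming the startup order in makeFoundation, or doing these three moves next to the settings.yml move in appMain, where they cannot race the readers. The `-- 669` comment would also read better with a phrase saying what it does, e.g. `-- 669: move SSH host key and session key from config/ to state/`. The `changes` list starts outside this hunk.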
@@ -230,7 +226,6 @@ instance FromJSON AppSettings where let appPort = fromIntegral port appIpFromHeader <- o .: "ip-from-header" - appClientSessionKeyFile <- o .: "client-session-key" appClientSessionTimeout <- interval <$> o .: "client-session-timeout" appHttpSigTimeLimit <- interval <$> o .: "request-time-limit"
@@ -249,7 +244,6 @@ instance FromJSON AppSettings where appPostReceiveHookFile <- o .:? "post-receive-hook" .!= detectedHookFile appPostApplyHookFile <- o .:? "post-apply-hook" .!= detectedDarcsHookFile appSshPort <- o .: "ssh-port" - appSshKeyFile <- o .: "ssh-key-file" appRegister <- o .: "registration" appAccounts <- o .: "max-accounts" appEmailVerification <- o .:? "email-verification" .!= not defaultDev
diff --git a/src/Vervis/Ssh.hs b/src/Vervis/Ssh.hs
index bbedb04..da463b7 100644
--- a/src/Vervis/Ssh.hs
+++ b/src/Vervis/Ssh.hs
@@ -360,7 +360,7 @@ mkConfig -> TVar (HashMap RepoId (Ref Repo)) -> IO (Config SessionBase ChannelBase UserAuthId) mkConfig settings ctx pool logFunc theater reposVar = do - keyPair <- keyPairFromFile $ appSshKeyFile settings + keyPair <- keyPairFromFile $ appStateDir settings "ssh-host-key" return $ Config { cSession = SessionConfig { scAuthMethods = ["publickey"]
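Review bot: Dropping the `client-session-key` parse here and `ssh-key-file` in the next hunk means a deployment whose settings.yml pointed either key outside `config/` (a system-managed host key, say) now has that setting silently ignored, and the server instead looks for `state/ssh-host-key`, which the Migration.hs step does not create. Rejecting the obsolete keys with a pointer to the new location turns that into a clear startup error: `legacySsh <- o .:? "ssh-key-file" :: Parser (Maybe FilePath)` followed by `when (isJust legacySsh) $ fail "ssh-key-file was removed; place the key at <state-dir>/ssh-host-key"`, and the same pair for `client-session-key` (`Parser` comes from Data.Aeson.Types if it is not already imported). The enclosing `parseJSON` starts and ends outside both hunks.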