diff --git a/install b/install
index c4770a8..be2e6fe 100644
--- a/install
+++ b/install
@@ -1,14 +1,15 @@
 #!/bin/sh
 [ `id -u` -eq 0 ] || exit
 
+echo Disabling the pre-release service (if present)...
+systemctl disable vm-sudo-protect.service
+
 cp vm-boot-protect.sh /usr/lib/qubes/init
 chmod +x /usr/lib/qubes/init/vm-boot-protect.sh
 cp vm-boot-protect.service /lib/systemd/system
 systemctl daemon-reload
 systemctl enable vm-boot-protect.service
 
-echo Disabling the pre-release service (if present)...
-systemctl disable vm-sudo-protect.service
-
+echo
 echo vm-boot-protect installed!
 
diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh
index 502f019..3bf77a6 100644
--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@@ -77,11 +77,12 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
     cd /root
 
     # Deactivate private.img config dirs
+    mkdir -p `dirname $dir`/vm-boot-protect
     for dir in $privdirs; do
-        bakdir=`dirname $dir`/BAK-`basename $dir`
-        bak2dir=`dirname $dir`/BAK2-`basename $dir`
-        if [ -d $bakdir ] && [ ! -d $bak2dir ]; then
-            mv $bakdir $bak2dir
+        bakdir=`dirname $dir`/vm-boot-protect/BAK-`basename $dir`
+        origdir=`dirname $dir`/vm-boot-protect/ORIG-`basename $dir`
+        if [ -d $bakdir ] && [ ! -d $origdir ]; then
+            mv $bakdir $origdir
         fi
         rm -rf  $bakdir
         mv $dir $bakdir
@@ -119,6 +120,9 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
         if [ -d $defdir/$vmset/rw ]; then
             cp -af "$defdir/$vmset/rw/*" $rw
         fi
+        
+        # Keep configs invisible at runtime...
+        rm -rf $defdir/*
 
     done