diff --git a/core/startos/src/context/setup.rs b/core/startos/src/context/setup.rs
index de8dced07..999154977 100644
--- a/core/startos/src/context/setup.rs
+++ b/core/startos/src/context/setup.rs
@@ -100,18 +100,6 @@ impl SetupContext {
             .with_ctx(|_| (crate::ErrorKind::Filesystem, db_path.display().to_string()))?;
         Ok(db)
     }
-    #[instrument(skip_all)]
-    pub async fn secret_store(&self) -> Result<PgPool, Error> {
-        init_postgres(&self.datadir).await?;
-        let secret_store =
-            PgPool::connect_with(PgConnectOptions::new().database("secrets").username("root"))
-                .await?;
-        sqlx::migrate!()
-            .run(&secret_store)
-            .await
-            .with_kind(crate::ErrorKind::Database)?;
-        Ok(secret_store)
-    }
 
     pub fn run_setup<F, Fut>(&self, f: F) -> Result<(), Error>
     where
diff --git a/core/startos/src/disk/main.rs b/core/startos/src/disk/main.rs
index 3a13c5dca..73aca4010 100644
--- a/core/startos/src/disk/main.rs
+++ b/core/startos/src/disk/main.rs
@@ -168,7 +168,7 @@ pub async fn create_all_fs<P: AsRef<Path>>(
 
 #[instrument(skip_all)]
 pub async fn unmount_fs<P: AsRef<Path>>(guid: &str, datadir: P, name: &str) -> Result<(), Error> {
-    unmount(datadir.as_ref().join(name)).await?;
+    unmount(datadir.as_ref().join(name), false).await?;
     if !guid.ends_with("_UNENC") {
         Command::new("cryptsetup")
             .arg("-q")
diff --git a/core/startos/src/disk/mount/guard.rs b/core/startos/src/disk/mount/guard.rs
index d6e7e3da1..a2d577226 100644
--- a/core/startos/src/disk/mount/guard.rs
+++ b/core/startos/src/disk/mount/guard.rs
@@ -74,7 +74,7 @@ impl MountGuard {
     }
     pub async fn unmount(mut self, delete_mountpoint: bool) -> Result<(), Error> {
         if self.mounted {
-            unmount(&self.mountpoint).await?;
+            unmount(&self.mountpoint, false).await?;
             if delete_mountpoint {
                 match tokio::fs::remove_dir(&self.mountpoint).await {
                     Err(e) if e.raw_os_error() == Some(39) => Ok(()), // directory not empty
@@ -96,7 +96,7 @@ impl Drop for MountGuard {
     fn drop(&mut self) {
         if self.mounted {
             let mountpoint = std::mem::take(&mut self.mountpoint);
-            tokio::spawn(async move { unmount(mountpoint).await.unwrap() });
+            tokio::spawn(async move { unmount(mountpoint, true).await.unwrap() });
         }
     }
 }
diff --git a/core/startos/src/disk/mount/util.rs b/core/startos/src/disk/mount/util.rs
index e93ceb7dd..674f33304 100644
--- a/core/startos/src/disk/mount/util.rs
+++ b/core/startos/src/disk/mount/util.rs
@@ -23,7 +23,7 @@ pub async fn bind<P0: AsRef<Path>, P1: AsRef<Path>>(
         .status()
         .await?;
     if is_mountpoint.success() {
-        unmount(dst.as_ref()).await?;
+        unmount(dst.as_ref(), true).await?;
     }
     tokio::fs::create_dir_all(&src).await?;
     tokio::fs::create_dir_all(&dst).await?;
@@ -41,11 +41,14 @@ pub async fn bind<P0: AsRef<Path>, P1: AsRef<Path>>(
 }
 
 #[instrument(skip_all)]
-pub async fn unmount<P: AsRef<Path>>(mountpoint: P) -> Result<(), Error> {
+pub async fn unmount<P: AsRef<Path>>(mountpoint: P, lazy: bool) -> Result<(), Error> {
     tracing::debug!("Unmounting {}.", mountpoint.as_ref().display());
-    tokio::process::Command::new("umount")
-        .arg("-Rl")
-        .arg(mountpoint.as_ref())
+    let mut cmd = tokio::process::Command::new("umount");
+    cmd.arg("-R");
+    if lazy {
+        cmd.arg("-l");
+    }
+    cmd.arg(mountpoint.as_ref())
         .invoke(crate::ErrorKind::Filesystem)
         .await?;
     Ok(())
diff --git a/core/startos/src/init.rs b/core/startos/src/init.rs
index 7b944ebe3..e6b7be598 100644
--- a/core/startos/src/init.rs
+++ b/core/startos/src/init.rs
@@ -65,7 +65,7 @@ pub async fn init_postgres(datadir: impl AsRef<Path>) -> Result<(), Error> {
         .await?
         .success()
     {
-        unmount("/var/lib/postgresql").await?;
+        unmount("/var/lib/postgresql", true).await?;
     }
     let exists = tokio::fs::metadata(&db_dir).await.is_ok();
     if !exists {
diff --git a/core/startos/src/lxc/mod.rs b/core/startos/src/lxc/mod.rs
index 99f019d5a..8b8cab9a0 100644
--- a/core/startos/src/lxc/mod.rs
+++ b/core/startos/src/lxc/mod.rs
@@ -123,7 +123,11 @@ impl LxcManager {
             if !expected.contains(&ContainerId::try_from(container)?) {
                 let rootfs_path = Path::new(LXC_CONTAINER_DIR).join(container).join("rootfs");
                 if tokio::fs::metadata(&rootfs_path).await.is_ok() {
-                    unmount(Path::new(LXC_CONTAINER_DIR).join(container).join("rootfs")).await?;
+                    unmount(
+                        Path::new(LXC_CONTAINER_DIR).join(container).join("rootfs"),
+                        true,
+                    )
+                    .await?;
                     if tokio_stream::wrappers::ReadDirStream::new(
                         tokio::fs::read_dir(&rootfs_path).await?,
                     )