diff --git a/extension/src/setup/setup.ts b/extension/src/setup/setup.ts
index 903a157..20b38fe 100644
--- a/extension/src/setup/setup.ts
+++ b/extension/src/setup/setup.ts
@@ -769,6 +769,12 @@ function attachStep3New(): void {
       const encryptedManifest = w.manifest_encrypt(handle, manifestJson);
       log('manifest encrypted', { bytes: encryptedManifest.length });
 
+      stage = 'encrypt default settings';
+      log(stage);
+      const settingsJson = w.default_vault_settings_json();
+      const encryptedSettings = w.settings_encrypt(handle, settingsJson);
+      log('settings encrypted', { bytes: encryptedSettings.length });
+
       stage = 'push vault files';
       log(stage);
       const hostUrl = state.hostType === 'github' ? 'https://api.github.com' : state.hostUrl;
@@ -788,6 +794,13 @@ function attachStep3New(): void {
         'init: encrypted manifest',
       );
 
+      log('write settings.enc');
+      await host.writeFileCreateOnly(
+        'settings.enc',
+        new Uint8Array(encryptedSettings),
+        'init: encrypted settings',
+      );
+
       stage = 'release handle';
       w.lock(handle);
 
diff --git a/extension/src/wasm.d.ts b/extension/src/wasm.d.ts
index 513298a..2281bc7 100644
--- a/extension/src/wasm.d.ts
+++ b/extension/src/wasm.d.ts
@@ -40,6 +40,7 @@ declare module 'relicario-wasm' {
   export function item_encrypt(handle: SessionHandle, item_json: string): Uint8Array;
   export function settings_decrypt(handle: SessionHandle, encrypted: Uint8Array): unknown;
   export function settings_encrypt(handle: SessionHandle, settings_json: string): Uint8Array;
+  export function default_vault_settings_json(): string;
 
   export function attachment_encrypt(
     handle: SessionHandle,