diff --git a/docs/source/secrets-guidelines.md b/docs/source/secrets-guidelines.md
index c19ff5fea..972b77c37 100644
--- a/docs/source/secrets-guidelines.md
+++ b/docs/source/secrets-guidelines.md
@@ -12,7 +12,7 @@ Airshipctl uses kustomize along with different krm-functions that extend its fun
 Replacement krm-function that is needed to avoid duplication of data in documents
 Templater krm-function that is needed to produce new yaml documents based on the provided parameters.
 There is a standard catalog of [krm-functions](https://github.com/GoogleContainerTools/kpt-functions-catalog).
-It includes the standard krm-function: `gcr.io/kpt-functions/sops` that can be used to perform decryption and encryption right in kustomize. Please refer to the example configurations that can be used to encrypt and decrypt the set of [existing yamls](https://github.com/GoogleContainerTools/kpt-functions-catalog/blob/master/examples/sops/local-configs/function.yaml).
+It includes the standard krm-function: `gcr.io/kpt-fn-contrib/sops` that can be used to perform decryption and encryption right in kustomize. Please refer to the example configurations that can be used to encrypt and decrypt the set of [existing yamls](https://github.com/GoogleContainerTools/kpt-functions-catalog/blob/master/examples/contrib/sops/function.yaml).
 
 Please note that to make that krm-function work it’s necessary to provide the following ENV variables:
 
@@ -57,9 +57,11 @@ In order to implement all that functionality it was necessary to introduce a new
 
 Krm-functions accept a set of yamls and config as input and return a modified set of yamls.
 GenericContainer executor may just output it to stdout. Or it may store it as `kpt fn sink` does.
-In particular we’re using the second option to store our generated and encrypted yamls to the specific place from which other manifests will take [that file](manifests/site/test-site/target/generator/results/generated/secrets.yaml).
+In particular we’re using the second option to store our generated and encrypted yamls to the specific place from which other manifests will take [that file](manifests/site/test-site/target/encrypted/results/generated/secrets.yaml).
 
-As it’s possible to see [generator kustomization](manifests/site/test-site/target/generator/results/kustomization.yaml) performs decryption using sops krm-function.
+There is a way to provide external secrets, that shouldn't be generated. That secrets must be stored in encrypted way in [another file](manifests/site/test-site/target/encrypted/results/imported/secrets.yaml).
+
+As it’s possible to see [encrypted kustomization](manifests/site/test-site/target/encrypted/results/kustomization.yaml) performs decryption using sops krm-function.
 
 # Step-by-step Operator instructions
 
@@ -130,7 +132,7 @@ We hope that it won’t be necessary to do these actions manually, because airsh
 sops <file name>
 ```
 
-This will decrypt the file and will open it in the editor. It will be possible to perform needed modifications. Once finished just close the editor and sops will encrypt the modified document and put it back. This may be a really-really useful command for some users and very simple at the same time.
+This will decrypt the file and will open it in the editor. It will be possible to perform needed modifications. Once finished just close the editor and sops will encrypt the modified document and put it back. This may be a really-really useful command for some users and very simple at the same time. This approach may be used in order to modify [imported secrets](manifests/site/test-site/target/encrypted/results/imported/secrets.yaml).
 
 ## Generation/Regeneration and encryption of secrets in manifests
 
@@ -167,8 +169,6 @@ This config file defines the following structure of VariableCatalogue:
     labels:
       airshipit.org/deploy-k8s: "false"
     name: generated-secrets
-    annotations:
-      config.kubernetes.io/path: secrets.yaml
   ephemeralClusterCa:...
   ephemeralKubeconfig:..
   targetClusterCa:...
@@ -180,6 +180,8 @@ Please pay attention to the annotation `config.kubernetes.io/path` - it defines
 
 When this template is executed it generates keys/certs/passwords and renders them as a Variable catalog with the name `generated-secrets`.
 
+Please pay attention that the special annotation `config.kubernetes.io/path` is getting added in the fileplacement transformer - it defines the name of the file where this document will be stored by phase. It’s possible to define several VariableCatalogues with unique names of files (it even may contain directories).
+
 Now if we refer back to the Phase descritption we’ll see that it’s type is GenericContainer with the name `encrypter`.
 
 The definition of that executor is the following:
@@ -192,7 +194,7 @@ metadata:
   labels:
     airshipit.org/deploy-k8s: "false"
 spec:
-  sinkOutputDir: "target/generator/results/generated"
+  sinkOutputDir: "target/generator/results"
   image: gcr.io/kpt-fn-contrib/sops:v0.1.0
   envVars:
   - SOPS_IMPORT_PGP
@@ -205,28 +207,29 @@ config: |
     unencrypted-regex: '^(kind|apiVersion|group|metadata)$'
 ```
 
-Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-contrib/sops:v0.1.0` with configuration from `config` field and stores the result to the directory `target/generator/results/generated` based on the filenames/hierarchy defined by annotation `config.kubernetes.io/path`. Sops krm-function in its turn encrypts documents and that means that `target/generator/results/generated` will contain encrypted yamls. To make that work the user will need just to specify 2 environment variables:
+Basically this executor accepts the bundle, runs krm-function `gcr.io/kpt-fn-contrib/sops:v0.1.0` with configuration from `config` field and stores the result to the directory `target/generator/results` based on the filenames/hierarchy defined by annotation `config.kubernetes.io/path`. Sops krm-function in its turn encrypts documents and that means that `target/generator/results/` will contain encrypted yamls. To make that work the user will need just to specify 2 environment variables:
 
 - `SOPS_IMPORT_PGP`
 - `SOPS_PGP_FP`
 
-Possible option how to encrypt `externally provided secrets`
-First of all - it’s possible to make as many phases as needed, each phase will cover its separate procedure, e.g.: change of LDAP credentials, update some external passwords.
+Possible option how to encrypt `externally provided secrets`:
+This feature is already in place - it's possible to update improted secrtets manually.
+Futher possible improvements are to make as many phases as needed, each phase will cover its separate procedure, e.g.: change of LDAP credentials, update some external passwords.
 The only limitation is that each procedure has to have it’s own VariableCatalogues - that just allows not to decrypte/re-encrypt values from all VariableCatalogues.
 
-For `Externally provided secrets` we should use some unencrypted VariableCatalogue as a resource instead of templater. The encryption executor configuration will look the same.
+We should use some unencrypted VariableCatalogue as a resource and be able to encrypt that and put to imported secrets.
 
 Moreover, it’s possible to combine several secret sources in 1 phase, e.g. if we need to encrypt generated and externally provided secrets, just create another directory with kustomization, and put there different resources:
 
 1. Local files with `externally provided secrets` in form of unencrypted variable catalogues
-2. Directory `target/generator`.
+2. Directory `target/encrypted`.
 
 Update phase’s documentEntryPoint with the new path to the created directory. Now when you run the phase - all these files along with newly generated secrets will be encrypted.
 
 ## Decryption of secrets and using them
 
 The current implementation of manifests doesn’t require explicit decryption of files. All secrets are decrypted on the spot. Here are the details of how it was achieved:
-All encrypted documents are listed in the [following kustomization file](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/target/generator/results/kustomization.yaml).
+All encrypted documents are listed in the [following kustomization file](https://github.com/airshipit/airshipctl/blob/master/manifests/site/test-site/target/encrypted/results/kustomization.yaml).
 This kustomization file performs decryption by invoking `decrypt-secrets` transformer, that is just a sops krm-function configuration that decrypts all encrypted documents.
 Note: we made a special kustomization for decrypt-secrets configuration just to be able to modify it a bit depending on the environment variable `TOLERATE_DECRYPTION_FAILURES` value. If it’s true we’re adding parameter `cmd-tolerate-failures: true` to sops configuration.
 
diff --git a/manifests/function/generate-secrets-example/README.md b/manifests/function/generate-secrets-example/README.md
index 3ed97bf27..75d10d2c8 100644
--- a/manifests/function/generate-secrets-example/README.md
+++ b/manifests/function/generate-secrets-example/README.md
@@ -14,7 +14,7 @@ mark it with `deploy-k8s: true` annotation.
 Make a copy of this folder to the appropraite site for which secrets has to
 be generated and then edit the [secret-generation.yaml](secret-generation.yaml)
 with the required secret generation details.
-For example refer to [generator](../../site/test-site/target/generator/) folder.
+For example refer to [generator](../../site/test-site/target/encrypted/) folder.
 
 Once the secret definitions are in place in the site manifests, we can
 add a new phase to generate secrets pointing to the folder in site manifests.
@@ -30,7 +30,7 @@ config:
     apiVersion: airshipit.org/v1alpha1
     kind: GenericContainer
     name: encrypter
-  documentEntryPoint: target/generator
+  documentEntryPoint: target/encrypted
 ```
 
 The executorRef is of `kind: GenericContainer` and should also have the
@@ -44,7 +44,7 @@ metadata:
   name: encrypter
   labels:
     airshipit.org/deploy-k8s: "false"
-kustomizeSinkOutputDir: "target/generator/results/generated"
+kustomizeSinkOutputDir: "target/encrypted/results/generated"
 spec:
   container:
     image: gcr.io/kpt-fn-contrib/sops:v0.1.0
@@ -98,7 +98,7 @@ metadata:
   name: encrypter
   labels:
     airshipit.org/deploy-k8s: "false"
-kustomizeSinkOutputDir: "target/generator/results/generated"
+kustomizeSinkOutputDir: "target/encrypted/results/generated"
 spec:
   container:
     image: quay.io/airshipit/templater:v2
@@ -109,7 +109,7 @@ config: |
 ## Decrypt to read the secrets
 
 To decrypt the secrets for readability purposes run the kustomize build
-command on the generated secrets folder with the [kustomization.yaml](../../site/test-site/target/generator/results/kustomization.yaml) and [decrypt-secrets.yaml](../../site/test-site/target/generator/results/decrypt-secrets.yaml)
+command on the generated secrets folder with the [kustomization.yaml](../../site/test-site/target/encrypted/results/kustomization.yaml) and [decrypt-secrets.yaml](../../site/test-site/target/encrypted/results/decrypt-secrets.yaml)
 files in place in the same folder.
 
 Kustomize command to decrypt:
diff --git a/manifests/function/hardwareprofile-example/cleanup/kustomization.yaml b/manifests/function/hardwareprofile-example/cleanup/kustomization.yaml
deleted file mode 100644
index d3b152c8f..000000000
--- a/manifests/function/hardwareprofile-example/cleanup/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- smp.yaml
diff --git a/manifests/function/hardwareprofile-example/cleanup/smp.yaml b/manifests/function/hardwareprofile-example/cleanup/smp.yaml
deleted file mode 100644
index f013b823e..000000000
--- a/manifests/function/hardwareprofile-example/cleanup/smp.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: builtin
-kind: PatchStrategicMergeTransformer
-metadata:
-  name: smp-hwparofile
-patches: |-
-  ---
-  apiVersion: airshipit.org/v1alpha1
-  kind: VariableCatalogue
-  metadata:
-    name: hardwareprofile-example
-  $patch: delete
diff --git a/manifests/function/hostgenerator-m3/cleanup/kustomization.yaml b/manifests/function/hostgenerator-m3/cleanup/kustomization.yaml
deleted file mode 100644
index d3b152c8f..000000000
--- a/manifests/function/hostgenerator-m3/cleanup/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- smp.yaml
diff --git a/manifests/phases/executors.yaml b/manifests/phases/executors.yaml
index 23f9ec8f6..3eb54f16b 100644
--- a/manifests/phases/executors.yaml
+++ b/manifests/phases/executors.yaml
@@ -55,7 +55,7 @@ metadata:
     airshipit.org/deploy-k8s: "false"
 spec:
   type: krm
-  sinkOutputDir: "target/generator/results/generated"
+  sinkOutputDir: "target/encrypted/results"
   image: gcr.io/kpt-fn-contrib/sops:v0.1.0
   envVars:
     - SOPS_IMPORT_PGP
diff --git a/manifests/phases/phases.yaml b/manifests/phases/phases.yaml
index e3a5410e8..e2c4dfda5 100644
--- a/manifests/phases/phases.yaml
+++ b/manifests/phases/phases.yaml
@@ -224,7 +224,7 @@ config:
     apiVersion: airshipit.org/v1alpha1
     kind: GenericContainer
     name: encrypter
-  documentEntryPoint: target/generator
+  documentEntryPoint: target/encrypted/generator
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
@@ -235,7 +235,7 @@ config:
     apiVersion: airshipit.org/v1alpha1
     kind: GenericContainer
     name: decrypter
-  documentEntryPoint: target/generator/results
+  documentEntryPoint: target/encrypted/results
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
@@ -246,7 +246,7 @@ config:
     apiVersion: airshipit.org/v1alpha1
     kind: GenericContainer
     name: encrypter
-  documentEntryPoint: target/generator/results
+  documentEntryPoint: target/encrypted/results
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
diff --git a/manifests/site/test-site/target/catalogues/kustomization.yaml b/manifests/site/test-site/target/catalogues/kustomization.yaml
index 0b2a0b430..27804446d 100644
--- a/manifests/site/test-site/target/catalogues/kustomization.yaml
+++ b/manifests/site/test-site/target/catalogues/kustomization.yaml
@@ -4,7 +4,7 @@ kind: Kustomization
 resources:
   - ../../../../type/gating/shared/catalogues
   - hosts.yaml
-  - ../generator/results
+  - ../encrypted/results
 
 patchesStrategicMerge:
   - versions-airshipctl.yaml
diff --git a/manifests/site/test-site/target/generator/README.md b/manifests/site/test-site/target/encrypted/README.md
similarity index 100%
rename from manifests/site/test-site/target/generator/README.md
rename to manifests/site/test-site/target/encrypted/README.md
diff --git a/manifests/site/test-site/target/generator/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/kustomization.yaml
similarity index 100%
rename from manifests/site/test-site/target/generator/kustomization.yaml
rename to manifests/site/test-site/target/encrypted/generator/kustomization.yaml
diff --git a/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
new file mode 100644
index 000000000..49f9e642c
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/generator/overridegeneration/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- ../../../../../../type/gating/target/generator/
diff --git a/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml b/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
new file mode 100644
index 000000000..171142bb9
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/generator/overrideplacement/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - ../../../../../../type/gating/target/generator/fileplacement
diff --git a/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml b/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
new file mode 100644
index 000000000..8991cff06
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/importer/overrideplacement/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - ../../../../../../type/gating/target/importer/fileplacement
diff --git a/manifests/site/test-site/target/generator/results/decrypt-secrets/configurable-decryption.yaml b/manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml
similarity index 100%
rename from manifests/site/test-site/target/generator/results/decrypt-secrets/configurable-decryption.yaml
rename to manifests/site/test-site/target/encrypted/results/decrypt-secrets/configurable-decryption.yaml
diff --git a/manifests/site/test-site/target/generator/results/decrypt-secrets/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml
similarity index 100%
rename from manifests/site/test-site/target/generator/results/decrypt-secrets/kustomization.yaml
rename to manifests/site/test-site/target/encrypted/results/decrypt-secrets/kustomization.yaml
diff --git a/manifests/site/test-site/target/generator/results/generated/secrets.yaml b/manifests/site/test-site/target/encrypted/results/generated/secrets.yaml
similarity index 100%
rename from manifests/site/test-site/target/generator/results/generated/secrets.yaml
rename to manifests/site/test-site/target/encrypted/results/generated/secrets.yaml
diff --git a/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml b/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
new file mode 100644
index 000000000..a85210904
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
@@ -0,0 +1,33 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+    labels:
+        airshipit.org/deploy-k8s: "false"
+    name: imported-secrets
+dummySecrets: ENC[AES256_GCM,data:wksRVJ1SVPJ8wIcnVA00,iv:wt6FmbfFh+31g/pBcTTlerrwHoUoF8Hv3Cw9q//bSWs=,tag:PTidwzah8PiqAtGnYSa1+w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-04-14T16:28:51Z"
+    mac: ENC[AES256_GCM,data:sHiCLqMg7TU4eXgThM5q+0Jq67uWoDunk1AbTqXOCKUA9gBHtKflgfgxLvhz8am7pOGf/i8UikFJx5Gb/TiAyf4GGKsfFbKDXc+JwnMYbKoibRJ1cxfRKgcwXdCohcb1g4bSiX2iHmEaVKHlF5ydvfn1OMWR5hQpavSgrb8JemA=,iv:3fg3EgYQjaLCluTL9Yu1axyucAOWwH0SREQMyvMeuak=,tag:lhA5n06vB2adYiv+cGskuA==,type:str]
+    pgp:
+        - created_at: "2021-04-14T16:28:50Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAXrMxHATnkcDVixx+LpHMRFZeEnJsnKhFMkYIC+fhtpJD
+            V73hTSSBhbFTlko81oBohS151qNrS1qtVbOhS5anlTOrgZnZ2Fmwt7YIxc68xbhO
+            1fX8XbDAU2NmtWSdmc9sFLCrnpKakHuJfq6PMii8Cga126K7Smt62XuyFWw7r1Z+
+            gyJXgIE2c1GNZmgKhhPgcVBZuyGr6x1Ml4t6qPqMTn1af64T4co+ujI0n1n3dXie
+            p/xCPD2QrI1DSMZgvJzPf8SVUD9jh70LUGJR4fY4U1kTazs/K1JwrPLSH/rWStUA
+            +MNtXkitYzQa4KH4Zr+3rEH6pC8ezgtntT99Wkj8g9LmAcyF+naWCh0Akaui+UNJ
+            21DterDBlRsuJWUgFB54Kw+rSh7T1E4XbZzGQrb86EtCx9+gtPaRJoGYBi98wWAR
+            MORhPC2ylZX46XzMj9DTfMN44rvitTcA
+            =mdwS
+            -----END PGP MESSAGE-----
+          fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_regex: ^(kind|apiVersion|group|metadata)$
+    version: 3.7.1
diff --git a/manifests/site/test-site/target/encrypted/results/kustomization.yaml b/manifests/site/test-site/target/encrypted/results/kustomization.yaml
new file mode 100644
index 000000000..48884fbb7
--- /dev/null
+++ b/manifests/site/test-site/target/encrypted/results/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+  - generated/secrets.yaml
+  - imported/secrets.yaml
+
+transformers:
+  - decrypt-secrets
+  - ../generator/overrideplacement
+  - ../importer/overrideplacement
diff --git a/manifests/site/test-site/target/generator/overridegeneration/kustomization.yaml b/manifests/site/test-site/target/generator/overridegeneration/kustomization.yaml
deleted file mode 100644
index cda38072d..000000000
--- a/manifests/site/test-site/target/generator/overridegeneration/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- ../../../../../type/gating/target/generator/
diff --git a/manifests/site/test-site/target/generator/overrideplacement/kustomization.yaml b/manifests/site/test-site/target/generator/overrideplacement/kustomization.yaml
deleted file mode 100644
index a3a8f3560..000000000
--- a/manifests/site/test-site/target/generator/overrideplacement/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- ../../../../../type/gating/target/generator/fileplacement
diff --git a/manifests/site/test-site/target/generator/results/kustomization.yaml b/manifests/site/test-site/target/generator/results/kustomization.yaml
deleted file mode 100644
index 32adc7de9..000000000
--- a/manifests/site/test-site/target/generator/results/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-resources:
-  - generated/secrets.yaml
-
-transformers:
-  - decrypt-secrets
-  - ../overrideplacement
diff --git a/manifests/type/gating/target/generator/fileplacement/filepaths.yaml b/manifests/type/gating/target/generator/fileplacement/filepaths.yaml
index 0f9e9f633..a7719d923 100644
--- a/manifests/type/gating/target/generator/fileplacement/filepaths.yaml
+++ b/manifests/type/gating/target/generator/fileplacement/filepaths.yaml
@@ -1,11 +1,11 @@
 apiVersion: builtin
 kind: PatchTransformer
 metadata:
-  name: filnames-patch
+  name: generated-filnames-patch
 patch: |
   apiVersion: airshipit.org/v1alpha1
   kind: VariableCatalogue
   metadata:
     name: generated-secrets
     annotations:
-      config.kubernetes.io/path: secrets.yaml
+      config.kubernetes.io/path: generated/secrets.yaml
diff --git a/manifests/type/gating/target/importer/cleanup/kustomization.yaml b/manifests/type/gating/target/importer/cleanup/kustomization.yaml
new file mode 100644
index 000000000..5d28ccd4a
--- /dev/null
+++ b/manifests/type/gating/target/importer/cleanup/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- secret-cleanup.yaml
diff --git a/manifests/function/hostgenerator-m3/cleanup/smp.yaml b/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
similarity index 75%
rename from manifests/function/hostgenerator-m3/cleanup/smp.yaml
rename to manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
index 8c88971ee..7f1073b56 100644
--- a/manifests/function/hostgenerator-m3/cleanup/smp.yaml
+++ b/manifests/type/gating/target/importer/cleanup/secret-cleanup.yaml
@@ -1,11 +1,11 @@
 apiVersion: builtin
 kind: PatchStrategicMergeTransformer
 metadata:
-  name: smp-hgc
+  name: smp_cleanup_imported
 patches: |-
   ---
   apiVersion: airshipit.org/v1alpha1
   kind: VariableCatalogue
   metadata:
-    name: host-generation-catalogue
+    name: imported-secrets
   $patch: delete
diff --git a/manifests/type/gating/target/importer/fileplacement/filepaths.yaml b/manifests/type/gating/target/importer/fileplacement/filepaths.yaml
new file mode 100644
index 000000000..a89e95b10
--- /dev/null
+++ b/manifests/type/gating/target/importer/fileplacement/filepaths.yaml
@@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+  name: imported-filnames-patch
+patch: |
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: imported-secrets
+    annotations:
+      config.kubernetes.io/path: imported/secrets.yaml
diff --git a/manifests/type/gating/target/importer/fileplacement/kustomization.yaml b/manifests/type/gating/target/importer/fileplacement/kustomization.yaml
new file mode 100644
index 000000000..aecaf8276
--- /dev/null
+++ b/manifests/type/gating/target/importer/fileplacement/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- filepaths.yaml
diff --git a/tools/deployment/23_generate_secrets.sh b/tools/deployment/23_generate_secrets.sh
index 336aa3e67..6fe52f922 100755
--- a/tools/deployment/23_generate_secrets.sh
+++ b/tools/deployment/23_generate_secrets.sh
@@ -48,13 +48,13 @@ if [[ -z "${decrypted1}" ]]; then
 fi
 
 #make sure that generated file has right FP
-grep "${SOPS_PGP_FP}" "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/$SITE/target/generator/results/generated/secrets.yaml"
+grep "${SOPS_PGP_FP}" "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/$SITE/target/encrypted/results/generated/secrets.yaml"
 
 #set new FP and reencrypt
 export SOPS_PGP_FP=${SOPS_PGP_FP_REENCRYPT}
 airshipctl phase run secret-reencrypt
 #make sure that generated file has right FP
-grep "${SOPS_PGP_FP}" "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/$SITE/target/generator/results/generated/secrets.yaml"
+grep "${SOPS_PGP_FP}" "${AIRSHIP_CONFIG_MANIFEST_DIRECTORY}/$(basename ${AIRSHIP_CONFIG_PHASE_REPO_URL})/manifests/site/$SITE/target/encrypted/results/generated/secrets.yaml"
 
 #make sure that decrypted valus stay the same
 decrypted2=$(airshipctl phase run secret-show)