diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
index d799354a25..51d61cbc30 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -145,4 +145,9 @@ StandardOutput=null
 StandardError=null
 EOF
     done
+
+    # This one is done dynamically because it hard Requires a device to appear
+    # and if it's always part of the transaction, systemd will want the device
+    # to appear regardless of ConditionPathExists.
+    add_requires coreos-secex-ignition-decrypt.service ignition-diskful.target
 fi
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
index c4edac3d58..e52a29348f 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -1,3 +1,5 @@
+# This service is enabled by coreos-diskful-generator
+
 [Unit]
 Description=CoreOS Secex Ignition Config Decryptor
 ConditionPathExists=/etc/initrd-release
@@ -7,8 +9,9 @@ DefaultDependencies=false
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
-# Run after udevd and before Ignition
-After=systemd-udevd.service
+# Run after the crypt device becomes available and before Ignition
+Requires=dev-disk-by\x2did-virtio\x2dignition_crypted.device
+After=dev-disk-by\x2did-virtio\x2dignition_crypted.device
 Before=ignition-fetch-offline.service
 
 [Service]
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
index f78725fdc6..b66a0c2782 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -83,7 +83,8 @@ install() {
 
     # IBM Secure Execution. Ignition config for reencryption of / and /boot
     inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
-    install_ignition_unit "coreos-secex-ignition-decrypt.service"
+    inst_simple "$moddir/coreos-secex-ignition-decrypt.service" \
+        "$systemdsystemunitdir/coreos-secex-ignition-decrypt.service"
     inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
         "/usr/sbin/coreos-secex-ignition-decrypt"