diff --git a/cmd/notary-signer/main.go b/cmd/notary-signer/main.go
index 7afb00f52f..85c2d03106 100644
--- a/cmd/notary-signer/main.go
+++ b/cmd/notary-signer/main.go
@@ -2,17 +2,16 @@ package main
 import (
 "crypto/rand"
- "crypto/sha256"
 "crypto/tls"
 "database/sql"
 "errors"
 _ "expvar"
 "flag"
- "io/ioutil"
 "log"
 "net"
 "net/http"
 "os"
+ "strings"
 
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials"
@@ -30,10 +29,12 @@ import (
 )
 
 const (
- _Addr = ":4444"
- _RpcAddr = ":7899"
- _DebugAddr = "localhost:8080"
- _DBType = "mysql"
+ _Addr = ":4444"
+ _RpcAddr = ":7899"
+ _DebugAddr = "localhost:8080"
+ _DBType = "mysql"
+ _EnvPrefix = "NOTARY_SIGNER"
+ _DefaultAliasEnv = _EnvPrefix + "_DEFAULT_ALIAS"
 )
 
 var debug bool
@@ -49,13 +50,12 @@ func init() {
 }
 
 func passphraseRetriever(keyName, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error) {
- privKeyContent, err := ioutil.ReadFile(keyFile)
- if err != nil {
- return "", false, errors.New("error while reading the TLS private key")
- }
+ envVar := _EnvPrefix + "_" + strings.ToUpper(alias)
+ passphrase = os.Getenv(envVar)
 
- privKeyHash := sha256.Sum256(privKeyContent)
- passphrase = string(privKeyHash[:])
+ if passphrase == "" {
+ return "", false, errors.New("expected env variable to not be empty: " + envVar)
+ }
 
 return passphrase, false, nil
 }
@@ -107,7 +107,7 @@ func main() {
 log.Fatalf("failed to open the database: %s, %v", dbURL, err)
 }
 
- keyStore, err := trustmanager.NewKeyDBStore(passphraseRetriever, "", _DBType, dbSQL)
+ keyStore, err := trustmanager.NewKeyDBStore(passphraseRetriever, _DefaultAliasEnv, _DBType, dbSQL)
 if err != nil {
 log.Fatalf("failed to create a new keydbstore: %v", err)
 }
diff --git a/trustmanager/keydbstore_test.go b/trustmanager/keydbstore_test.go
index 785cb39a1a..40c45bcf3d 100644
--- a/trustmanager/keydbstore_test.go
+++ b/trustmanager/keydbstore_test.go
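Review bot: In the passphraseRetriever hunk the alias is folded into an environment-variable name with nothing but `strings.ToUpper`, so an alias containing `-` or any other character outside `[A-Z0-9_]` (the test file in this same commit renames `alias-1` to `alias_1`, apparently for that reason) yields a name that cannot be assigned from a POSIX shell and the retriever always fails; either reject such aliases up front with a clear error, or normalise them, e.g. `envVar := _EnvPrefix + "_" + strings.ToUpper(strings.Replace(alias, "-", "_", -1))`, accepting that `a-b` and `a_b` then collide, and document the constraint on the function. The `_DefaultAliasEnv` constant introduced in the const hunk is passed as the default alias in the `main()` hunk, so if NewKeyDBStore hands it back unchanged as `alias` (its body is outside this diff) the default key's lookup becomes `NOTARY_SIGNER_NOTARY_SIGNER_DEFAULT_ALIAS`, which looks like a doubled prefix rather than the intended name. An unset variable will not appear on a retry, so the failure branch should signal `giveup = true`: `return "", true, errors.New("expected env variable to not be empty: " + envVar)`; `createNew` and `attempts` are now unused and could be named `_`. Since the passphrase now lives in the signer's process environment, which is inherited by every child process and readable by any process running as the same user, the deployment documentation should state that; the error message correctly reports only the variable name, not its value.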
@@ -13,15 +13,15 @@ import (
 )
 
 var retriever = func(string, string, bool, int) (string, bool, error) {
- return "passphrase-1", false, nil
+ return "passphrase_1", false, nil
 }
 
 var anotherRetriever = func(keyName, alias string, createNew bool, attempts int) (string, bool, error) {
 switch alias {
- case "alias-1":
- return "passphrase-1", false, nil
- case "alias-2":
- return "passphrase-2", false, nil
+ case "alias_1":
+ return "passphrase_1", false, nil
+ case "alias_2":
+ return "passphrase_2", false, nil
 }
 return "", false, errors.New("password alias no found")
 }
@@ -142,7 +142,7 @@ func TestKeyRotation(t *testing.T) {
 assert.NoError(t, err)
 
 // Create a new KeyDB store
- dbStore, err := NewKeyDBStore(anotherRetriever, "alias-1", "sqlite3", db)
+ dbStore, err := NewKeyDBStore(anotherRetriever, "alias_1", "sqlite3", db)
 assert.NoError(t, err)
 
 // Ensure that the private_key table exists
@@ -153,10 +153,10 @@ func TestKeyRotation(t *testing.T) {
 assert.NoError(t, err)
 
 // Try rotating the key to alias-2
- err = dbStore.RotateKeyPassphrase(testKey.ID(), "alias-2")
+ err = dbStore.RotateKeyPassphrase(testKey.ID(), "alias_2")
 assert.NoError(t, err)
 
 // Try rotating the key to alias-3
- err = dbStore.RotateKeyPassphrase(testKey.ID(), "alias-3")
+ err = dbStore.RotateKeyPassphrase(testKey.ID(), "alias_3")
 assert.Error(t, err, "password alias no found")
 }
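Review bot: The renamed aliases and passphrases (`alias_1`, `passphrase_1`) encode an unstated constraint — the signer's retriever in the same commit derives the environment-variable name `NOTARY_SIGNER_<ALIAS>` from the alias, so hyphens stop being usable — but nothing in this file records the reason, and `retriever`/`anotherRetriever` never consult the environment, so the test would pass unchanged with the old names. A comment above `anotherRetriever` such as `// Aliases use underscores: notary-signer maps an alias to the env var NOTARY_SIGNER_<ALIAS>, so they must be valid env-var names.` would keep the next maintainer from reverting to hyphens.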
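Review bot: In the last hunk the changed line `assert.Error(t, err, "password alias no found")` passes the expected error text as the assertion's failure message rather than as something that is checked, so a rotation that fails for any other reason still satisfies the test. If the intent is to pin the retriever's error, `assert.EqualError(t, err, "password alias no found")` does that; the stale comments `// Try rotating the key to alias-2` and `// Try rotating the key to alias-3` should also be updated to the underscore names. The enclosing TestKeyRotation starts outside the hunk.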