diff --git a/.dockerignore b/.dockerignore
index bc061e7b0..286b32a67 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,39 +1,40 @@
 .dockerignore
 .DS_Store
 .git
 .eslintcache
 .vscode
 !.vscode/extensions.json
 
 node_modules
 
 landing/node_modules
 landing/dist
 
 lib/node_modules
 
 native
 !native/package.json
 !native/.flowconfig
 !native/ios/Podfile
 !native/expo-modules/comm-expo-package/package.json
 
 web/node_modules
 web/dist
 
 keyserver/dist
 keyserver/node_modules
 keyserver/facts
 keyserver/secrets
 keyserver/*.env
 keyserver/*.env.*
 
 services/tunnelbroker/Dockerfile
 services/identity/target
 services/identity/Dockerfile
+services/identity/secrets
 services/backup/Dockerfile
 services/blob/target
 services/blob/Dockerfile
 services/electron-update-server/node_modules
 
 native/cpp/**/build
diff --git a/services/identity/Dockerfile b/services/identity/Dockerfile
index 431ccf2a9..36db30d9b 100644
--- a/services/identity/Dockerfile
+++ b/services/identity/Dockerfile
@@ -1,39 +1,37 @@
-FROM rust:1.67
+FROM rust:1.67 as builder
 
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
   build-essential cmake git libgtest-dev libssl-dev zlib1g-dev \
-  && rm -rf /var/lib/apt/lists/*
+  && rm -rf /var/lib/apt/lists/* \
+  && mkdir -p /home/root/app/
+
+WORKDIR /home/root/app
 
 # Install more recent version of protobuf, must be ran as root
 COPY scripts/install_protobuf.sh ../../scripts/install_protobuf.sh
 RUN ../../scripts/install_protobuf.sh
 
-# Create a new user comm and use it to run subsequent commands
-RUN useradd -m comm
-USER comm
-
-# The build.rs script depends on rustfmt
-RUN rustup component add rustfmt
-
 RUN mkdir -p /home/comm/app/identity
 WORKDIR /home/comm/app/identity
-RUN cargo init --bin
 
-COPY services/identity/Cargo.toml services/identity/Cargo.lock ./
+COPY services/identity .
+COPY shared/protos/identity_client.proto ../../shared/protos/
 COPY shared/comm-opaque2 ../../shared/comm-opaque2
 
-# Cache build dependencies in a new layer
-RUN cargo build --release
-RUN rm src/*.rs
+RUN cargo install --locked --path .
 
-COPY services/identity .
-COPY shared/protos/identity_client.proto ../../shared/protos/
+FROM debian:bullseye-slim
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+  ca-certificates \
+  && rm -rf /var/lib/apt/lists/* \
+  && useradd -m comm
 
-# Remove the previously-built binary so that only the application itself is
-# rebuilt
-RUN rm ./target/release/deps/identity*
+WORKDIR /home/comm/app/identity
+
+COPY --from=builder /usr/local/cargo/bin/identity \
+  /usr/local/bin/identity
 
-RUN cargo build --release
-RUN target/release/identity keygen
+USER comm
 
-CMD ["./target/release/identity", "server"]
+CMD ["identity", "server"]