diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f97b721
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.gpg diff=gpg
diff --git a/.gitignore b/.gitignore
index 69f48e5..0b535ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.ign
+frigate.env
diff --git a/Makefile b/Makefile
index a6c7693..9fdba50 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,9 @@ endef
 
 $(foreach t,$(wildcard *.yaml),$(eval $(call genrules,$(t))))
 
+%.env: %.env.gpg
+	gpg2 --decrypt $< > $@
+
 publish: \
 		nvr1.ign
 	rsync -rti $^ files.pyrocufflink.blue:public_html/
diff --git a/frigate.container b/frigate.container
index 86de445..353bbce 100644
--- a/frigate.container
+++ b/frigate.container
@@ -12,6 +12,7 @@ PodmanArgs=--gidmap 0:209:1
 PodmanArgs=--uidmap 1:6000001:65536
 PodmanArgs=--gidmap 1:6000001:65536
 PodmanArgs=--shm-size 256m
+EnvironmentFile=/etc/sysconfig/frigate
 Volume=/var/lib/frigate/media:/media/frigate:rw,z
 Volume=/var/lib/frigate/tmp:/tmp:rw,z
 Volume=/var/lib/frigate/config:/config:rw,z
diff --git a/frigate.env.gpg b/frigate.env.gpg
new file mode 100644
index 0000000..ac86016
Binary files /dev/null and b/frigate.env.gpg differ
diff --git a/frigate.yaml b/frigate.yaml
index 3b8a270..937118e 100644
--- a/frigate.yaml
+++ b/frigate.yaml
@@ -15,6 +15,14 @@ storage:
     mode: 0644
     contents:
       local: frigate.tmpfiles
+  - path: /etc/sysconfig/frigate
+    mode: 0640
+    user:
+      id: 0
+    group:
+      id: 209
+    contents:
+      local: frigate.env
 
 systemd:
   units: