diff --git a/.env.sample b/.env.sample
index d811578..13b51bf 100644
--- a/.env.sample
+++ b/.env.sample
@@ -18,8 +18,6 @@ TLS_KEYPAIR_FILENAME=$WEB_DOMAIN/privatekey.key
 REDIS_ADDRESS=db
-# Set to a randomly generated 16 bytes string
-SECRET_KEY=XXXXXXXXXXXXXXXX
 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
 SUBNET=192.168.203.0/24
@@ -105,6 +103,9 @@ COMPRESSION_LEVEL=
 # IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature.
 # FULL_TEXT_SEARCH=off
+SECRET_SECRET_KEY_VERSION=v1
+
+
 ###################################
 # Web settings
 ###################################
diff --git a/compose.yml b/compose.yml
index 86119ff..349da62 100644
--- a/compose.yml
+++ b/compose.yml
@@ -34,7 +34,7 @@ x-environment:
 - REJECT_UNLISTED_RECIPIENT
 - RELAYHOST
 - RELAYNETS
- - SECRET_KEY
+ - SECRET_KEY_FILE=/run/secrets/secret_key
 - SITENAME
 - SUBNET
 - TLS_CERT_FILENAME
@@ -85,6 +85,8 @@ services:
 mode: host
 volumes:
 - "certs:/certs"
+ secrets:
+ - secret_key
 deploy:
 labels:
 - "traefik.enable=true"
@@ -105,6 +107,8 @@ services:
 environment: *default-env
 healthcheck:
 disable: true
+ secrets:
+ - secret_key
 volumes:
 - "dkim:/dkim"
 - "mailu:/data"
@@ -114,6 +118,8 @@ services:
 imap:
 image: ghcr.io/mailu/dovecot:2.0.23
 environment: *default-env
+ secrets:
+ - secret_key
 volumes:
 - "mail:/mail"
 healthcheck:
@@ -126,6 +132,8 @@ services:
 smtp:
 image: ghcr.io/mailu/postfix:2.0.23
 environment: *default-env
+ secrets:
+ - secret_key
 volumes:
 - "mailqueue:/queue"
 healthcheck:
@@ -136,6 +144,8 @@ services:
 antispam:
 image: ghcr.io/mailu/rspamd:2.0.23
 environment: *default-env
+ secrets:
+ - secret_key
 volumes:
 - "rspamd:/var/lib/rspamd"
 - "dkim:/dkim:ro"
@@ -149,6 +159,8 @@ services:
 - default
 volumes:
 - "webmail:/data"
+ secrets:
+ - secret_key
 deploy:
 replicas: 1
 healthcheck:
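Review bot: The new `SECRET_SECRET_KEY_VERSION=v1` line in the `-105,6 +103,9` hunk has no explanatory comment, while the first hunk removes the only guidance on how the secret is produced (`# Set to a randomly generated 16 bytes string`), so the sample now says nothing about where the key comes from. A comment above the new line should state that the key is read from the Docker secret named `${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}` (the name compose.yml builds), that the secret has to exist before the stack is deployed, and that rotating it means creating a new secret and bumping this version, since a swarm secret is immutable once created. Proposed: `# The secret key is read from the Docker secret ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}; create it before deploying and bump the version to rotate it.` The two empty `+` lines also leave three consecutive blank lines before the `# Web settings` banner; one is enough.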
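Review bot: `SECRET_KEY_FILE=/run/secrets/secret_key` is added to the shared `x-environment` anchor in the `-34,7 +34,7` hunk, so every service that expands `*default-env` now carries that path, but only the six services touched in the later hunks receive the matching `secrets:` entry; any other consumer of the anchor (none is visible in this diff, so this is inferred) would start with `SECRET_KEY_FILE` naming a file that is not mounted, and the compose file gives no hint of that. Either confirm that every `environment: *default-env` service also lists `secrets: [secret_key]`, or move the variable into the per-service `environment` of the services that actually mount the secret. A comment on the new line would also help the reader who knew the old variable, e.g. `# replaces SECRET_KEY; the images read the key from the mounted secret` — assuming the 2.0.23 images honour the `_FILE` suffix, which this diff does not show. The `x-environment` list itself starts outside the hunk.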
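Review bot: The `secrets:` / `- secret_key` short syntax added in the `-85,6 +85,8` hunk, and identically in the hunks at -105, -114, -126, -136 and -149, mounts the secret with Docker's defaults (owned by root, mode 0444), so every process in the container can read the key, not only the one that needs it. For services whose main process runs unprivileged or that spawn helper processes, the long syntax pins the reader and mode — `- source: secret_key`, `uid: "<service-uid>"`, `mode: 0400` — at the cost of knowing each image's runtime uid, which this diff does not show. If the default is kept deliberately, a one-line comment on the first `secrets:` block saying so would save the next reviewer the same question.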
@@ -207,3 +219,8 @@ configs:
 certdumper_post:
 name: ${STACK_NAME}_certdumper_post_${CERTDUMPER_POST_VERSION}
 file: certdumper_post.sh
+
+secrets:
+ secret_key:
+ external: true
+ name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
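Review bot: `secret_key` is declared `external: true` with a name built from `${STACK_NAME}` and `${SECRET_SECRET_KEY_VERSION}`, and neither substitution is marked as required, so an unset variable silently yields a name such as `_secret_key_` and the deploy presumably fails with a secret-not-found error rather than a message pointing at the missing setting; `${STACK_NAME:?STACK_NAME is not set}` and `${SECRET_SECRET_KEY_VERSION:?SECRET_SECRET_KEY_VERSION is not set}` would make that explicit (the `configs:` entries above follow the same unguarded pattern, outside this change). A short comment on the `secrets:` block should also document that the secret is created out of band (`docker secret create`) before `docker stack deploy`, and that rotation is done by creating a new versioned secret and bumping the version, e.g. `# created out of band; bump SECRET_SECRET_KEY_VERSION after creating a new secret to rotate`.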