diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e321837
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+deployment/transfer-key.conf
diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl
index bde5249..a8c5a12 100644
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@@ -25,8 +25,9 @@ spec:
 volumeMounts:
 - name: bind-zones
 mountPath: /etc/named/zones
- - name: bind-keys
+ - name: transfer-key-secret
 mountPath: /etc/named/keys
+ readOnly: true
 resources:
 requests:
 memory: "128Mi"
@@ -48,9 +49,9 @@ spec:
 - name: bind-zones
 persistentVolumeClaim:
 claimName: bind-hidden-primary-zones
- - name: bind-keys
- persistentVolumeClaim:
- claimName: bind-hidden-primary-keys
+ - name: transfer-key-secret
+ secret:
+ secretName: transfer-key
 ---
 apiVersion: v1
 kind: Service
@@ -81,19 +82,6 @@ spec:
 - ReadWriteOnce
 resources:
 requests:
- storage: 100Mi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: bind-hidden-primary-keys
- labels:
- app: bind-hidden-primary
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 100Mi
+ storage: 1Gi
diff --git a/deployment/deploy.sh b/deployment/deploy.sh
index 20d39ce..2fbdb00 100755
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@@ -12,11 +12,23 @@ DEPLOYMENT_DIR=$PWD/deployment pushd $DEPLOYMENT_DIR > /dev/null +if [ ! -f transfer-key.conf ]; then + gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output transfer-key.conf transfer-key.conf.asc +fi + kubectl create namespace $NAMESPACE \ --dry-run=client \ -o yaml | \ kubectl -f - apply +# Create secret for transfer-key +kubectl create secret generic transfer-key \ + --from-file=transfer-key.conf=transfer-key.conf \ + --namespace=$NAMESPACE \ + --dry-run=client \ + -o yaml | \ + kubectl apply -f - + cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \ sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
diff --git a/start.sh b/start.sh
index 88bb5b5..42b2050 100755
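Review bot: The `transfer-key-secret` volume added in the second deploy-yml.tmpl hunk sets no `defaultMode`, so the mounted `transfer-key.conf` gets the Kubernetes default of 0644 and is readable by every user in the container. Adding `defaultMode: 0440` under `secret:` would narrow that. If named runs as a non-root user, a matching `fsGroup` in the pod `securityContext` is needed so it can still read the file; the pod spec starts above the hunk, so confirm what is set there.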
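Review bot: Dropping the `bind-hidden-primary-keys` claim from the template in the third deploy-yml.tmpl hunk does not remove it from a cluster where it was already applied. Assuming the template is applied with a plain `kubectl apply` (the end of that pipeline is outside the visible lines), the old PVC and its volume stay behind, and per the `cp` line removed from start.sh that volume holds a copy of `transfer-key.conf`. The rollout should include a one-off `kubectl delete pvc bind-hidden-primary-keys --namespace=$NAMESPACE` after the new pod is running, and the description should say so.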
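Review bot: The added gpg call in deploy.sh passes the passphrase as `--passphrase $GPG_PASSPHRASE`, which puts it in the process argument list where other users on the build host can read it, and the unquoted expansion breaks on a passphrase containing spaces or glob characters. Feeding it on stdin with `--passphrase-fd 0` avoids both; GnuPG 2.1 and later usually also need `--pinentry-mode loopback` for a batch passphrase to be accepted. The decrypted `transfer-key.conf` is left in the deployment directory after the run, so on a shared or persistent runner it should be removed once the secret has been applied (the `.gitignore` entry only keeps it out of commits). Whether a failed decrypt aborts the script depends on a `set -e` that would sit above this hunk.

```shell
if [ ! -f transfer-key.conf ]; then
    # Passphrase is fed on stdin so it never shows up in the process list.
    printf '%s' "$GPG_PASSPHRASE" | gpg --decrypt --batch --yes \
        --pinentry-mode loopback --passphrase-fd 0 \
        --homedir /tmp/.gnupg \
        --output transfer-key.conf transfer-key.conf.asc
fi
# … unchanged: namespace creation, secret creation, template rendering …
```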
--- a/start.sh
+++ b/start.sh
@@ -8,7 +8,6 @@ INITIALLY_INSTALLED_FLAG="/etc/named/zones/initialized"
 if [ ! -f $INITIALLY_INSTALLED_FLAG ]; then
 echo "Initialized ..."
 touch $INITIALLY_INSTALLED_FLAG
- cp /etc/named-dist/transfer-key.conf /etc/named/keys/transfer-key.conf
 cp /etc/named-dist/zones.conf /etc/named/zones/zones.conf
 cp /etc/named-dist/whiskeylimahotel.de.zone /etc/named/zones/whiskeylimahotel.de.zone
 else