diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0813ad3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+pwfile
+pwfile.backup.*
diff --git a/decrypt-secrets.sh b/decrypt-secrets.sh
new file mode 100755
index 0000000..7d4ab60
--- /dev/null
+++ b/decrypt-secrets.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+gpg --pinentry-mode=loopback --decrypt --output pwfile secrets.asc
+
diff --git a/encrypt-secrets.sh b/encrypt-secrets.sh
new file mode 100755
index 0000000..d78e6d2
--- /dev/null
+++ b/encrypt-secrets.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc pwfile
+
diff --git a/secrets.asc b/secrets.asc
new file mode 100644
index 0000000..deee10c
--- /dev/null
+++ b/secrets.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMI4UREx2FMqFH+0ukBfA+x8Keg6UIXpZcH7Gykbmuv1HjutEHmoC6u6ztY
+vRzCtBKp0gepiQNoqQFEdPIj27mMpP9RjLD8/X4TlsfFwZhpYGKM/GHuetxtpX+m
+Mhx/M8po3GKRgjt6W4Yz68C1/CodWjnINPhfBjCTdAh1+AzpwjzBGzByykR11sLy
+4WnQRsZ+nw2p88970NzFn0N1NF7oV/i70K9cDBt5ecwDg4s/9EpLRrwRnXmeW7iY
+zwLyUuh+FK3QOWjaoeUHqaC0dMQPtaSUHw1uo1yLsnCDdDnqHS24CIXZJu/5kpVf
+/aqpCxZ0hvjQUWcyHPykXBq1RVR8CBv6mDd9tHIdXCk/7eVVOC9SxhH7V9MPAbRu
+KIdsemUHWWC4SqmlbMvizpZnq9lsXVnbGhTiSyPb127MB+tk1GDX/LccqXTduhmp
+R1V/e/8lTM887GruW7QqOi5yAp1vcgOuZxVBRriBfaLiZ0jJqQv6T11exaRAUgv0
+g7yKgT9iO31JmhFNP//RnT75eXkMEM+iWdRNyp3FJs0jrr0F9vhSnXCcQ/Z94pYE
+m2GK8yicf5DEBNrp8b0W1EtG9D5MJpYsWSyrVCwy9e1fRrMRryy45lOmPTdrR4ba
+0rIK+k+hUsqGJrMHunA7l1Zokx/gXxhOoRrR0jzN6DKvYnT7/2HSvwsw7he/qIDa
+/xEZwXIgwbMW6jgqRWXvWvd6Xw==
+=Ohf7
+-----END PGP MESSAGE-----
diff --git a/update-config.sh b/update-config.sh
new file mode 100755
index 0000000..1cc9685
--- /dev/null
+++ b/update-config.sh
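Review bot: In decrypt-secrets.sh the plaintext `pwfile` is created with whatever permissions the caller's umask allows, so on a shared machine the decrypted credentials may end up group- or world-readable. Put `umask 077` on its own line before the gpg command. A short header comment saying that the output is plaintext credentials, and that it is kept out of the repository by the `pwfile` entry in .gitignore, would help the next maintainer.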
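Review bot: encrypt-secrets.sh protects the credentials with a passphrase only, and the resulting secrets.asc is committed in this same change, so everyone with read access to the repository holds the ciphertext and the passphrase strength is the whole defence. Consider encrypting to the maintainers' public keys (`--encrypt --recipient <KEY_ID>`, placeholder) instead of `--symmetric`. Failing that, pin the key-derivation settings rather than relying on gpg defaults, e.g. `--s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712`, and state the passphrase requirements in a comment. The shebang here is `#!/bin/bash` while decrypt-secrets.sh and update-config.sh use `#!/bin/sh`; nothing in the script needs bash.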
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -ex
+
+NAMESPACE=mosquitto
+
+SECRETS_PLAINTEXT=$(mktemp)
+gpg --pinentry-mode=loopback --decrypt --output $SECRETS_PLAINTEXT secrets.asc
+kubectl create configmap mosquitto-broker-config \
+ --from-file=mosquitto.conf=mosquitto.conf \
+ --from-file=pwfile=$SECRETS_PLAINTEXT \
+ --namespace=$NAMESPACE \
+ --dry-run=client -o yaml | kubectl apply -f - -n $NAMESPACE
+
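Review bot: In update-config.sh the decrypted password file created by `mktemp` is never removed, so every run leaves a plaintext copy of the credentials in the temp directory; add `trap 'rm -f "$SECRETS_PLAINTEXT"' EXIT` directly after the `mktemp` line. Because `mktemp` has already created the file, gpg will most likely ask before overwriting it (or refuse when run non-interactively), so the decrypt line probably needs `--yes`: `gpg --pinentry-mode=loopback --yes --decrypt --output "$SECRETS_PLAINTEXT" secrets.asc`. The password file is then loaded into a ConfigMap, which Kubernetes does not treat as confidential data. A Secret (`kubectl create secret generic`) with tighter RBAC is the better-fitting object, though switching also requires changing how the broker mounts the file, which is outside this diff. The `$SECRETS_PLAINTEXT` and `$NAMESPACE` expansions in the kubectl command should be double-quoted as well.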