diff --git a/.env.sample b/.env.sample
index d03e0cd..de9da0b 100644
--- a/.env.sample
+++ b/.env.sample
@@ -4,3 +4,5 @@ DOMAIN=filestash.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.filestash.example.com`'
 LETS_ENCRYPT_ENV=production
+
+SECRET_ADMIN_PASSWORD_VERSION=v1
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..5c54e9d
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 0992831..7586e18 100644
--- a/compose.yml
+++ b/compose.yml
@@ -6,6 +6,7 @@ services:
 - proxy
 environment:
 - APPLICATION_URL=$DOMAIN
+ - ADMIN_PASSWORD_FILE=/run/secrets/admin_password
 deploy:
 restart_policy:
 condition: on-failure
@@ -19,8 +20,26 @@ services:
 #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
 #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
 #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- - coop-cloud.${STACK_NAME}.app.version=e02267d-07d7189c
+ secrets:
+ - admin_password
+ configs:
+ - source: entrypoint_conf
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: ['/docker-entrypoint.sh']
+
+secrets:
+ admin_password:
+ external: true
+ name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+
 networks:
 proxy:
 external: true
+
+configs:
+ entrypoint_conf:
+ name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..59d418d
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+file_env() {
+ # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+ # https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+load_vars() {
+ file_env "ADMIN_PASSWORD"
+}
+
+main() {
+ set -eu
+
+ load_vars
+}
+
+main
+
+# 3wc: `source /docker-entrypoint2.sh -e` to load ADMIN_PASSWORD for CLI scripts
+if [ ! "${1-}" == "-e" ]; then
+ # 3wc: upstream ENTRYPOINT
+ # https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
+ /app/filestash
+fi
+
+set +eu
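Review bot: `/app/filestash` is started as a child of the bash wrapper rather than replacing it, so bash stays PID 1 in the container and a stop signal sent to the container reaches bash, not Filestash; `exec /app/filestash` in that branch hands the process over directly. The two `3wc` comments near the end look carried over from another recipe: they name `/docker-entrypoint2.sh` and a hedgedoc Dockerfile, while compose.yml mounts this file at `/docker-entrypoint.sh` and the script runs Filestash, so I would reword them to match. `file_env` places the secret's contents in the exported environment of the server process, and I believe Filestash expects a bcrypt hash rather than a plaintext password in `ADMIN_PASSWORD`, so a comment stating which form the `admin_password` secret must hold would avoid a silent admin lock-out; please confirm against the upstream documentation. In the `source … -e` mode the `exit 1` inside `file_env` would close the calling shell, where `return 1` would only fail the load.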