diff --git a/backupbot.py b/backupbot.py
index 9932dde..f3bb38e 100755
--- a/backupbot.py
+++ b/backupbot.py
@@ -50,6 +50,41 @@ def export_secrets():
with open(os.environ[env]) as file:
os.environ[env.removesuffix('_FILE')] = file.read()
+@cli.command(help='Attach all secrets to the backupbot container, this can result in a container restart')
+def attach_secrets():
+ client = docker.from_env()
+ services = client.services.list()
+ apps = []
+ secrets = []
+ secret_ids = []
+ # Get all Apps that aktivate backups
+ for s in services:
+ labels = s.attrs['Spec']['Labels']
+ if (backup := labels.get('backupbot.backup')) and bool(backup):
+ apps.append(labels['com.docker.stack.namespace'])
+ # Get all Secrets for these Apps
+ for s in services:
+ labels = s.attrs['Spec']['Labels']
+ if labels['com.docker.stack.namespace'] in apps:
+ if app_secs:= s.attrs['Spec']['TaskTemplate']['ContainerSpec'].get('Secrets'):
+ for sec in app_secs:
+ if sec['SecretID'] not in secret_ids:
+ # Move Secret Targets to SecretName to avoid conflicts
+ secret_ids.append(sec['SecretID'])
+ sec['File']['Name'] = sec['SecretName']
+ secrets.append(sec)
+ backupbot_service = client.services.get(os.environ['STACK_NAME']+"_app")
+ # Append the backupbot secrets
+ backupbot_secrets = backupbot_service.attrs['Spec']['TaskTemplate']['ContainerSpec']['Secrets']
+ for sec in backupbot_secrets:
+ if os.environ['STACK_NAME'] in sec['SecretName']:
+ secrets.append(sec)
+ new_sec_ids = set(map(lambda s: s['SecretID'], secrets))
+ old_sec_ids = set(map(lambda s: s['SecretID'], backupbot_secrets))
+ if new_sec_ids.difference(old_sec_ids):
+ logging.warning("Backupbot will restart to update the secrets")
+ backupbot_service.update(secrets=secrets)
+
@cli.command()
def create():
pre_commands, post_commands, backup_paths, apps = get_backup_cmds()
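Review bot: The opt-in test `if (backup := labels.get('backupbot.backup')) and bool(backup):` is true for any non-empty label value, because `bool()` on a string does not parse it. A stack labelled `backupbot.backup=false` therefore still gets all of its secrets attached to the backupbot container. An explicit comparison such as `if labels.get('backupbot.backup', '').lower() == 'true':` limits the mounted secrets to stacks that really opted in; the accepted values should match whatever the rest of the file treats as enabled, which is not visible here. The second loop indexes `labels['com.docker.stack.namespace']` directly and raises KeyError for a service that was not deployed through a stack; `labels.get('com.docker.stack.namespace') in apps` avoids that. The restart check `new_sec_ids.difference(old_sec_ids)` only notices additions, so secrets of an app that is no longer backed up stay mounted, whereas `if new_sec_ids != old_sec_ids:` would also detach them.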
@@ -78,8 +113,12 @@ def get_backup_cmds():
pre_commands[container] = prehook
if posthook:= labels.get('backupbot.backup.post-hook'):
post_commands[container] = posthook
+ # Backup volumes
backup_paths = backup_paths.union(
Path(VOLUME_PATH).glob(f"{stack_name}_*"))
+ # Backup secrets
+ backup_paths = backup_paths.union(
+ Path('/var/run/secrets').glob(f"{stack_name}_*"))
return pre_commands, post_commands, list(backup_paths), list(backup_apps)
def run_commands(commands):
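Review bot: The `# Backup secrets` block puts every matching file under `/var/run/secrets` into the snapshot, and the comment does not say what that means for the repository. Anyone who can read the restic repository and knows its password can now read the apps' secret values, and a rotated secret stays in older snapshots until they are pruned. I would say so in the comment, e.g. `# Backup secrets: values are stored in the snapshot, so repository access equals access to these secrets`, and consider a per-app label to opt out. The path is a string literal while the volume glob uses `VOLUME_PATH`; a module constant such as `SECRET_PATH = '/var/run/secrets'` would keep the two consistent. `get_backup_cmds` starts above this hunk, so how `stack_name` is derived is not visible.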
@@ -145,6 +184,7 @@ def list_files(snapshot, path):
@click.option('snapshot', '--snapshot', '-s', envvar='SNAPSHOT', default='latest')
@click.option('path', '--path', '-p', envvar='INCLUDE_PATH')
def download(snapshot, path):
+ path = path.removesuffix('/')
files = list_files(snapshot, path)
filetype = [f.get('type') for f in files if f.get('path') == path][0]
cmd = restic.cat.base_command() + ['dump', snapshot, path]
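Review bot: `path = path.removesuffix('/')` runs before anything checks that `path` was supplied. The `--path` option declared just above has no default and is not marked required, so `download` without `--path` or `INCLUDE_PATH` now fails with an AttributeError on None. Declaring the option with `required=True`, or guarding with `if not path: raise click.UsageError('--path is required')`, gives the operator a usable message. A path of `/` also becomes the empty string and only one trailing slash is removed; `path = path.rstrip('/') or '/'` handles both. The function body continues below the hunk.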
diff --git a/entrypoint.sh b/entrypoint.sh
index f768e7b..b5be1cf 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -5,13 +5,15 @@ set -e -o pipefail
apk add --upgrade --no-cache \
restic=0.15.2-r3 \
bash=5.2.15-r5 \
- restic=0.15.2-r2 \
python3=3.11.5-r0 \
py3-pip=23.1.2-r0
# Todo use requirements file with specific versions
pip install click==8.1.7 docker==6.1.3 resticpy==1.0.2
+# Attach secrets to backupbot
+backup attach-secrets
+
if [ -n "$SSH_HOST_KEY" ]
then
echo "$SSH_HOST_KEY" > /root/.ssh/known_hosts
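Review bot: `backup attach-secrets` runs unconditionally under `set -e -o pipefail`, so any failure inside it stops the entrypoint before `known_hosts` is written. Such failures include an unset `STACK_NAME`, an unreachable Docker socket or a service lacking the expected labels, and the orchestrator will most likely restart the container in a loop with only a Python traceback in the log. Making the failure explicit, e.g. `backup attach-secrets || { echo "attach-secrets failed, see traceback above" >&2; exit 1; }`, tells the operator which step broke. When the command does update the service, the container is replaced and this script, including the `apk add` and `pip install` steps above, runs again from the top; a comment such as `# May trigger one restart of this container when new app secrets are attached` would document that. The call also appears to need write access to the swarm API rather than read-only listing, which is worth recording in the deployment docs if a restricted socket proxy is in use.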