diff --git a/defaults/main.yml b/defaults/main.yml
index b0c047d..666e7c4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -63,6 +63,14 @@ droneci_db_password: secure
 droneci_db_ssl_mode: disable
+# @var droneci_db_secret:description: >
+# Drone supports aesgcm encryption of secrets stored in the database. You must enable encryption
+# before any secrets are stored in the database! You can generate an encryption key with e.g.
+# `openssl rand -hex 16`.
+# @end
+# @var droneci_db_secret: $ "_unset_"
+# @var droneci_db_secret:example: $ "0c549fd39ae397333761d2cb0c53c219"
+
 # @var droneci_scm_provider:description: SCM provider to use with Drone (gitea|github)
 droneci_scm_provider: none
diff --git a/templates/services/droneci_compose.yml.j2 b/templates/services/droneci_compose.yml.j2
index 538e38f..0c29463 100644
--- a/templates/services/droneci_compose.yml.j2
+++ b/templates/services/droneci_compose.yml.j2
@@ -48,6 +48,9 @@ services:
 - DRONE_DATADOG_ENDPOINT=dummy
 - DRONE_DATADOG_TOKEN=dummy
 - DRONE_PROMETHEUS_ANONYMOUS_ACCESS={{ droneci_prometheus_anonymous_access | bool | lower }}
+ {% if droneci_db_secret is defined %}
+ - DRONE_DATABASE_SECRET={{ droneci_db_secret }}
+ {% endif %}
 {% if droneci_db_type == "pgsql" %}
 - DRONE_DATABASE_DRIVER=postgres
 - DRONE_DATABASE_DATASOURCE=postgres://{{ droneci_db_user }}:{{ droneci_db_password }}@{{ droneci_db_server }}/{{ droneci_db_name }}?sslmode={{ droneci_db_ssl_mode }}
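Review bot: The `droneci_db_secret:example` annotation carries a realistic 32-character key, and generated role documentation tends to be copied into inventories verbatim; a key that is published in a README protects nothing. I would add a sentence to the description such as `# Do not reuse the example value; generate your own key and keep it in Ansible Vault.` It would also help to state that the variable is deliberately left undefined by default, since the compose template in this commit emits `DRONE_DATABASE_SECRET` only when the variable `is defined`.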
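Review bot: The `is defined` guard around `DRONE_DATABASE_SECRET` accepts any value, including an empty string or a key of the wrong length, so a mistake in the inventory surfaces only when Drone starts, if at all. Drone's documentation asks for a 32-byte key, which is what `openssl rand -hex 16` produces, so an `assert` task that checks `droneci_db_secret | length == 32` before templating would fail the play early. I would keep that check out of the `{% if %}` itself, so that a bad key aborts the run instead of quietly leaving encryption off. The key is also written in clear text into the rendered compose file; the task that renders this template is not part of the diff, so confirm it sets a restrictive `mode` and that the variable is supplied from Ansible Vault.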