diff --git a/deployment/scripts/secret.generate.sh b/deployment/scripts/secret.generate.sh
new file mode 100755
index 000000000..dba958c34
--- /dev/null
+++ b/deployment/scripts/secret.generate.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# generate a secret and store it in the SECRET file.
+# Note that this overwrites the existing file
+
+# base setup
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+# configuration
+CONFIGURATION=${CONFIGURATION:-"example"}
+SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
+
+openssl rand -base64 32 > ${SECRET_FILE}
\ No newline at end of file
diff --git a/deployment/scripts/secrets.decrypt.sh b/deployment/scripts/secrets.decrypt.sh
new file mode 100755
index 000000000..283768ad0
--- /dev/null
+++ b/deployment/scripts/secrets.decrypt.sh
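Review bot: The key written by the last line, `openssl rand -base64 32 > ${SECRET_FILE}`, is created under the caller's default umask, so on most systems the SECRET file ends up world-readable; put `umask 077` before the redirect (or `chmod 600 "${SECRET_FILE}"` right after it) so only the owner can read it. The redirect also truncates the file before openssl runs and openssl's exit status is not checked, so a failing openssl leaves an empty SECRET behind; `openssl rand -base64 32 > "${SECRET_FILE}" || exit 1` at least reports that. `$0` in `SCRIPT_PATH=$(realpath $0)` and the redirect target should be quoted, since a path containing whitespace breaks both; the same unquoted expansions appear in secrets.decrypt.sh and secrets.encrypt.sh.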
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# decrypt secrets in the selected configuration
+# Note that existing decrypted files will be overwritten
+
+# base setup
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+# configuration
+CONFIGURATION=${CONFIGURATION:-"example"}
+SECRET=${SECRET}
+SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
+FILES=(\
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \
+ )
+
+# Load SECRET from file if it is not set explicitly
+if [ -z ${SECRET} ] && [ -f "${SECRET_FILE}" ]; then
+ SECRET=$(<${SECRET_FILE})
+fi
+
+# exit when there is no SECRET set
+if [ -z ${SECRET} ]; then
+ echo "No SECRET provided and no SECRET-File found."
+ exit 1
+fi
+
+# decrypt
+for file in "${FILES[@]}"
+do
+ if [ -f "${file}.enc" ]; then
+ #gpg --symmetric --batch --passphrase="${SECRET}" --cipher-algo AES256 --output ${file}.enc ${file}
+ gpg --quiet --batch --yes --decrypt --passphrase="${SECRET}" --output ${file} ${file}.enc
+ echo "Decrypted ${file}"
+ fi
+done
+
+echo "DONE"
+# gpg --quiet --batch --yes --decrypt --passphrase="${SECRET}" \
+# --output $HOME/secrets/my_secret.json my_secret.json.gpg
diff --git a/deployment/scripts/secrets.encrypt.sh b/deployment/scripts/secrets.encrypt.sh
new file mode 100755
index 000000000..ef6c87e85
--- /dev/null
+++ b/deployment/scripts/secrets.encrypt.sh
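Review bot: `--passphrase="${SECRET}"` on the gpg line in the decrypt loop puts the secret on the command line, where any local user can read it from `ps` or /proc/<pid>/cmdline for as long as gpg runs; feed it on stdin with `--passphrase-fd 0` instead (GnuPG 2.1+ also needs `--pinentry-mode loopback` for that, per its manual). The gpg exit status is never checked, so a wrong passphrase or a corrupt `.enc` still prints `Decrypted ${file}` and the script ends with `DONE` and status 0, and the decrypted `.env`/`kubeconfig.yaml` are created under the default umask rather than owner-only. The same three points apply to the gpg line in secrets.encrypt.sh. The commented-out `#gpg --symmetric …` line inside the loop and the two trailing `# gpg …` example lines are dead code that secrets.encrypt.sh already covers and could be dropped.
```shell
# … unchanged: configuration and SECRET loading …
umask 077   # decrypted .env / kubeconfig.yaml are owner-readable only
for file in "${FILES[@]}"
do
  if [ -f "${file}.enc" ]; then
    if printf '%s' "${SECRET}" \
        | gpg --quiet --batch --yes --decrypt --pinentry-mode loopback \
              --passphrase-fd 0 --output "${file}" "${file}.enc"; then
      echo "Decrypted ${file}"
    else
      echo "Failed to decrypt ${file}.enc" >&2
      exit 1
    fi
  fi
done
```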
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# encrypt secrets in the selected configuration
+# Note that existing encrypted files will be overwritten
+
+# base setup
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+# configuration
+CONFIGURATION=${CONFIGURATION:-"example"}
+SECRET=${SECRET}
+SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
+FILES=(\
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \
+ )
+
+# Load SECRET from file if it is not set explicitly
+if [ -z ${SECRET} ] && [ -f "${SECRET_FILE}" ]; then
+ SECRET=$(<${SECRET_FILE})
+fi
+
+# exit when there is no SECRET set
+if [ -z ${SECRET} ]; then
+ echo "No SECRET provided and no SECRET-File found."
+ exit 1
+fi
+
+# encrypt
+for file in "${FILES[@]}"
+do
+ if [ -f "${file}" ]; then
+ gpg --symmetric --batch --yes --passphrase="${SECRET}" --cipher-algo AES256 --output ${file}.enc ${file}
+ echo "Encrypted ${file}"
+ fi
+done
+
+echo "DONE"
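Review bot: When a plaintext file listed in FILES is missing, the `if [ -f "${file}" ]` branch in the encrypt loop skips it silently and the script still prints `DONE`, so a stale `.enc` from an earlier run stays in place with no hint that it was not refreshed; an `else` arm such as `else echo "Skipping ${file}: not found" >&2` before the `fi` would make that visible. `SECRET=${SECRET}` in the configuration block is a no-op (it assigns the variable to itself and does not export it) and can be dropped or replaced by a comment saying SECRET may be supplied through the environment; the same line appears in secrets.decrypt.sh.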