diff --git a/charts/perses/Chart.yaml b/charts/perses/Chart.yaml
index 67e7fd3..57a4400 100644
--- a/charts/perses/Chart.yaml
+++ b/charts/perses/Chart.yaml
@@ -4,7 +4,7 @@ description: Perses helm chart
 icon: https://avatars.githubusercontent.com/u/77209215?s=200&v=4
 type: application
 version: 0.3.0
-appVersion: "0.42.1"
+appVersion: "0.43.0"
 sources:
 - https://github.com/perses/perses
 annotations:
diff --git a/charts/perses/templates/_helpers.tpl b/charts/perses/templates/_helpers.tpl
index 1742304..39456fc 100644
--- a/charts/perses/templates/_helpers.tpl
+++ b/charts/perses/templates/_helpers.tpl
@@ -64,3 +64,46 @@ Create the name of the service account to use
 {{- define "perses.dns" -}}
 http://{{ include "perses.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.targetPort }}
 {{- end -}}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.createEncryptionKeyFileSecret" -}}
+{{- if (and .Values.config.security.encryptionKey .Values.config.security.encryptionKeyFile) }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.mountEncryptionKeyFileSecret" -}}
+{{- if or (eq (include "perses.createEncryptionKeyFileSecret" .) "true") .Values.overrideEncryptionKeySecret.secretName }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.encryptionKeyVolume" -}}
+- name: encryptionkey
+  secret:
+    secretName: {{ .Values.overrideEncryptionKeySecret.secretName | default (printf "%s-encryption-key" (include "perses.fullname" .)) | quote }}
+    items:
+      - key: {{ .Values.overrideEncryptionKeySecret.secretKey | default "key" | quote }}
+        path: "key"
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.encryptionKeyVolumeMount" -}}
+- name: encryptionkey
+  mountPath: {{ .Values.config.security.encryptionKeyFile | default "etc/perses/security/encryptionkey" | quote }}
+  readOnly: true
+{{- end }}
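Review bot: `perses.encryptionKeyVolumeMount` falls back to `"etc/perses/security/encryptionkey"` without a leading slash, and a container mountPath is expected to be absolute, so the fallback should read `"/etc/perses/security/encryptionkey"`. That fallback is only reached when `encryptionKeyFile` is empty, and in that situation nothing in this change tells Perses where the mounted file is — the config template only emits `encryption_key_file` when `encryptionKeyFile` and `encryptionKey` are both set — so setting `overrideEncryptionKeySecret.secretName` alone mounts the Secret but leaves it unread; consider having the config template reuse the same default instead of duplicating the path here. The four `TODO` comment headers should state what each helper yields, e.g. `Returns "true" when a chart-managed Secret must be created from config.security.encryptionKey (requires encryptionKeyFile as well).` for the first, `Returns "true" when an encryption-key Secret (chart-managed or overrideEncryptionKeySecret.secretName) has to be mounted.` for the second, and `Volume/volumeMount for the encryption-key Secret; the key is exposed as the file "key" under encryptionKeyFile.` for the last two.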
diff --git a/charts/perses/templates/config.yaml b/charts/perses/templates/config.yaml
index 24f5222..12bf974 100644
--- a/charts/perses/templates/config.yaml
+++ b/charts/perses/templates/config.yaml
@@ -12,6 +12,12 @@ data:
   config.yaml: |-
     security:
       readonly: {{ .Values.config.security.readOnly }}
+      {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
+      encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }}
+      {{- end }}
+      {{- if and (not .Values.config.security.encryptionKeyFile) .Values.config.security.encryptionKey }}
+      encryption_key: {{ .Values.config.security.encryptionKey }}
+      {{- end }}
       enable_auth: {{ .Values.config.security.enableAuth }}
 
     database:
@@ -24,12 +30,12 @@ data:
         sql:
           {{- tpl (toYaml .) $ | nindent 8 }}
     {{ end -}}
-
+
     {{- with .Values.config.important_dashboards }}
     important_dashboards:
       {{- toYaml . | nindent 6 }}
     {{- end }}
-
+
     {{- with .Values.config.schemas }}
     schemas:
       {{- toYaml . | nindent 6 }}
diff --git a/charts/perses/templates/secrets.yaml b/charts/perses/templates/secrets.yaml
new file mode 100644
index 0000000..cd9e29a
--- /dev/null
+++ b/charts/perses/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{- if eq (include "perses.createEncryptionKeyFileSecret" .) "true" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "perses.fullname" . }}-encryption-key
+  labels:
+    {{- include "perses.labels" . | nindent 4 }}
+  {{- with .Values.config.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  key: {{ .Values.config.security.encryptionKey | b64enc }}
+{{- end }}
+
+---
diff --git a/charts/perses/templates/statefulset.yaml b/charts/perses/templates/statefulset.yaml
index c59ba66..823e172 100644
--- a/charts/perses/templates/statefulset.yaml
+++ b/charts/perses/templates/statefulset.yaml
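Review bot: When `encryptionKeyFile` is empty and `encryptionKey` is set, the second added branch renders the raw key as `encryption_key:` into this ConfigMap, so the secret lands in a resource that is not handled as sensitive (readable with plain ConfigMap RBAC, printed in full by `kubectl describe configmap`, outside Secret encryption at rest). Since the same change already ships a Secret-backed path, I would drop that branch, or at minimum gate it behind an explicit opt-in value and warn about it in values.yaml. Separately, the `encryption_key_file` branch requires `encryptionKey` as well, so a user who only provides `overrideEncryptionKeySecret.secretName` never gets the path into the config; gating it on `{{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}` would match the volume logic in the StatefulSet. Both emitted values are unquoted expansions inside the `config.yaml` block scalar, so a key that looks like a number or starts with a YAML indicator changes type or breaks the parse; use `encryption_key: {{ .Values.config.security.encryptionKey | quote }}` and append `| quote` to the `printf "%s/key"` expression too.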
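Review bot: The new Secret is filled straight from `.Values.config.security.encryptionKey`, so whenever this path is used the plaintext key also lives in the values file and in Helm's release record in the namespace; the chart already supports `overrideEncryptionKeySecret`, and a template comment such as `{{/* Chart-managed key Secret; prefer overrideEncryptionKeySecret for anything beyond local testing */}}` above the `if` would steer users there. The annotations are taken from `.Values.config.annotations`, which presumably targets the config ConfigMap — confirm the same annotation set is wanted on a Secret. The trailing `---` after `{{- end }}` emits an empty document when the condition is false; harmless for Helm, but it can be removed.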
@@ -50,6 +50,9 @@ spec:
             - name: datasources
               mountPath: /etc/perses/datasources
             {{- end }}
+            {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
+            {{- include "perses.encryptionKeyVolumeMount" . | nindent 10 }}
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.targetPort }}
@@ -97,4 +100,7 @@ spec:
         - name: datasources
           configMap:
             name: {{ include "perses.fullname" . }}-datasources
-        {{- end }}
\ No newline at end of file
+        {{- end }}
+        {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
+        {{- include "perses.encryptionKeyVolume" . | nindent 8 }}
+        {{- end }}
diff --git a/charts/perses/values.schema.json b/charts/perses/values.schema.json
index 335a412..53f0fdc 100644
--- a/charts/perses/values.schema.json
+++ b/charts/perses/values.schema.json
@@ -102,6 +102,14 @@
           "type": "boolean",
           "default": false
         },
+        "encryptionKey": {
+          "type": "string",
+          "default": ""
+        },
+        "encryptionKeyFile": {
+          "type": "string",
+          "default": ""
+        },
         "enableAuth": {
           "type": "boolean",
           "default": false
@@ -443,6 +451,20 @@
     "volumeMounts": {
       "type": "array"
     },
+    "overrideEncryptionKeySecret": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "secretName": {
+          "type": "string",
+          "default": ""
+        },
+        "secretKey": {
+          "type": "string",
+          "default": "key"
+        }
+      }
+    },
     "readinessProbe": {
       "type": "object",
       "additionalProperties": false,
diff --git a/charts/perses/values.yaml b/charts/perses/values.yaml
index f82fc0b..ae623e2 100644
--- a/charts/perses/values.yaml
+++ b/charts/perses/values.yaml
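Review bot: The `encryptionKey` and `encryptionKeyFile` entries carry no `description`, and the name `encryptionKeyFile` is misleading on its own: the config template appends `/key` to it and the volume helper uses it as the Secret's mountPath, so it is a mount directory, not the path of a file. Add `"description": "Directory where the encryption-key Secret is mounted; Perses reads <dir>/key"` to `encryptionKeyFile` and `"description": "Encryption key; copied into a chart-managed Secret when encryptionKeyFile is set, otherwise rendered in clear text into the config ConfigMap"` to `encryptionKey`, so schema-driven tooling surfaces the trade-off.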
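Review bot: `overrideEncryptionKeySecret.secretName` and `secretKey` have no `description`, and the empty-string default for `secretName` doubles as "not set", which is worth stating since `additionalProperties: false` will reject any other way of disabling it. Add `"description": "Name of an existing Secret holding the encryption key; takes precedence over the chart-managed Secret. Empty means unset."` to `secretName` and `"description": "Key within that Secret that holds the encryption key"` to `secretKey`.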
@@ -82,6 +82,14 @@ volumes: []
 # -- Additional VolumeMounts on the output StatefulSet definition.
 volumeMounts: []
 
+
+# -- Enable encryption with an existing secret.
+# The key that holds that encryption key can also be provided with `secretKey`.
+# If not set, `key` is assumed.
+overrideEncryptionKeySecret:
+  # -- SecretName is name of the K8s secret where the encryption key to be used is stored
+  secretName: ""
+
 # -- Resource limits & requests.
 # Update according to your own use case as these values might be too low for a typical deployment.
 # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
@@ -96,6 +104,10 @@ config:
   security:
     # -- Configure Perses instance as readonly
     readOnly: false
+    # -- Encryption key
+    encryptionKey: ""
+    # -- Encryption key file path
+    encryptionKeyFile: ""
     # -- Enable Authentication
     enableAuth: false
 
@@ -191,4 +203,4 @@ datasources:
   # plugin:
   #   kind: PrometheusDatasource
   #   spec:
-  #     directUrl: https://prometheus.demo.do.prometheus.io
\ No newline at end of file
+  #     directUrl: https://prometheus.demo.do.prometheus.io
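Review bot: The comment promises that `secretKey` can be provided, but the block only declares `secretName`, so helm-docs output and anyone reading values.yaml will not discover the knob (the schema in this change defines it with default `key`). Declare it explicitly: `# -- Key inside the Secret that holds the encryption key` followed by `secretKey: "key"`. It would also help to note here that the Secret is mounted at `config.security.encryptionKeyFile`, since as far as I can tell from this change the config template only emits `encryption_key_file` when that value (and `encryptionKey`) is set, so `secretName` on its own is not enough.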
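Review bot: `# -- Encryption key` hides the property a user most needs to know: with `encryptionKeyFile` empty the value is rendered in clear text into the config ConfigMap, and with it set the value is copied into a chart-managed Secret, so in both cases the plaintext key sits in the values file. Expand the comments to `# -- Encryption key. Stored in a chart-managed Secret when encryptionKeyFile is set; otherwise rendered in clear text into the config ConfigMap. Prefer overrideEncryptionKeySecret outside local testing.` and `# -- Directory where the encryption-key Secret is mounted; Perses reads <dir>/key`, the latter because the current "file path" wording contradicts how the config template appends `/key`.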