diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
new file mode 100644
index 0000000..b4da9ea
--- /dev/null
+++ b/chart/templates/secrets.yaml
@@ -0,0 +1,38 @@
+{{- if (include "fediblockhole.createSecret" .) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "fediblockhole.fullname" . }}
+ labels:
+ {{- include "fediblockhole.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{- if .Values.fediblockhole.s3.enabled }}
+ {{- if not .Values.fediblockhole.s3.existingSecret }}
+ AWS_ACCESS_KEY_ID: "{{ .Values.fediblockhole.s3.access_key | b64enc }}"
+ AWS_SECRET_ACCESS_KEY: "{{ .Values.fediblockhole.s3.access_secret | b64enc }}"
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.fediblockhole.secrets.existingSecret }}
+ {{- if not (empty .Values.fediblockhole.secrets.secret_key_base) }}
+ SECRET_KEY_BASE: "{{ .Values.fediblockhole.secrets.secret_key_base | b64enc }}"
+ {{- else }}
+ SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.fediblockhole.secrets.secret_key_base }}
+ {{- end }}
+ {{- if not (empty .Values.fediblockhole.secrets.otp_secret) }}
+ OTP_SECRET: "{{ .Values.fediblockhole.secrets.otp_secret | b64enc }}"
+ {{- else }}
+ OTP_SECRET: {{ required "otp_secret is required" .Values.fediblockhole.secrets.otp_secret }}
+ {{- end }}
+ {{- if not (empty .Values.fediblockhole.secrets.vapid.private_key) }}
+ VAPID_PRIVATE_KEY: "{{ .Values.fediblockhole.secrets.vapid.private_key | b64enc }}"
+ {{- else }}
+ VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.fediblockhole.secrets.vapid.private_key }}
+ {{- end }}
+ {{- if not (empty .Values.fediblockhole.secrets.vapid.public_key) }}
+ VAPID_PUBLIC_KEY: "{{ .Values.fediblockhole.secrets.vapid.public_key | b64enc }}"
+ {{- else }}
+ VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.fediblockhole.secrets.vapid.public_key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
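Review bot: The two S3 entries under `data:` are the only keys rendered without a `required` guard, so with `s3.enabled` set and no `s3.existingSecret`, an empty `access_key` or `access_secret` yields a Secret holding blank credentials instead of failing the install. Guarding them like the other keys would surface the misconfiguration at render time: `AWS_ACCESS_KEY_ID: {{ required "s3.access_key is required" .Values.fediblockhole.s3.access_key | b64enc | quote }}`, with the matching line for `AWS_SECRET_ACCESS_KEY`. The same one-line form could replace each `if not (empty …)` / `else` pair further down, since each `else` branch only runs when the value is empty and exists solely to fail. A template comment above `data:` would also help operators, for example `{{- /* Values-supplied secrets are also kept in the Helm release record; prefer existingSecret in production. */}}`.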