diff --git a/apps/kimai/values.yaml b/apps/kimai/values.yaml
index bd64054..3bfb8f3 100644
--- a/apps/kimai/values.yaml
+++ b/apps/kimai/values.yaml
@@ -19,10 +19,11 @@ database:
 mariadb:
   enabled: true
   auth:
-    rootPassword: j6drtf47
-    database: kimai
+    existingSecret: kimai-secrets
+    existingSecretMappings:
+      rootPassword: kimai-db-root-password
+      password: kimai-db-password
     username: kimai
-    password: kimai
   primary:
     persistence:
       size: 4Gi
@@ -30,3 +31,16 @@ mariadb:
 
 service:
   type: ClusterIP
+
+env:
+  - name: kimaiAdminEmail
+    valueFrom:
+      secretKeyRef:
+        name: kimai-secrets
+        key: kimai-admin-username
+
+  - name: kimaiAdminPassword
+    valueFrom:
+      secretKeyRef:
+        name: kimai-secrets
+        key: kimai-admin-password
diff --git a/secrets/kimaisecrets.yaml b/secrets/kimaisecrets.yaml
new file mode 100644
index 0000000..d5d42d8
--- /dev/null
+++ b/secrets/kimaisecrets.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kimai-secrets
+  namespace: kimai
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    name: kimai-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: db-root-password
+      remoteRef:
+        key: kimai-db-root-password
+
+    - secretKey: db-password
+      remoteRef:
+        key: kimai-db-password
+
+    - secretKey: admin-username
+      remoteRef:
+        key: kimai-admin-username
+
+    - secretKey: admin-password
+      remoteRef:
+        key: kimai-admin-password
diff --git a/secrets/kustomization.yaml b/secrets/kustomization.yaml
new file mode 100644
index 0000000..1e20751
--- /dev/null
+++ b/secrets/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kimaisecrerts.yaml
+