diff --git a/bin/write-env.sh b/bin/write-env.sh
index aca8906f..1cc52370 100755
--- a/bin/write-env.sh
+++ b/bin/write-env.sh
@@ -20,36 +20,70 @@ if [ ! -f ${CONF_DIR}/mongo.env ]; then
 else
 echo "MONGO_DB=${MONGO_DB}" >> ${CONF_DIR}/mongo.env
 fi
- if [ -z ${MONGO_USER} ]; then
+
+ if [ -z ${MONGO_USER_FILE} ] && [ -z ${MONGO_USER} ]; then
 echo "#MONGO_USER=" >> ${CONF_DIR}/mongo.env
+ elif [ ${MONGO_USER_FILE} ]; then
+ echo "MONGO_USER_FILE=${MONGO_USER_FILE}" >> ${CONF_DIR}/mongo.env
 else
 echo "MONGO_USER=${MONGO_USER}" >> ${CONF_DIR}/mongo.env
 fi
- if [ -z ${MONGO_PASS} ]; then
+ if [ -z ${MONGO_PASS} ] && [ -z ${MONGO_PASS_FILE} ]; then
 echo "#MONGO_PASS=" >> ${CONF_DIR}/mongo.env
+ elif [ ${MONGO_PASS_FILE} ]; then
+ echo "MONGO_PASS_FILE=${MONGO_PASS_FILE}" >> ${CONF_DIR}/mongo.env
 else
 echo "MONGO_PASS=${MONGO_PASS}" >> ${CONF_DIR}/mongo.env
 fi
 fi
 if [ ! -f ${CONF_DIR}/postgres.env ]; then
- echo "POSTGRES_USER=${POSTGRES_USER:-mistral-user}" > ${CONF_DIR}/postgres.env
- echo "POSTGRES_PASSWORD=${POSTGRES_PASS:-$(randpwd 18)}" >> ${CONF_DIR}/postgres.env
+ if [ ${POSTGRES_USER_FILE} ]; then
+ echo "POSTGRES_USER_FILE=${POSTGRES_USER_FILE}" > ${CONF_DIR}/postgres.env
+ else
+ echo "POSTGRES_USER=${POSTGRES_USER:-mistral-user}" > ${CONF_DIR}/postgres.env
+ fi
+ if [ ${POSTGRES_PASSWORD_FILE} ]; then
+ echo "POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}" >> ${CONF_DIR}/postgres.env
+ else
+ echo "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-mistral-user}" >> ${CONF_DIR}/postgres.env
+ fi
 echo "POSTGRES_HOST=${POSTGRES_HOST:-postgres}" >> ${CONF_DIR}/postgres.env
 echo "POSTGRES_PORT=${POSTGRES_PORT:-5432}" >> ${CONF_DIR}/postgres.env
 echo "POSTGRES_DB=${POSTGRES_DB:-mistral}" >> ${CONF_DIR}/postgres.env
 fi
 if [ ! -f ${CONF_DIR}/rabbitmq.env ]; then
- echo "RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER:-admin}" > ${CONF_DIR}/rabbitmq.env
- echo "RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS:-$(randpwd 18)}" >> ${CONF_DIR}/rabbitmq.env
+ if [ ${RABBITMQ_DEFAULT_USER_FILE} ]; then
+ echo "RABBITMQ_DEFAULT_USER_FILE=${RABBITMQ_DEFAULT_USER_FILE}" > ${CONF_DIR}/rabbitmq.env
+ else
+ echo "RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER:-admin}" > ${CONF_DIR}/rabbitmq.env
+ fi
+ if [ ${RABBITMQ_DEFAULT_PASS_FILE} ]; then
+ echo "RABBITMQ_DEFAULT_PASS_FILE=${RABBITMQ_DEFAULT_PASS_FILE}" >> ${CONF_DIR}/rabbitmq.env
+ else
+ echo "RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS:-mistral-user}" >> ${CONF_DIR}/rabbitmq.env
+ fi
 echo "RABBITMQ_HOST=${RABBITMQ_HOST:-rabbitmq}" >> ${CONF_DIR}/rabbitmq.env
 echo "RABBITMQ_PORT=${RABBITMQ_PORT:-5672}" >> ${CONF_DIR}/rabbitmq.env
 fi
 if [ ! -f ${CONF_DIR}/redis.env ]; then
- echo "REDIS_PASSWORD=${REDIS_PASSWORD:-$(randpwd 18)}" > ${CONF_DIR}/redis.env
+
+ if [ ${REDIS_PASSWORD_FILE} ]; then
+ echo "REDIS_PASSWORD_FILE=${REDIS_PASSWORD_FILE}" > ${CONF_DIR}/redis.env
+ else
+ echo "REDIS_PASSWORD=${REDIS_PASSWORD:-$(randpwd 18)}" > ${CONF_DIR}/redis.env
+ fi
 echo "REDIS_HOST=${REDIS_HOST:-redis}" >> ${CONF_DIR}/redis.env
 echo "REDIS_PORT=${REDIS_PORT:-6379}" >> ${CONF_DIR}/redis.env
 fi
 if [ ! -f ${CONF_DIR}/stackstorm.env ]; then
- echo "ST2_USER=${ST2_USER:-st2admin}" > ${CONF_DIR}/stackstorm.env
- echo "ST2_PASSWORD=${ST2_PASSWORD:-$(randpwd 6)}" >> ${CONF_DIR}/stackstorm.env
+ if [ ${ST2_USER_FILE} ]; then
+ echo "ST2_USER_FILE=${ST2_USER_FILE}" > ${CONF_DIR}/stackstorm.env
+ else
+ echo "ST2_USER=${ST2_USER:-st2admin}" > ${CONF_DIR}/stackstorm.env
+ fi
+ if [ ${ST2_PASSWORD_FILE} ]; then
+ echo "ST2_PASSWORD_FILE=${ST2_PASSWORD_FILE}" >> ${CONF_DIR}/stackstorm.env
+ else
+ echo "ST2_PASSWORD=${ST2_PASSWORD:-$(randpwd 6)}" >> ${CONF_DIR}/stackstorm.env
+ fi
 fi
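Review bot: The fallback values for `POSTGRES_PASSWORD` and `RABBITMQ_DEFAULT_PASS` in the new `else` branches regress from `$(randpwd 18)` to the fixed string `mistral-user`, so a deployment that supplies neither a password nor a `*_FILE` now gets a well-known credential written into `conf/postgres.env` and `conf/rabbitmq.env`; the redis and st2 branches keep `randpwd`, which suggests this was not intended. Restore `echo "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-$(randpwd 18)}" >> ${CONF_DIR}/postgres.env` and `echo "RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS:-$(randpwd 18)}" >> ${CONF_DIR}/rabbitmq.env`. The postgres branch also now reads `POSTGRES_PASSWORD` where the removed line read `POSTGRES_PASS`; if that rename is deliberate it should be called out, otherwise existing `.env` overrides silently stop taking effect. The `[ ${X_FILE} ]` tests are unquoted, so a secret path containing whitespace breaks them; `[ -n "${X_FILE}" ]` is the safer form.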
diff --git a/docker-compose-with-secrets.yml b/docker-compose-with-secrets.yml
new file mode 100644
index 00000000..c0e1d180
--- /dev/null
+++ b/docker-compose-with-secrets.yml
@@ -0,0 +1,118 @@
+version: '3.1'
+
+services:
+ stackstorm:
+ image: stackstorm/stackstorm:${TAG:-latest}
+ container_name: stackstorm
+ secrets:
+ - stackstorm_secret_user
+ - stackstorm_secret_pass
+ - mongo_secret_user
+ - mongo_secret_pass
+ - rabbitmq_secret_user
+ - rabbitmq_secret_pass
+ - postgres_secret_user
+ - postgres_secret_pass
+ - redis_secret_pass
+ env_file:
+ - conf/stackstorm.env
+ - conf/mongo.env
+ - conf/rabbitmq.env
+ - conf/postgres.env
+ - conf/redis.env
+ ports:
+ - "443:443"
+ networks:
+ - public
+ - private
+ volumes:
+ - stackstorm-log-volume:/var/log
+ - ./packs.dev:/opt/stackstorm/packs.dev
+
+### External Services
+
+ mongo:
+ image: mongo:3.4
+ container_name: mongo
+ secrets:
+ - mongo_root_secret_user
+ - mongo_root_secret_pass
+ env_file:
+ - conf/mongo.env
+ networks:
+ - private
+ volumes:
+ - mongo-volume:/data/db
+ rabbitmq:
+ image: rabbitmq:management
+ container_name: rabbitmq
+ secrets:
+ - rabbitmq_secret_user
+ - rabbitmq_secret_pass
+ env_file:
+ - conf/rabbitmq.env
+ networks:
+ - private
+ volumes:
+ - rabbitmq-volume:/var/lib/rabbitmq
+ postgres:
+ image: postgres:latest
+ container_name: postgres
+ secrets:
+ - postgres_secret_user
+ - postgres_secret_pass
+ env_file:
+ - conf/postgres.env
+ networks:
+ - private
+ volumes:
+ - postgres-volume:/var/lib/postgresql/data
+ redis:
+ image: redis:latest
+ container_name: redis
+ secrets:
+ - redis_secret_pass
+ env_file:
+ - conf/redis.env
+ networks:
+ - private
+ volumes:
+ - redis-volume:/data
+
+secrets:
+ mongo_root_secret_user:
+ file: ./secrets/mongo_user.txt
+ mongo_root_secret_pass:
+ file: ./secrets/mongo_password.txt
+ mongo_secret_user:
+ file: ./secrets/mongo_user.txt
+ mongo_secret_pass:
+ file: ./secrets/mongo_password.txt
+ rabbitmq_secret_user:
+ file: secrets/rabbitmq_user.txt
+ rabbitmq_secret_pass:
+ file: secrets/rabbitmq_password.txt
+ postgres_secret_user:
+ file: secrets/postgres_user.txt
+ postgres_secret_pass:
+ file: secrets/postgres_password.txt
+ redis_secret_pass:
+ file: secrets/redis_password.txt
+ stackstorm_secret_user:
+ file: secrets/stackstorm_user.txt
+ stackstorm_secret_pass:
+ file: secrets/stackstorm_password.txt
+
+volumes:
+ mongo-volume:
+ postgres-volume:
+ rabbitmq-volume:
+ redis-volume:
+ stackstorm-log-volume:
+
+networks:
+ public:
+ driver: bridge
+ private:
+ driver: bridge
+
diff --git a/images/stackstorm/bin/entrypoint.sh b/images/stackstorm/bin/entrypoint.sh
index 2ba08bf7..2bf0dc23 100755
--- a/images/stackstorm/bin/entrypoint.sh
+++ b/images/stackstorm/bin/entrypoint.sh
@@ -1,7 +1,35 @@
 #!/bin/bash
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ unset "$fileVar"
+ echo $val
+}
+
+st2_user_var=$(file_env 'ST2_USER')
+st2_pass_var=$(file_env 'ST2_PASSWORD')
+rabbitmq_user_var=$(file_env 'RABBITMQ_DEFAULT_USER')
+rabbitmq_pass_var=$(file_env 'RABBITMQ_DEFAULT_PASS')
+redis_pass_var=$(file_env 'REDIS_PASSWORD')
+mongo_user_var=$(file_env 'MONGO_USER')
+mongo_pass_var=$(file_env 'MONGO_PASS')
+postgres_user_var=$(file_env 'POSTGRES_USER')
+postgres_pass_var=$(file_env 'POSTGRES_PASSWORD')
+
 # Create htpasswd file and login to st2 using specified username/password
-htpasswd -b /etc/st2/htpasswd ${ST2_USER} ${ST2_PASSWORD}
+htpasswd -b /etc/st2/htpasswd ${st2_user_var} ${st2_pass_var}
 mkdir -p /root/.st2
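Review bot: In the `secrets:` section `mongo_root_secret_user`/`mongo_root_secret_pass` and `mongo_secret_user`/`mongo_secret_pass` all resolve to the same `./secrets/mongo_user.txt` and `./secrets/mongo_password.txt`, so the stackstorm service authenticates to Mongo with the root account rather than a least-privilege database user; splitting them into separate files (e.g. `./secrets/mongo_st2_user.txt`) keeps a compromise of the app container from handing out root on the database. `postgres:latest` and `redis:latest` are unpinned, so the stack's security baseline changes silently on every pull; pin a version tag or digest as `mongo:3.4` already does. A header comment such as `# Files under ./secrets/ are mounted at /run/secrets/<name>; point the *_FILE variables in conf/*.env there and keep ./secrets out of version control` would also help, since nothing in this file states how the `*_FILE` variables are expected to be set.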
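Review bot: `file_env` is only ever invoked as `st2_user_var=$(file_env 'ST2_USER')`, i.e. inside a command-substitution subshell, so the `exit 1` on the exclusive-check and the `unset "$fileVar"` affect only that subshell: when both `VAR` and `VAR_FILE` are set the script prints the error but carries on with an empty credential, and the `*_FILE` variables remain in the environment. Append `|| exit 1` to each of the nine assignments (e.g. `st2_user_var=$(file_env 'ST2_USER') || exit 1`) or have the helper assign in-process (`export "$var"="$val"`) instead of echoing. `echo $val` is also unquoted, so a secret containing whitespace or glob characters is word-split and a value beginning with `-n` or `-e` is consumed as an echo option; use `printf '%s\n' "$val"`. There is no `set -e`/`set -u` above the function in this hunk, so nothing else catches the empty-value path.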
@@ -9,27 +37,29 @@ ROOT_CONF=/root/.st2/config
 touch ${ROOT_CONF}
-crudini --set ${ROOT_CONF} credentials username ${ST2_USER}
-crudini --set ${ROOT_CONF} credentials password ${ST2_PASSWORD}
+crudini --set ${ROOT_CONF} credentials username ${st2_user_var}
+crudini --set ${ROOT_CONF} credentials password ${st2_pass_var}
 ST2_CONF=/etc/st2/st2.conf
 crudini --set ${ST2_CONF} mistral api_url http://127.0.0.1:9101
 crudini --set ${ST2_CONF} mistral v2_base_url http://127.0.0.1:8989/v2
 crudini --set ${ST2_CONF} messaging url \
- amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@${RABBITMQ_HOST}:${RABBITMQ_PORT}
+ amqp://${rabbitmq_user_var}:${rabbitmq_pass_var}@${RABBITMQ_HOST}:${RABBITMQ_PORT}
 crudini --set ${ST2_CONF} coordination url \
- redis://${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}
+ redis://${redis_pass_var}@${REDIS_HOST}:${REDIS_PORT}
 crudini --set ${ST2_CONF} database host ${MONGO_HOST}
 crudini --set ${ST2_CONF} database port ${MONGO_PORT}
+
+
 if [ ! -z ${MONGO_DB} ]; then
 crudini --set ${ST2_CONF} database db_name ${MONGO_DB}
 fi
-if [ ! -z ${MONGO_USER} ]; then
- crudini --set ${ST2_CONF} database username ${MONGO_USER}
+if [ ! -z ${mongo_user_var} ]; then
+ crudini --set ${ST2_CONF} database username ${mongo_user_var}
 fi
-if [ ! -z ${MONGO_PASS} ]; then
- crudini --set ${ST2_CONF} database password ${MONGO_PASS}
+if [ ! -z ${mongo_pass_var} ]; then
+ crudini --set ${ST2_CONF} database password ${mongo_pass_var}
 fi
 # NOTE: Only certain distros of MongoDB support SSL/TLS
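Review bot: The new `crudini --set ${ST2_CONF} database username ${mongo_user_var}` / `password ${mongo_pass_var}` lines and the `[ ! -z ${mongo_user_var} ]` tests expand the secret unquoted; now that these values come from files, a password containing whitespace or `*` is word-split or globbed before reaching crudini, and a value with whitespace makes `[ ! -z a b ]` fail with "too many arguments" so the credential is silently not written. Quote them: `if [ -n "${mongo_pass_var}" ]; then` and `crudini --set ${ST2_CONF} database password "${mongo_pass_var}"`. Separately, `touch ${ROOT_CONF}` at the top of the hunk creates `/root/.st2/config` under the default umask before `crudini --set ${ROOT_CONF} credentials password` writes the plaintext st2 password into it; a `chmod 600 "${ROOT_CONF}"` right after the touch is cheap. All of these secrets also pass through crudini's argv, where they are readable via `ps` inside the container for the duration of each call.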
@@ -46,9 +76,9 @@ fi
 MISTRAL_CONF=/etc/mistral/mistral.conf
 crudini --set ${MISTRAL_CONF} DEFAULT transport_url \
- rabbit://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@${RABBITMQ_HOST}:${RABBITMQ_PORT}
+ rabbit://${rabbitmq_user_var}:${rabbitmq_pass_var}@${RABBITMQ_HOST}:${RABBITMQ_PORT}
 crudini --set ${MISTRAL_CONF} database connection \
- postgresql+psycopg2://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}
+ postgresql+psycopg2://${postgres_user_var}:${postgres_pass_var}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}
 # Run custom init scripts
 for f in /entrypoint.d/*; do