diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb
index 45923c0..39d71a4 100644
--- a/cookbooks/vault/setup.rb
+++ b/cookbooks/vault/setup.rb
@@ -9,6 +9,16 @@ template '/etc/vault.d/vault.hcl' do
   notifies :restart, 'service[vault]'
 end
 
+encrypted_remote_file '/etc/vault.d/vault.env' do
+  owner 'vault'
+  group 'vault'
+  mode '600'
+  source 'files/etc/vault.d/vault.env'
+  password ENV['ITAMAE_PASSWORD']
+
+  notifies :restart, 'service[vault]'
+end
+
 directory '/etc/vault.d/policies' do
   owner 'vault'
   group 'vault'
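Review bot: `password ENV['ITAMAE_PASSWORD']` in the new `encrypted_remote_file` block evaluates to nil when the variable is not exported, so a misconfigured run only fails (or misbehaves) inside the decryption step instead of at recipe load. Reading it with `password ENV.fetch('ITAMAE_PASSWORD')` makes the run stop immediately with a KeyError that names the missing variable. Since the decrypted file holds Vault's environment secrets, it is also worth confirming that this resource does not print a content diff of `/etc/vault.d/vault.env` to the run log when the file changes, as ordinary file resources may do. A short comment above the block saying where the encrypted source is produced and who holds the password would help the next operator.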