diff --git a/config.yml b/config.yml
index 379c12f..81d9e2c 100644
--- a/config.yml
+++ b/config.yml
@@ -12,8 +12,11 @@ verify_tls: true
 # They need to have a full access to the registry.
 # If token authentication service is enabled, it will be auto-discovered and those credentials
 # will be used to obtain access tokens.
+# When the registry_password_file entry is used, the password can be passed as a docker secret
+# and read from file. This overides the registry_password entry.
 registry_username: user
 registry_password: pass
+# registry_password_file: /run/secrets/registry_password_file
 # Event listener token.
 # The same one should be configured on Docker registry as Authorization Bearer token.
diff --git a/main.go b/main.go
index 47c0c22..a2c15eb 100644
--- a/main.go
+++ b/main.go
@@ -26,6 +26,7 @@ type configData struct {
 VerifyTLS bool `yaml:"verify_tls"`
 Username string `yaml:"registry_username"`
 Password string `yaml:"registry_password"`
+ PasswordFile string `yaml:"registry_password_file"`
 EventListenerToken string `yaml:"event_listener_token"`
 EventRetentionDays int `yaml:"event_retention_days"`
 EventDatabaseDriver string `yaml:"event_database_driver"`
@@ -86,6 +87,17 @@ func main() {
 a.config.BasePath = a.config.BasePath[0 : len(a.config.BasePath)-1]
 }
 }
+ // Read password from file.
+ if a.config.PasswordFile != "" {
+ if _, err := os.Stat(a.config.PasswordFile); os.IsNotExist(err) {
+ panic(err)
+ }
+ passwordBytes, err := ioutil.ReadFile(a.config.PasswordFile)
+ if err != nil {
+ panic(err)
+ }
+ a.config.Password = string(passwordBytes[:])
+ }
 // Init registry API client.
 a.client = registry.NewClient(a.config.RegistryURL, a.config.VerifyTLS, a.config.Username, a.config.Password)
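Review bot: In the `main.go` hunk the file contents are assigned verbatim at `a.config.Password = string(passwordBytes[:])`, so a trailing newline in the secret file (usual when it is written with `echo` or an editor) becomes part of the password and registry authentication would fail with no hint as to why. Strip only the line ending rather than all whitespace, e.g. `a.config.Password = strings.TrimRight(string(passwordBytes), "\r\n")`; this needs the `strings` import if main.go does not already have it. An empty result is worth rejecting explicitly, so a blank or truncated secret file does not silently configure an empty password. The preceding `os.Stat` check is redundant, since `ioutil.ReadFile` already returns the not-exist error, and removing it closes the gap between the check and the read. The body of `main` starts and ends outside this hunk.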