diff --git a/README.md b/README.md
index 239a905..9c88358 100644
--- a/README.md
+++ b/README.md
@@ -295,6 +295,11 @@ The contents of `/path/to/certs` should contain the certificates and private key
 If you are running the container in a virtualized environment (Hyper-V, VirtualBox, etc...), /path/to/certs must exist in that environment or be made accessible to that environment. By default, Docker is not able to mount directories on the host machine to containers running in a virtual machine.
+#### Passphrase
+
+Optionally you can set passphrase for certificate by creating `.pw` file with passphrase in `/path/to/certs` directory.
+For example `foo.bar.com.pw`.
+
 #### Diffie-Hellman Groups
 [RFC7919 groups](https://datatracker.ietf.org/doc/html/rfc7919#appendix-A) with key lengths of 2048, 3072, and 4096 bits are [provided by `nginx-proxy`](https://github.com/nginx-proxy/nginx-proxy/dhparam). The ENV `DHPARAM_BITS` can be set to `2048` or `3072` to change from the default 4096-bit key. The DH key file will be located in the container at `/etc/nginx/dhparam/dhparam.pem`. Mounting a different `dhparam.pem` file at that location will override the RFC7919 key.
diff --git a/nginx.tmpl b/nginx.tmpl
index e8a555d..7e90e3c 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -249,6 +249,9 @@ server {
 ssl_session_tickets off;
 ssl_certificate /etc/nginx/certs/default.crt;
 ssl_certificate_key /etc/nginx/certs/default.key;
+ {{ if (exists "/etc/nginx/certs/default.pw") }}
+ ssl_password_file /etc/nginx/certs/default.pw;
+ {{ end }}
 }
 {{ end }}
@@ -362,6 +365,10 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+ {{ if (exists (printf "/etc/nginx/certs/%s.pw" $cert)) }}
+ ssl_password_file {{ printf "/etc/nginx/certs/%s.pw" $cert }};
+ {{ end }}
+
 {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
 ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 {{ end }}
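Review bot: The `.pw` passphrase file consumed by the new `ssl_password_file` line at `@@ -249` sits in the same mounted `/etc/nginx/certs` directory as `default.key`, so anyone who can read the key can read its passphrase as well, and encrypting the key gains nothing unless the `.pw` file is restricted (0600, same owner as the key); the hunk only tests `exists`, so a world-readable or empty file is accepted at render time and presumably only fails when nginx loads the key. State that contract next to the directive, e.g. `# default.pw: passphrase(s) for an encrypted default.key, one per line (nginx ssl_password_file); keep it 0600 alongside the key`, and mirror it in the README, which currently only says the file "can" be created. The same three-line block is repeated at `@@ -362` (keyed off `$cert`) and `@@ -472`; a single template comment at the first occurrence, or a small named template, would avoid restating it.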
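Review bot: The passphrase path added at `@@ -362` is built from `$cert`, the same stem the `.crt`/`.key` lines above it use, so the `.pw` file has to be named after the certificate file rather than after the virtual host; the README example `foo.bar.com.pw` covers only the case where the two coincide, and a template comment such as `{{/* <cert>.pw, if present, unlocks <cert>.key; same stem as the .crt/.key above */}}` would make that explicit. The `printf` for that path is also evaluated twice (once inside `exists`, once in the directive); binding it once with `{{ $pw := printf "/etc/nginx/certs/%s.pw" $cert }}` and then `{{ if (exists $pw) }}` / `ssl_password_file {{ $pw }};` removes the duplication, though the `dhparam` lines just below use the same doubled form, so keeping consistency is a defensible choice. The enclosing `server` block starts and ends outside the hunk.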
@@ -472,6 +479,9 @@ server {
 ssl_certificate /etc/nginx/certs/default.crt;
 ssl_certificate_key /etc/nginx/certs/default.key;
+ {{ if (exists "/etc/nginx/certs/default.pw") }}
+ ssl_password_file /etc/nginx/certs/default.pw;
+ {{ end }}
 }
 {{ end }}