diff --git a/linux/k3s/hetzner_csi_driver/defaults/main.yml b/linux/k3s/hetzner_csi_driver/defaults/main.yml
index 5b06393..36a57ca 100644
--- a/linux/k3s/hetzner_csi_driver/defaults/main.yml
+++ b/linux/k3s/hetzner_csi_driver/defaults/main.yml
@@ -1,2 +1,3 @@
 hetzner_csi_version: 2.1.0
 hetzner_csi_cloud_token: SOME_TOKEN
+hetzner_csi_encryption_passphrase: SOME_PASSPHRASE
diff --git a/linux/k3s/hetzner_csi_driver/tasks/main.yml b/linux/k3s/hetzner_csi_driver/tasks/main.yml
index 878bc11..e5dfce7 100644
--- a/linux/k3s/hetzner_csi_driver/tasks/main.yml
+++ b/linux/k3s/hetzner_csi_driver/tasks/main.yml
@@ -3,6 +3,11 @@
     apply: yes
     template: hcloud-secret.yml
 
+- name: apply volume encryption secret
+  kubernetes.core.k8s:
+    apply: yes
+    template: encryption-secret.yml
+
 - name: Create directory for manifest storage
   ansible.builtin.file:
     path: "{{ hetzner_csi_working_dir }}"
@@ -20,6 +25,16 @@
     apply: yes
     src: "{{ hetzner_csi_manifest_path }}"
 
+- name: patch hetzner storageclass to use encrypted volumes
+  kubernetes.core.k8s:
+    state: patched
+    kind: StorageClass
+    name: hcloud-volumes
+    definition:
+      parameters:
+        csi.storage.k8s.io/node-publish-secret-name: encryption
+        csi.storage.k8s.io/node-publish-secret-namespace: default
+
 - name: mark local storage as non default
   kubernetes.core.k8s:
     state: patched
diff --git a/linux/k3s/hetzner_csi_driver/templates/encryption-secret.yml b/linux/k3s/hetzner_csi_driver/templates/encryption-secret.yml
new file mode 100644
index 0000000..58d8662
--- /dev/null
+++ b/linux/k3s/hetzner_csi_driver/templates/encryption-secret.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: encryption-secret
+  namespace: kube-system
+stringData:
+  encryption-passphrase: {{ hetzner_csi_encryption_passphrase }}
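Review bot: `hetzner_csi_encryption_passphrase: SOME_PASSPHRASE` ships a placeholder as a live default, so a run that forgets to override it encrypts every volume with a passphrase that sits in the repository, and nothing fails to reveal that. Either drop the default so the template errors on the undefined variable, or guard the role before the secret is applied with an `ansible.builtin.assert` whose condition is `that: hetzner_csi_encryption_passphrase != 'SOME_PASSPHRASE'`. A comment above the key noting that the value is the disk-encryption passphrase and presumably cannot be rotated once volumes exist (to be confirmed against the driver's documentation) would spare the next maintainer a surprise. The same consideration applies to the `SOME_TOKEN` default on the line above, which this commit leaves as is.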
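Review bot: The StorageClass patch in the second tasks hunk points the driver at a Secret named `encryption` in namespace `default`, but the Secret created by the new `encryption-secret.yml` template is named `encryption-secret` in `kube-system`, so the node plugin will not find the passphrase and volumes will either fail to mount or, depending on driver behaviour, be provisioned without the intended encryption; the name and namespace must agree. Separately, Kubernetes treats `parameters` on an existing StorageClass as immutable, so `state: patched` against `hcloud-volumes` is expected to be rejected by the API server rather than applied. The robust shape is a dedicated StorageClass for encrypted volumes (the name below is a constructed example) created with `state: present`, leaving `hcloud-volumes` untouched.
```yaml
- name: create storageclass for encrypted volumes
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: hcloud-volumes-encrypted
      provisioner: csi.hetzner.cloud
      parameters:
        csi.storage.k8s.io/node-publish-secret-name: encryption-secret
        csi.storage.k8s.io/node-publish-secret-namespace: kube-system
# … unchanged: mark local storage as non default …
```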
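Review bot: `encryption-passphrase: {{ hetzner_csi_encryption_passphrase }}` in the new template renders the passphrase as a plain scalar, so a value that is all digits, looks like a boolean, or contains `: ` or ` #` is retyped or breaks the manifest at YAML parse time, and since this string becomes the volume key a silent retype is not recoverable later. Render it as a properly escaped string instead: `encryption-passphrase: {{ hetzner_csi_encryption_passphrase | to_json }}`, which handles embedded quotes and backslashes that a bare `"{{ ... }}"` would not. The `namespace: kube-system` here must also match whatever the StorageClass parameters reference, which the tasks hunk currently does not.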