diff --git a/charts/garm/templates/_credentials.tpl b/charts/garm/templates/_credentials.tpl
index e93bd03..c899cfc 100644
--- a/charts/garm/templates/_credentials.tpl
+++ b/charts/garm/templates/_credentials.tpl
@@ -44,10 +44,9 @@ Get Gitea token - either user-provided or generated
 {{- end -}}
 
 {{- define "garm.dbPassphrase" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-config" ( include "garm.fullname" . )) -}}
-{{- if and $secret ((fromToml (index $secret.data "config.toml" | b64dec)).database.passphrase) -}}
-{{- $another := fromToml (index $secret.data "config.toml" | b64dec) -}}
-{{ $another.database.passphrase }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-db-credentials" ( include "garm.fullname" . )) -}}
+{{- if and $secret (index $secret.data "passphrase" | b64dec) -}}
+{{- (index $secret.data "passphrase" | b64dec) -}}
 {{- else -}}
 {{- include "garm.randomString" . -}}
 {{- end -}}
diff --git a/charts/garm/templates/secrets.yaml b/charts/garm/templates/secrets.yaml
index 16fb40f..044a1ef 100644
--- a/charts/garm/templates/secrets.yaml
+++ b/charts/garm/templates/secrets.yaml
@@ -14,6 +14,22 @@ stringData:
   GARM_URL: {{ printf "https://%s" (index .Values.ingress.hosts 0).host | quote }}
   GIT_URL: {{ .Values.credentials.gitea.url | quote }}
 ---
+{{- $secretName := printf "%s%s" (include "garm.fullname" .)  "-db-credentials" -}}
+{{- $secretExists := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+
+{{- if not $secretExists -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+stringData:
+  passphrase: {{- include "garm.randomString" . -}}
+{{- end -}}
+---
 apiVersion: v1
 kind: Secret
 metadata: