diff --git a/helmfile/apps/services-external/values-minio.yaml.gotmpl b/helmfile/apps/services-external/values-minio.yaml.gotmpl
index 7b1cfefd..75302763 100644
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -19,6 +19,9 @@ apiIngress:
 
 auth:
   rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+  existingSecret: {{ .Values.externalSecrets.minio.existingSecret | quote }}
+  rootUserSecretKey: {{ .Values.externalSecrets.minio.rootUserSecretKey | quote }}
+  rootPasswordSecretKey: {{ .Values.externalSecrets.minio.rootPasswordSecretKey | quote }}
 
 commonAnnotations:
   {{ .Values.annotations.servicesExternalMinio.common | toYaml | nindent 2 }}
@@ -222,6 +225,7 @@ provisioning:
           actions:
             - "s3:*"
     {{- end }}
+  {{- if not .Values.externalSecrets.minio.usersExistingSecrets }}
   users:
     - username: {{ .Values.objectstores.migrations.username | quote }}
       password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -267,6 +271,9 @@ provisioning:
         - "dovecot-bucket-policy"
       setPolicies: true
     {{- end }}
+  {{- else }}
+  usersExistingSecrets: {{ .Values.externalSecrets.minio.usersExistingSecrets }}
+  {{- end }}
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
new file mode 100644
index 00000000..b6532d05
--- /dev/null
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -0,0 +1,12 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+externalSecrets:
+  minio:
+    existingSecret: ~
+    rootUserSecretKey: ~
+    rootPasswordSecretKey: ~
+    usersExistingSecrets: []
+...
\ No newline at end of file