diff --git a/docs/external-secrets.md b/docs/external-secrets.md new file mode 100644 index 00000000..c3bf46bb --- /dev/null +++ b/docs/external-secrets.md @@ -0,0 +1,40 @@ + + +

External Secrets

+ +This document covers how to utilise external secrets and special requirements. + + +* [General](#general) +* [Components](#components) + * [MinIO](#minio) + + +# General + +For most components when set the external secret will supersede e.g. a password in a `values.yaml` file. + +The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk. + +# Components + +This section covers information and special requirements to external secrets that some Helm Charts expect. + +## MinIO + +Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in external secrets listed in `usersExistingSecrets` have to be formatted as follows: + +```yaml +stringData: + username1: | + username=test-username + password=test-password + disabled=false + policies=readwrite,consoleAdmin,diagnostics + setPolicies=fa +``` + +Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them. diff --git a/docs/security.md b/docs/security.md index 3dd47fbb..fd53137e 100644 --- a/docs/security.md +++ b/docs/security.md @@ -1,4 +1,5 @@ @@ -8,9 +9,10 @@ SPDX-License-Identifier: Apache-2.0 This document covers the current status of security measures. -* [Helm chart trust chain](#helm-chart-trust-chain) -* [Kubernetes security enforcements](#kubernetes-security-enforcements) -* [Network policies](#network-policies) +* [Helm Chart Trust Chain](#helm-chart-trust-chain) +* [Kubernetes Security Enforcements](#kubernetes-security-enforcements) +* [NetworkPolicies](#networkpolicies) +* [External Secrets](#external-secrets) # Helm chart trust chain 
@@ -49,3 +51,9 @@ security: otterizeIntents: enabled: true ``` + +# External Secrets + +We urge you to use external secrets for your confidential credentials. + +For further explanation and documentation please visit [External Secrets](./docs/external-secrets.md).
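Review bot: in the new `docs/external-secrets.md` file, the `setPolicies=fa` line of the `usersExistingSecrets` example is a truncated value; the field is a boolean, so it should read `setPolicies=false` (or `true`) to match the upstream Bitnami example it is copied from, otherwise anyone pasting the snippet ships an invalid user entry. Two smaller points in the same hunk: the link text says `external_secrets.yaml` while the path is `external_secrets.yaml.gotmpl`, and the final paragraph ("we have to create key-value-pairs of the passwords") should name the expected secret key(s) so that the MinIO password and its plain key-value copy can be kept in sync when credentials are rotated.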
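Review bot: in the `@@ -8,9 +9,10 @@` hunk of `docs/security.md`, changing the TOC entry to `[NetworkPolicies](#networkpolicies)` also changes the anchor from `#network-policies`, but no matching rename of the `# Network policies` heading appears in this diff (the visible `# Helm chart trust chain` heading keeps its old wording), so the link will stop resolving. Either keep `#network-policies` or include the heading change in this patch.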
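Review bot: in the `@@ -49,3 +51,9 @@` hunk, the link `[External Secrets](./docs/external-secrets.md)` is relative to `docs/security.md`, so it resolves to `docs/docs/external-secrets.md`; it should be `./external-secrets.md`. The "We urge you to use external secrets" sentence would also land better with its reason stated, namely that credentials placed in `values.yaml` end up in git history and in the Helm release objects, whereas an external secret keeps them out of both.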