diff --git a/roles/kubectl/tasks/main.yml b/roles/kubectl/tasks/main.yml
index 3f84c6d..20fe319 100644
--- a/roles/kubectl/tasks/main.yml
+++ b/roles/kubectl/tasks/main.yml
@@ -75,3 +75,9 @@
 client_cert: admin
 loop_control:
 loop_var: service
+
+- name: Create encryption config file
+ template:
+ src: "templates/encryption-config.yaml.j2"
+ dest: "{{k8s_encryption_config_directory}}/encryption-config.yaml"
+ mode: 0600
diff --git a/roles/kubectl/templates/encryption-config.yaml.j2 b/roles/kubectl/templates/encryption-config.yaml.j2
new file mode 100644
index 0000000..bb8eba5
--- /dev/null
+++ b/roles/kubectl/templates/encryption-config.yaml.j2
@@ -0,0 +1,11 @@
+kind: EncryptionConfig
+apiVersion: v1
+resources:
+ - resources:
+ - secrets
+ providers:
+ - aescbc:
+ keys:
+ - name: key1
+ secret: {{k8s_encryption_config_key}}
+ - identity: {}
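Review bot: The new `Create encryption config file` task writes the API server's encryption key to disk but does not suppress task output, so a run with `--diff` or raised verbosity can print the rendered key to the terminal and to any CI log; adding `no_log: true` to the task keeps it out. The task also leaves ownership to whichever user the play runs as, so with `mode: 0600` the file is readable by kube-apiserver only if that happens to be the same account; set `owner:` and `group:` explicitly. Writing the mode as `mode: "0600"` avoids relying on YAML 1.1 octal parsing.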
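Review bot: `secret: {{k8s_encryption_config_key}}` is rendered unquoted, so an empty value produces a null `secret` that is only noticed when the API server reads the file; I would write `secret: "{{ k8s_encryption_config_key }}"` and have the role fail early when the variable is empty. This key is the whole protection for secrets at rest, so it should come from Ansible Vault or another secret store rather than plain group vars; where it is defined is not visible in this diff. The Kubernetes documentation now lists `aescbc` as not recommended because of CBC padding-oracle weaknesses, so `secretbox` or a KMS provider is worth considering if the target version supports it. `kind: EncryptionConfig` with `apiVersion: v1` is the older format of this file, and newer API servers expect `EncryptionConfiguration` under `apiserver.config.k8s.io/v1`, so confirm it matches the cluster version this role targets.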