diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl
index 77d4207..5b8239b 100644
--- a/charts/kellnr/templates/_helpers.tpl
+++ b/charts/kellnr/templates/_helpers.tpl
@@ -80,10 +80,10 @@ Cookie signing key used by Kellnr.
 Note: Helm templates don't have a "bytes" unit here; we can only validate string length.
 */}}
 {{- define "kellnr.cookieSigningKey" -}}
-{{- $key := default "" .Values.kellnr.registry.cookieSigningKey -}}
+{{- $key := default "" .Values.kellnr.registry.cookieSecret.cookieSigningKey -}}
 {{- if ne $key "" -}}
 {{- if lt (len $key) 64 -}}
- {{- fail "kellnr.registry.cookieSigningKey must be at least 64 characters" -}}
+ {{- fail "kellnr.registry.cookieSecret.cookieSigningKey must be at least 64 characters" -}}
 {{- end -}}
 {{- $key -}}
 {{- else -}}
@@ -139,10 +139,6 @@ KELLNR_REGISTRY__TOKEN_DB_RETRY_COUNT: {{ .Values.kellnr.registry.token.db.retry
 {{ if not (eq .Values.kellnr.registry.token.db.retryDelayMs nil) }}
 KELLNR_REGISTRY__TOKEN_DB_RETRY_DELAY_MS: {{ .Values.kellnr.registry.token.db.retryDelayMs | quote }}
 {{ end }}
-{{ $cookieKey := include "kellnr.cookieSigningKey" . }}
-{{ if ne $cookieKey "" }}
-KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }}
-{{ end }}
 {{ if .Values.kellnr.registry.requiredCrateFields }}
 KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS: {{ .Values.kellnr.registry.requiredCrateFields | quote }}
 {{ end }}
diff --git a/charts/kellnr/templates/deployment.yaml b/charts/kellnr/templates/deployment.yaml
index 3e37772..574f64c 100644
--- a/charts/kellnr/templates/deployment.yaml
+++ b/charts/kellnr/templates/deployment.yaml
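Review bot: The helper now reads only `.Values.kellnr.registry.cookieSecret.cookieSigningKey`, so a values file that still sets the old `kellnr.registry.cookieSigningKey` is silently ignored on upgrade and the operator loses their fixed signing key with no error, which is exactly the kind of change that should fail loudly for a secret. A guard on the line after the `define` would do it: `{{- if .Values.kellnr.registry.cookieSigningKey }}{{- fail "kellnr.registry.cookieSigningKey has moved to kellnr.registry.cookieSecret.cookieSigningKey" }}{{- end }}`. The renamed `fail` message on the length check is consistent with the new path, so nothing else in this hunk needs to change. The define's `else` branch lies outside the hunk, so I cannot see what the helper yields when no key is configured.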
@@ -90,6 +90,11 @@ spec:
 valueFrom:
 secretKeyRef: {{ toYaml .Values.kellnr.postgres.pwdSecretRef | nindent 16 }}
 {{- end }}
+ {{- if .Values.kellnr.registry.cookieSecret.enabled }}
+ - name: KELLNR_REGISTRY__COOKIE_SECRET
+ valueFrom:
+ secretKeyRef: {{ toYaml .Values.kellnr.registry.cookieSecret.cookieSecretRef | nindent 16 }}
+ {{- end }}
 {{- if and .Values.kellnr.oauth2.enabled .Values.kellnr.oauth2.clientSecretRef.name }}
 - name: KELLNR_OAUTH2__CLIENT_SECRET
 valueFrom:
diff --git a/charts/kellnr/templates/secret-cookie.yaml b/charts/kellnr/templates/secret-cookie.yaml
new file mode 100644
index 0000000..49a7a08
--- /dev/null
+++ b/charts/kellnr/templates/secret-cookie.yaml
@@ -0,0 +1,9 @@
+{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}
+{{ if and .Values.kellnr.registry.cookieSecret.enabled (not (empty $cookieKey)) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.kellnr.registry.cookieSecret.cookieSecretRef.name }}
+stringData:
+ {{ .Values.kellnr.registry.cookieSecret.cookieSecretRef.key }}: {{ $cookieKey | quote }}
+{{- end }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
index 0e91657..d08a30f 100644
--- a/charts/kellnr/values.yaml
+++ b/charts/kellnr/values.yaml
@@ -88,8 +88,13 @@ kellnr:
 # Used to sign the session cookie. Must be at least 64 bytes.
 # If empty, a random 64-byte value is generated by the chart (when `secret.enabled: true`).
- # When `secret.enabled: false`, you should set this to a fixed value.
- cookieSigningKey: ""
+ # When `secret.enabled: false`, set cookieSecret.enable to true and set cookieSecret.cookieSigningKey to a fixed value.
+ cookieSecret:
+ enabled: false
+ cookieSigningKey: ""
+ cookieSecretRef:
+ name: kellnr-cookie-secret
+ key: cookieSigningKey
 docs:
 enabled: null # false
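Review bot: The new `secretKeyRef` entry is rendered whenever `cookieSecret.enabled` is true, but `secret-cookie.yaml` in this same commit renders the Secret only when `$cookieKey` is also non-empty, so `enabled: true` with an empty `cookieSigningKey` produces a Deployment that references a Secret the chart never creates and the pod will not start unless that Secret exists out of band (this assumes the helper's `else` branch, which is outside the hunk, can yield an empty string, as the `not (empty $cookieKey)` test in the new template suggests). Either make the two conditions identical, e.g. `{{- if and .Values.kellnr.registry.cookieSecret.enabled (ne (include "kellnr.cookieSigningKey" .) "") }}`, or document in values.yaml that an empty key with `enabled: true` is the supported way to point at an externally managed Secret. The variable is named `KELLNR_REGISTRY__COOKIE_SECRET` while the ConfigMap entry removed in `_helpers.tpl` was `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`; the chart alone does not show which name the application reads, so please confirm against Kellnr's configuration before merging. The enclosing `env:` list starts outside the hunk.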
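Review bot: The new template has no header explaining its two rendering conditions or the collision they allow: if an operator points `cookieSecretRef.name` at a Secret they manage themselves but also leaves `cookieSigningKey` set, this file renders a Secret of the same name and Helm will either refuse the release because the object is not owned by it or, on an adopted object, overwrite the operator's key. A comment such as `{{/* Cookie-signing Secret. Rendered only when cookieSecret.enabled is true and a key was supplied; leave cookieSigningKey empty to reference a Secret created outside the chart under cookieSecretRef. */}}` on the first line would make the contract visible. The Secret also carries no `labels:` block; if the other templates in this chart stamp a shared labels helper (not visible here), this one should do the same so the object is selected and cleaned up with the release. The `{{ if ... -}}` on the second line is fine only because the first line trims its trailing newline; using `{{- if` there would make it robust to edits of line one.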
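Review bot: The new comment says `cookieSecret.enable`, but the key introduced directly below is `cookieSecret.enabled`; Helm does not reject unknown values keys, so an operator who copies the comment gets a setting that is silently ignored. I would also have the comments spell out the resulting modes rather than a single sentence, e.g. `# enabled: true and cookieSigningKey set -> the chart creates the Secret named in cookieSecretRef`, `# enabled: true and cookieSigningKey empty -> the Deployment references a pre-existing Secret at cookieSecretRef`, `# enabled: false -> no Secret and no env var are rendered`. The line above still refers to `secret.enabled`; if that is not a separate chart value, it is stale now that the switch is `cookieSecret.enabled`. The hunk's line counts do not match the lines visible here, so context lines may have been dropped in rendering.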