diff --git a/superset/helm/superset/Chart.yaml b/superset/helm/superset/Chart.yaml
index 5ef3f3b90..1c94ec6ff 100644
--- a/superset/helm/superset/Chart.yaml
+++ b/superset/helm/superset/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: superset
 description: A Helm chart for superset on plural
 type: application
-version: 0.2.10
+version: 0.2.11
 appVersion: "2.1.0"
 dependencies:
 - name: superset
diff --git a/superset/helm/superset/templates/reencrypt-secrets.yaml b/superset/helm/superset/templates/reencrypt-secrets.yaml
new file mode 100644
index 000000000..c2ac800f3
--- /dev/null
+++ b/superset/helm/superset/templates/reencrypt-secrets.yaml
@@ -0,0 +1,64 @@
+{{ if .Values.reencrypt }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    job-name: superset-reencrypt-secrets
+  name: superset-reencrypt-secrets
+spec:
+  backoffLimit: 6
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        job-name: superset-reencrypt-secrets
+      name: superset-reencrypt-secrets
+    spec:
+      containers:
+      - command:
+        -  /bin/sh
+        - -c
+        - "superset re-encrypt-secrets"
+        env:
+        - name: DB_PASS
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: superset.plural-superset.credentials.postgresql.acid.zalan.do
+        envFrom:
+        - secretRef:
+            name: superset-env
+        image: dkr.plural.sh/superset/apache/superset:2.1.0-plural1.1.1
+        imagePullPolicy: Always
+        name: superset-init-db
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /app/pythonpath
+          name: superset-config
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      initContainers:
+      - command:
+        - /bin/sh
+        - -c
+        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s
+        envFrom:
+        - secretRef:
+            name: superset-env
+        image: jwilder/dockerize:latest
+        imagePullPolicy: IfNotPresent
+        name: wait-for-postgres
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      restartPolicy: Never
+      securityContext:
+        runAsUser: 0
+      volumes:
+      - name: superset-config
+        secret:
+          defaultMode: 420
+          secretName: superset-config
+{{ end }}
\ No newline at end of file
diff --git a/superset/helm/superset/values.yaml b/superset/helm/superset/values.yaml
index e0f0d6089..c7f7f34d7 100644
--- a/superset/helm/superset/values.yaml
+++ b/superset/helm/superset/values.yaml
@@ -109,6 +109,7 @@ configOverlays:
     - path: ['superset', 'superset', 'redis', 'master', 'resources', 'requests', 'memory']
 
 superset:
+  reencrypt: true
   image:
     repository: dkr.plural.sh/superset/apache/superset
     tag: 2.1.0-plural1.1.1
diff --git a/superset/helm/superset/values.yaml.tpl b/superset/helm/superset/values.yaml.tpl
index d95bc0163..3777b7b6d 100644
--- a/superset/helm/superset/values.yaml.tpl
+++ b/superset/helm/superset/values.yaml.tpl
@@ -9,7 +9,12 @@ global:
     - description: superset web ui
       url: {{ .Values.hostname }}
 
+{{ $secretKey := dedupe . "superset.secretKey" (randAlphaNum 26) }}
+secretKey: {{ $secretKey }}
+
 superset:
+  extraSecretEnv:
+    SUPERSET_SECRET_KEY: {{ $secretKey }}
   init:
     adminUser:
       username: {{ .Values.username }}
@@ -83,5 +88,8 @@ superset:
       # force users to re-auth after 1d
       PERMANENT_SESSION_LIFETIME = 60 * 60 * 24
 
+      PREVIOUS_SECRET_KEY = "thisISaSECRET_1234"
+      SECRET_KEY = "{{ $secretKey }}"
+
       ENABLE_PROXY_FIX = True
   {{ end }}
\ No newline at end of file