diff --git a/readme.md b/readme.md
index 82b0b32..516b0c0 100644
--- a/readme.md
+++ b/readme.md
@@ -29,6 +29,10 @@ To stop all the containers, you can ctrl+c, or
 
     ./scripts/down
 
+To generate secrets for all services
+
+    ./scripts/secrets
+
 ## port forwarding
 
 The caddy service expects to be able to bind to ports 80 and 443
diff --git a/scripts/generate-secrets b/scripts/generate-secrets
new file mode 100755
index 0000000..a0e5470
--- /dev/null
+++ b/scripts/generate-secrets
@@ -0,0 +1,4 @@
+echo generating zitadel secrets; {
+	openssl rand -hex 16 | tr -d '\n' >! secrets/auth/zitadel/MASTER_KEY
+	openssl rand -hex 32 | tr -d '\n' >! secrets/auth/zitadel/STORAGE_PASSWORD
+}
diff --git a/services/secrets/generate-secrets b/services/secrets/generate-secrets
index 914c078..bebe96e 100755
--- a/services/secrets/generate-secrets
+++ b/services/secrets/generate-secrets
@@ -9,5 +9,5 @@ set -o pipefail
 for secret in /secrets/*/*/* ; do
   test -d "$secret" && rmdir "$secret"
   test -s "$secret" && continue
-  openssl rand -hex 64 > $secret
+  openssl rand -hex ${2:-64} > $secret
 done