diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 1926114..393a22a 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -133,7 +133,7 @@ resource "google_container_cluster" "cluster" {
 ]
 }
- # If a var.gsuite_domain_name is non-empty, initialize the cluster with a G Suite security group
+ # If var.gsuite_domain_name is non-empty, initialize the cluster with a G Suite security group
 dynamic "authenticator_groups_config" {
 for_each = [
 for x in [var.gsuite_domain_name] : x if var.gsuite_domain_name != null
@@ -143,6 +143,18 @@ resource "google_container_cluster" "cluster" {
 security_group = "gke-security-groups@${authenticator_groups_config.value}"
 }
 }
+
+ # If var.secrets_encryption_kms_key is non-empty, create ´database_encryption´ -block to encrypt secrets at rest in etcd
+ dynamic "database_encryption" {
+ for_each = [
+ for x in [var.secrets_encryption_kms_key] : x if var.secrets_encryption_kms_key != null
+ ]
+
+ content {
+ state = "ENCRYPTED"
+ key_name = database_encryption.value
+ }
+ }
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index ddaa041..cc16a63 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -197,3 +197,9 @@ variable "gsuite_domain_name" {
 type = string
 default = null
 }
+
+variable "secrets_encryption_kms_key" {
+ description = "The Cloud KMS key to use for the encryption of secrets in etcd, e.g: projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
+ type = string
+ default = null
+}
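Review bot: The new `database_encryption` block relies on the cluster's GKE service agent already holding `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the supplied key; nothing in this hunk (or the variables.tf hunk) grants that binding, so when the variable is set the apply will presumably fail at cluster creation unless the caller binds it outside the module — either add a `google_kms_crypto_key_iam_member` for the service agent (its identity is of the form `service-<PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com`, to be confirmed against the project in use) or state the prerequisite where the block is introduced. The comment also says "non-empty" while the `for_each` filter only tests `!= null`, so an empty string would be passed through as `key_name = ""`; that mirrors the existing `authenticator_groups_config` pattern, but `if var.secrets_encryption_kms_key != null && var.secrets_encryption_kms_key != ""` would make the comment true. I would replace the comment (which also uses stray acute accents around the block name) with `# If var.secrets_encryption_kms_key is set, add a database_encryption block so Kubernetes secrets are encrypted at rest in etcd with that Cloud KMS key; the GKE service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key.` The enclosing `resource "google_container_cluster" "cluster"` starts before this hunk.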
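Review bot: `secrets_encryption_kms_key` accepts any string, so a mistyped resource path is only reported by the API during the cluster create call; if the module targets Terraform 0.13 or later, a `validation` block that pins the `projects/…/locations/…/keyRings/…/cryptoKeys/…` form while still allowing the `null` default turns that into an immediate plan-time error. The description's example uses a `global` location — as far as I recall GKE expects the key ring to be in the same location as the cluster, so an example with a regional key ring would be less likely to be copied into a failing configuration; worth confirming against the provider documentation before changing the wording. A validation block along these lines:

```hcl
variable "secrets_encryption_kms_key" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.secrets_encryption_kms_key == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.secrets_encryption_kms_key))
    error_message = "The secrets_encryption_kms_key value must be a full Cloud KMS key resource name: projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>."
  }
}
```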