diff --git a/Cargo.lock b/Cargo.lock
index 4910602..5f894f5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1202,6 +1202,15 @@ dependencies = [
 "version_check",
 ]
+[[package]]
+name = "figment_file_provider_adapter"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c33106424fdbb9b1fd89c18072ba94666496a8a468178911b832a3e406988500"
+dependencies = [
+ "figment",
+]
+
 [[package]]
 name = "firestorm"
 version = "0.5.1"
@@ -2111,6 +2120,7 @@ dependencies = [
 "cron",
 "derive_builder",
 "figment",
+ "figment_file_provider_adapter",
 "futures",
 "futures-util",
 "hmac 0.10.1",
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 5536b46..6e7e57f 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,20 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
-for SECRET in LLDAP_JWT_SECRET LLDAP_LDAP_USER_PASS LLDAP_SMTP_OPTIONS__PASSWORD; do
- FILE_VAR="${SECRET}_FILE"
- SECRET_FILE="${!FILE_VAR:-}"
- if [[ -n "$SECRET_FILE" ]]; then
- if [[ -f "$SECRET_FILE" ]]; then
- declare "$SECRET=$(cat $SECRET_FILE)"
- export "$SECRET"
- echo "[entrypoint] Set $SECRET from $SECRET_FILE"
- else
- echo "[entrypoint] Could not read contents of $SECRET_FILE (specified in $FILE_VAR)" >&2
- fi
- fi
-done
-
 CONFIG_FILE=/data/lldap_config.toml
 if [[ ( ! -w "/data" ) ]] || [[ ( ! -d "/data" ) ]]; then
diff --git a/server/Cargo.toml b/server/Cargo.toml
index 1ef8764..9fb2c77 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -19,6 +19,7 @@ base64 = "0.13"
 bincode = "1.3"
 cron = "*"
 derive_builder = "0.10.2"
+figment_file_provider_adapter = "0.1"
 futures = "*"
 futures-util = "*"
 hmac = "0.10"
diff --git a/server/src/infra/configuration.rs b/server/src/infra/configuration.rs
index 9a6f39a..63bce2f 100644
--- a/server/src/infra/configuration.rs
+++ b/server/src/infra/configuration.rs
@@ -279,11 +279,13 @@ where
 overrides.general_config().config_file
 );
+ use figment_file_provider_adapter::FileAdapter;
+ let ignore_keys = ["key_file", "cert_file"];
 let mut config: Configuration = Figment::from(Serialized::defaults(
 ConfigurationBuilder::default().private_build().unwrap(),
 ))
- .merge(Toml::file(config_file))
- .merge(Env::prefixed("LLDAP_").split("__"))
+ .merge(FileAdapter::wrap(Toml::file(config_file)).ignore(&ignore_keys))
+ .merge(FileAdapter::wrap(Env::prefixed("LLDAP_").split("__")).ignore(&ignore_keys))
 .extract()?;
 overrides.override_config(&mut config);
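Review bot: The `ignore_keys` list added just before the `Figment::from` chain is now the only thing that keeps a genuine path setting from being treated as a secret indirection, and nothing in the code says so. The removed entrypoint loop handled three named variables, whereas `FileAdapter::wrap` on both the TOML provider and the `LLDAP_` env provider appears to apply the `_file` suffix rule to every key, so a future option whose name ends in `_file` would have its value replaced by file contents unless it is added to this list. I would put a comment above the list, for example `// Options that are themselves paths; any other key ending in "_file" is read as a file and its contents become the value.` It is also worth confirming that the adapter strips a trailing newline the way `$(cat ...)` did, and deciding whether an unreadable secret file should now abort startup where the script only logged and continued, since both change how mounted secrets such as the JWT secret behave. The enclosing function starts and ends outside this hunk.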