diff --git a/karakeep/Dockerfile b/karakeep/Dockerfile index 3f4a07a65..4e1945b10 100644 --- a/karakeep/Dockerfile +++ b/karakeep/Dockerfile @@ -36,7 +36,7 @@ ENV \ DISABLE_NEW_RELEASE_CHECK=true \ BROWSER_WEB_URL="http://127.0.0.1:9222" \ MEILI_ADDR="http://127.0.0.1:7700" \ - MEILI_MASTER_KEY="0uIHQXWthY2L2yqCWGVGu2axN+l4qcDEc+Of/7e8X7bEyZ8k" \ + MEILI_MASTER_KEY="" \ MEILI_NO_ANALYTICS=true \ XDG_CACHE_HOME="/data/cache" @@ -107,6 +107,8 @@ RUN chmod 777 /ha_entrypoint.sh /ha_entrypoint_modif.sh && /ha_entrypoint_modif. ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/bashio-standalone.sh" "/.bashio-standalone.sh" RUN chmod 777 /.bashio-standalone.sh +RUN sed -i "s|/usr/bin/env|/usr/bin/with-contenv|g" /etc/cont-init.d/* + ############ # 5 Labels # ############ diff --git a/karakeep/README.md b/karakeep/README.md index 51f0be2f3..8145f7d77 100644 --- a/karakeep/README.md +++ b/karakeep/README.md @@ -38,7 +38,7 @@ Webui can be found at `:3000`. | Option | Type | Default | Description | |--------|------|---------|-------------| -| `NEXTAUTH_SECRET` | password | **Required** | Secret key for authentication (generate a long random string). | +| `NEXTAUTH_SECRET` | password | | Secret key for authentication (auto-generated if left blank). | | `NEXTAUTH_URL` | str | | Public URL used by NextAuth (optional). | | `DISABLE_SIGNUPS` | bool | `false` | Disable new account signups. | | `MAX_ASSET_SIZE_MB` | int | `4` | Max asset upload size. | 
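Review bot: `MEILI_MASTER_KEY=""` on the new ENV line leaves the image with a defined but empty key, so the search service is only protected if /etc/cont-init.d/91-secrets.sh runs and succeeds before that service starts. Nothing in this hunk stops a start with the empty value, and depending on how Meilisearch is launched that may mean it runs without key enforcement; this needs confirming in the service run script, which is not part of this diff. I would document the dependency above the ENV instruction, for example `# MEILI_MASTER_KEY is filled at start-up by /etc/cont-init.d/91-secrets.sh; services must not start while it is empty`. The ENV block starts and ends outside the hunk.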
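Review bot: The added `sed` rewrites every occurrence of `/usr/bin/env` in every file under /etc/cont-init.d, not only the shebang, so a script body that calls `/usr/bin/env` would be changed as well. Anchoring the expression to the first line limits the change to the interpreter: `RUN sed -i '1s|^#!/usr/bin/env|#!/usr/bin/with-contenv|' /etc/cont-init.d/*`. The target path also differs from the `#!/command/with-contenv bashio` shebang of the 91-secrets.sh added in this commit, so it should be confirmed that `/usr/bin/with-contenv` exists in the base image. A one-line comment saying why the shebangs are rewritten would help the next maintainer.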
@@ -64,7 +64,7 @@ Webui can be found at `:3000`. | `CRAWLER_VIDEO_DOWNLOAD_TIMEOUT_SEC` | int | | Video download timeout. | | `CRAWLER_ENABLE_ADBLOCKER` | bool | `true` | Enable ad blocking in the crawler. | | `CHROME_EXTENSIONS_DIR` | str | `/share/karakeep/extensions` | Host-mounted extensions directory for headless Chromium. | -| `MEILI_MASTER_KEY` | password | | Meilisearch master key. | +| `MEILI_MASTER_KEY` | password | | Meilisearch master key (auto-generated if left blank). | | `MEILI_ADDR` | str | | Meilisearch URL. | | `BROWSER_WEB_URL` | str | | Chromium remote debugging URL. | | `DATA_DIR` | str | | Data directory (leave default). | @@ -97,8 +97,7 @@ comparison to installing any other Hass.io add-on. 1. [Add my Hass.io add-ons repository][repository] to your Hass.io instance. [![Add repository on my Home Assistant][repository-badge]][repository-url] 1. Install this add-on. 1. Click the `Save` button to store your configuration. -1. Set the `NEXTAUTH_SECRET` option to a secure random string. -1. Start the add-on. +1. Start the add-on (secrets are auto-generated if left blank). 1. Check the logs of the add-on to see if everything went well. 1. Open the webUI and complete the onboarding. diff --git a/karakeep/config.yaml b/karakeep/config.yaml index d1e51dbd4..0a5f7bb85 100644 --- a/karakeep/config.yaml +++ b/karakeep/config.yaml @@ -8,7 +8,7 @@ environment: DATA_DIR: /data DISABLE_NEW_RELEASE_CHECK: "true" MEILI_ADDR: http://127.0.0.1:7700 - MEILI_MASTER_KEY: 0uIHQXWthY2L2yqCWGVGu2axN+l4qcDEc+Of/7e8X7bEyZ8k + MEILI_MASTER_KEY: "" MEILI_NO_ANALYTICS: "true" XDG_CACHE_HOME: /data/cache image: ghcr.io/alexbelgium/karakeep-{arch} @@ -30,8 +30,8 @@ options: DATA_DIR: /data MAX_ASSET_SIZE_MB: 4 MEILI_ADDR: http://127.0.0.1:7700 - MEILI_MASTER_KEY: 0uIHQXWthY2L2yqCWGVGu2axN+l4qcDEc+Of/7e8X7bEyZ8k - NEXTAUTH_SECRET: jnE2An0WyIKZvO+WgKJrn8WPW+c3DzV+c9ntBp8CdobTOmpJ + MEILI_MASTER_KEY: "" + NEXTAUTH_SECRET: "" TZ: Etc/UTC ports: 3000/tcp: 3000 
@@ -46,9 +46,9 @@ schema:
 DATA_DIR: str?
 DISABLE_SIGNUPS: bool
 MEILI_ADDR: str?
- MEILI_MASTER_KEY: password
+ MEILI_MASTER_KEY: password?
 MAX_ASSET_SIZE_MB: int?
- NEXTAUTH_SECRET: password
+ NEXTAUTH_SECRET: password?
 NEXTAUTH_URL: str?
 OCR_LANGS: str?
 OCR_CONFIDENCE_THRESHOLD: int(0,100)?
diff --git a/karakeep/rootfs/etc/cont-init.d/91-secrets.sh b/karakeep/rootfs/etc/cont-init.d/91-secrets.sh
new file mode 100755
index 000000000..2d73f9d9e
--- /dev/null
+++ b/karakeep/rootfs/etc/cont-init.d/91-secrets.sh
@@ -0,0 +1,33 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+set -e
+
+generate_secret() {
+ tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
+}
+
+set_option() {
+ local key="$1"
+ local value="$2"
+
+ bashio::addon.option "${key}" "${value}"
+ export "${key}=${value}"
+
+ if [ -d /var/run/s6/container_environment ]; then
+ printf "%s" "${value}" > "/var/run/s6/container_environment/${key}"
+ fi
+}
+
+for key in MEILI_MASTER_KEY NEXTAUTH_SECRET; do
+ if bashio::config.has_value "${key}"; then
+ value="$(bashio::config "${key}")"
+ export "${key}=${value}"
+ if [ -d /var/run/s6/container_environment ]; then
+ printf "%s" "${value}" > "/var/run/s6/container_environment/${key}"
+ fi
+ else
+ bashio::log.warning "${key} is not set. Generating a new value and storing it in addon options."
+ value="$(generate_secret)"
+ set_option "${key}" "${value}"
+ fi
+done
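Review bot: The `bashio::config.has_value` branch of the loop accepts whatever is stored, so an installation that saved its options while the old defaults were in place would presumably keep using the two values this commit removes from config.yaml, which stay public in the repository history. The loop should treat those former defaults as unset and fall through to the generation branch; the sketch below adds a small predicate and changes only the `if` condition, with the two quoted placeholders standing for the removed values. Rotating the keys may invalidate existing sessions and anything derived from the Meilisearch master key, so the warning text should say that a published default was replaced. The export and s6 environment-file lines also appear twice, in `set_option` and in the first branch, and could share one helper.

```bash
# … unchanged: generate_secret, set_option …

# True when the value is one of the defaults previously shipped in config.yaml.
# The two quoted strings are placeholders for the values removed by this commit.
is_former_default() {
    case "$1" in
        "<former MEILI_MASTER_KEY default>" | "<former NEXTAUTH_SECRET default>") return 0 ;;
    esac
    return 1
}

for key in MEILI_MASTER_KEY NEXTAUTH_SECRET; do
    if bashio::config.has_value "${key}" && ! is_former_default "$(bashio::config "${key}")"; then
        # … unchanged: export and s6 environment write of the configured value …
    else
        # … unchanged: warning, generate_secret, set_option …
    fi
done
```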