diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8ca3c63..eb03027 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -21,4 +21,7 @@ repos: rev: v0.1.17 hooks: - id: kubeconform-helm - args: [--strict] + args: + - --summary + - --strict + - --values-dir postal/ci diff --git a/postal/README.md b/postal/README.md index 3a6cb98..6529bae 100644 --- a/postal/README.md +++ b/postal/README.md @@ -37,7 +37,9 @@ A Helm chart for Kubernetes | global.existingSecretName | string | `""` | | | global.maximumDeliveryAttempts | int | `18` | | | global.maximumHoldExpiryDays | int | `7` | | +| global.railsSecretKey | string | `""` | the secret key used to sign and encrypt cookies and session data in the application. Generate it using openssl rand -hex 64 | | global.secretName | string | `"postal"` | | +| global.signingKey | string | `""` | key used to sign emails. Generate it using openssl genrsa -out path/to/signing.key 2048 | | global.smtpHostname | string | `"localhost"` | | | global.smtpRelays | string | `""` | | | global.spamFailureThreshold | int | `20` | | diff --git a/postal/ci/base-values.yaml b/postal/ci/base-values.yaml index 58d364f..d8b6d61 100644 --- a/postal/ci/base-values.yaml +++ b/postal/ci/base-values.yaml 
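Review bot: In the .pre-commit-config.yaml hunk, `- --values-dir postal/ci` is a single list item, so pre-commit passes the hook one argument containing a space rather than a flag followed by its value. Whether kubeconform-helm splits that string itself is not visible here. If it does not, the CI values files are not picked up and the chart is linted without the keys that secret.yaml now requires. Writing it as two items, `- --values-dir` and `- postal/ci`, removes the ambiguity.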
@@ -1,2 +1,34 @@ +global: + railsSecretKey: 61a476b314ca633b67734951b4565f1f27489195e3ba0be5b569e4385d776cd126c3000df6c046de338719c14d36c8a7867140a741e76b6ea3d4a15b11c6af94 + signingKey: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7FSCnvzdKiA7d + +q47EXn4gXx96+maosDtg49W+AF6owNilF/ptAIE8Cm+NLIOZ/bQnIL1n1yP72iN + rPtJylDNfoYJMyzCBmQib/8RqBVCDXnR0KbrMoogeofAVbUY75iw+B+S2ZbGv97I + A+5k5r5feZWvzoRHSNk5Bn11/Eg1DhnIvqtvPtKmaHetJAVBO299cB+mALUzQE5X + KLU8EVEAPF6AGaEtDuHGdvkn3gNGlaiEQ46/MsEWoLSSJxCaxyImZTtYFuTK0lQM + bS3a8lL/Wl0RuMX0XLCNJim3QYQPxmghieK/khXCKKaslHIIMEkCiPBkmot/Mipw + iu9ih531AgMBAAECggEAU6puMTbdxlI0u+dJFheJwa4++52Oml5hA5eLeixtlOfk + MqkCf+TF5ml1cZ/lZXXvNnpYQvqjDafWzU1oECcPnecQkHq3cIolLBWEL+RIpYKb + UU8L5zFx/nZt0YFC/UTht3svu5/dw0K5oh/H9I4Q42ffnoEwPSUCKHOTljleHYNN + WQSlxo+j1XETmVcJBASJ977aXFDOyxL+/4qFLGRq7J9ru9VWYK2VZ5mXx22tdnXu + NIu11FD3SnFduKSpS1T0ZX51b680w+i4cy5mjwC1H0u4yYYSvVpMxOjxWqrqInr2 + hnmzGKKwFQX/tlZlJ3Fsi234NvAbd0ZCUUTOaZ33fQKBgQDvCaUTEGAkb9TlPcN3 + L9KvQvxVCtK0Fg537vDZtQMxAdyVZDR8zFeytat4XldXKf7/7XIwt1RSVny04wPn + 4jWaEcYlw4H+UHDPDq8sawp3/k3vonorh1eM4ZIlzOWyMUBEMDn5X3XEe+n+K89d + R16Lv8oGCF9zc+BHpn0vVwRCjwKBgQDIW6qQVT/f8mMIsCWVyfJ+j0rRHuLTTXIs + 5ECn2tuTV2J2xnHV/EBgTyjPhR0DBNg7Q4R5XF5PNOXeY1g2jDraQnzWPIX6UmYX + 3ye9PkPdIqJWWNm3nOcBEirpGFxsmQgDj1gFYBhUCXpepBdfl4ssWPzzfRiUj2fZ + GRvXfBbJOwKBgQCp5A36HbJnU0BZ6erp5Ah23kIfY0DcE60W2rE92mQ5SZxwZTbU + 2BsgffQv6cVjwwpk9WsqarI4jxW1LoARJ/p21Vkib/ENQjjbQRGJnU5keE8GGVGB + bIDyNUQ9L4K1gkGt9STPM2StUHC/YH3SSy5MXvSEEyFcGih2ZEMnCU6SywKBgGUt + XTGryyjFF1vA0AoXRBzDMa3u4e6AsoKW9UuOismaHEAMsFm2G7BG6T36Y48tuCAd + VV2P1pQ7C0XFdzt8jw+++ZmaULH7QFEXwNKhCdY28jGWhsNhOYph6UdypOG2WcSq + c3GreD2f16rJRIBiX8aSXZJ7/piu3mtUcancoQkXAoGAceHeeqfkgzBIaQ/eyp1/ + 1Ri30uMr2VAEr8SRqPHk940cZVSoPjqdvDph4NpDb2h0Sch1A93K2QH5fKeoTwWb + MtOHJv8UieLT+5AtJp9/1VDI7bTnpj8y9GzYcKKPkiDMa6FOJdBj/qyHATIGyHA8 + wwoL2dTdesL4u1/nRHp19lU= + -----END PRIVATE KEY----- + image: registry: fake.registry 
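Review bot: The added `global:` block commits a complete RSA private key and a 128-character Rails secret in clear text, and the ingress-values.yaml hunk further down adds the identical pair. They look like lint-only fixtures, but nothing in the file says so: secret scanners will flag them, and anyone who copies a CI values file as a starting point inherits a key that is public. I would put `# CI fixture only: this key pair is public, never deploy with it` above `global:` in both files and allowlist the two paths in the scanner deliberately. If the hook only needs the template to render, an obviously fake non-empty string would satisfy `required` without shipping usable key material.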
diff --git a/postal/ci/empty-values.yaml b/postal/ci/empty-values.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/postal/ci/ingress-values.yaml b/postal/ci/ingress-values.yaml
index 1b7e539..2efe201 100644
--- a/postal/ci/ingress-values.yaml
+++ b/postal/ci/ingress-values.yaml
@@ -1,3 +1,35 @@ +global: + railsSecretKey: 61a476b314ca633b67734951b4565f1f27489195e3ba0be5b569e4385d776cd126c3000df6c046de338719c14d36c8a7867140a741e76b6ea3d4a15b11c6af94 + signingKey: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7FSCnvzdKiA7d + +q47EXn4gXx96+maosDtg49W+AF6owNilF/ptAIE8Cm+NLIOZ/bQnIL1n1yP72iN + rPtJylDNfoYJMyzCBmQib/8RqBVCDXnR0KbrMoogeofAVbUY75iw+B+S2ZbGv97I + A+5k5r5feZWvzoRHSNk5Bn11/Eg1DhnIvqtvPtKmaHetJAVBO299cB+mALUzQE5X + KLU8EVEAPF6AGaEtDuHGdvkn3gNGlaiEQ46/MsEWoLSSJxCaxyImZTtYFuTK0lQM + bS3a8lL/Wl0RuMX0XLCNJim3QYQPxmghieK/khXCKKaslHIIMEkCiPBkmot/Mipw + iu9ih531AgMBAAECggEAU6puMTbdxlI0u+dJFheJwa4++52Oml5hA5eLeixtlOfk + MqkCf+TF5ml1cZ/lZXXvNnpYQvqjDafWzU1oECcPnecQkHq3cIolLBWEL+RIpYKb + UU8L5zFx/nZt0YFC/UTht3svu5/dw0K5oh/H9I4Q42ffnoEwPSUCKHOTljleHYNN + WQSlxo+j1XETmVcJBASJ977aXFDOyxL+/4qFLGRq7J9ru9VWYK2VZ5mXx22tdnXu + NIu11FD3SnFduKSpS1T0ZX51b680w+i4cy5mjwC1H0u4yYYSvVpMxOjxWqrqInr2 + hnmzGKKwFQX/tlZlJ3Fsi234NvAbd0ZCUUTOaZ33fQKBgQDvCaUTEGAkb9TlPcN3 + L9KvQvxVCtK0Fg537vDZtQMxAdyVZDR8zFeytat4XldXKf7/7XIwt1RSVny04wPn + 4jWaEcYlw4H+UHDPDq8sawp3/k3vonorh1eM4ZIlzOWyMUBEMDn5X3XEe+n+K89d + R16Lv8oGCF9zc+BHpn0vVwRCjwKBgQDIW6qQVT/f8mMIsCWVyfJ+j0rRHuLTTXIs + 5ECn2tuTV2J2xnHV/EBgTyjPhR0DBNg7Q4R5XF5PNOXeY1g2jDraQnzWPIX6UmYX + 3ye9PkPdIqJWWNm3nOcBEirpGFxsmQgDj1gFYBhUCXpepBdfl4ssWPzzfRiUj2fZ + GRvXfBbJOwKBgQCp5A36HbJnU0BZ6erp5Ah23kIfY0DcE60W2rE92mQ5SZxwZTbU + 2BsgffQv6cVjwwpk9WsqarI4jxW1LoARJ/p21Vkib/ENQjjbQRGJnU5keE8GGVGB + bIDyNUQ9L4K1gkGt9STPM2StUHC/YH3SSy5MXvSEEyFcGih2ZEMnCU6SywKBgGUt + XTGryyjFF1vA0AoXRBzDMa3u4e6AsoKW9UuOismaHEAMsFm2G7BG6T36Y48tuCAd + VV2P1pQ7C0XFdzt8jw+++ZmaULH7QFEXwNKhCdY28jGWhsNhOYph6UdypOG2WcSq + c3GreD2f16rJRIBiX8aSXZJ7/piu3mtUcancoQkXAoGAceHeeqfkgzBIaQ/eyp1/ + 1Ri30uMr2VAEr8SRqPHk940cZVSoPjqdvDph4NpDb2h0Sch1A93K2QH5fKeoTwWb + MtOHJv8UieLT+5AtJp9/1VDI7bTnpj8y9GzYcKKPkiDMa6FOJdBj/qyHATIGyHA8 + wwoL2dTdesL4u1/nRHp19lU= + -----END PRIVATE KEY----- + ingress: enabled: true className: "nginx" 
diff --git a/postal/templates/secret.yaml b/postal/templates/secret.yaml index c0b5535..fa6f083 100644 --- a/postal/templates/secret.yaml +++ b/postal/templates/secret.yaml @@ -12,6 +12,6 @@ metadata: {{- end }} data: mariadb-password: {{ .Values.mariadb.auth.password | b64enc | quote }} - signing-key: {{ $key | b64enc | quote }} - rails-secret-key: {{ $key | b64enc | quote }} + signing-key: {{ .Values.global.signingKey | required "You must provide a global.signingKey value" | b64enc | quote }} + rails-secret-key: {{ .Values.global.railsSecretKey | required "You must provide a global.railsSecretKey value" | b64enc | quote }} {{- end }} diff --git a/postal/values.yaml b/postal/values.yaml index 6c16ed2..f74461d 100644 --- a/postal/values.yaml +++ b/postal/values.yaml @@ -20,6 +20,12 @@ commonsAnnotations: {} global: # use an existing secret instead of the automaticaly generated one existingSecretName: "" + # -- key used to sign emails. + # Generate it using openssl genrsa -out path/to/signing.key 2048 + signingKey: "" + # -- the secret key used to sign and encrypt cookies and session data in the application. + # Generate it using openssl rand -hex 64 + railsSecretKey: "" # The hostname that the Postal web interface runs on webHostname: localhost # The HTTP protocol to use for the Postal web interface
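Review bot: In postal/templates/secret.yaml both keys change from the chart-internal `$key` to mandatory user values, so upgrading an existing release now fails at render time until both are set, and I see no upgrade note in the visible part of the diff. `$key` is defined outside the hunk, so how the old value was produced cannot be checked here. If it was stable across upgrades, operators need to copy the current `signing-key` and `rails-secret-key` out of the existing Secret before upgrading, otherwise mail signing and active sessions are presumably affected by the new keys. A short upgrade section in the README would cover this. The block that the final `{{- end }}` closes also starts outside the hunk.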
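Review bot: In postal/values.yaml the new comments explain how to generate each key but not how to hand it to the chart, and the default reading is to paste both into a values file that then gets committed. I would add a line to the `signingKey` comment, for example `# Supply with --set-file global.signingKey=path/to/signing.key or use existingSecretName; do not commit the key.`, with matching wording for `railsSecretKey`. Values passed through the chart are also kept in the Helm release record, which is one more reason to point production users at `existingSecretName`. The `global:` mapping continues past the end of the hunk.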