diff --git a/service/files/ca.pem.j2 b/service/files/ca.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 1af9da4..c35a01e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -15,6 +15,8 @@ configs:
     node: null
     port:
       cont: 3306
+    tls:
+      enabled: false
     url:
       percona:
         debian:
diff --git a/service/files/my.cnf.j2 b/service/files/my.cnf.j2
index 4dc5e4e..276742d 100644
--- a/service/files/my.cnf.j2
+++ b/service/files/my.cnf.j2
@@ -31,4 +31,16 @@ wsrep_provider = /usr/lib/galera3/libgalera_smm.so
 wsrep_cluster_name = {{ percona.cluster_name }}
 wsrep_sst_method = xtrabackup-v2
 wsrep_sst_auth = "xtrabackup:{{ percona.xtrabackup_password }}"
-wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes"
+wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes{% if percona.tls.enabled and security.tls.enabled %},socket.ssl=yes;socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem"{% endif %}
+
+{% if percona.tls.enabled and security.tls.enabled %}
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+
+[sst]
+encrypt = 4
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+{% endif %}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
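Review bot: The rewritten `wsrep_provider_options` line in my.cnf.j2 places the value's closing `"` inside the `{% if %}` block, so whenever `percona.tls.enabled` or `security.tls.enabled` is false the rendered line is `wsrep_provider_options = "gcache.size=...;gcache.recover=yes` with no closing quote, which breaks the non-TLS configuration this change is supposed to leave untouched. The added options are also joined to `gcache.recover=yes` with `,` while every other separator in that value is `;`. Keeping the quote outside the conditional and using the same separator gives `...gcache.recover=yes{% if percona.tls.enabled and security.tls.enabled %};socket.ssl=yes;socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem{% endif %}"`. The section that the first three `ssl-*` keys land in starts outside the hunk; those keys make the server TLS-capable but nothing in the hunk requires clients to use TLS, so whether plaintext client connections are still acceptable should be confirmed against the deployment's expectations.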
diff --git a/service/galera.yaml b/service/galera.yaml
index a898206..b6a9b4b 100644
--- a/service/galera.yaml
+++ b/service/galera.yaml
@@ -63,6 +63,11 @@ service:
         - entrypoint
         - mycnf
         - galera-checker
+        # {% if percona.tls.enabled %}
+        - ca.pem
+        - server-key.pem
+        - server-cert.pem
+        # {% endif %}
       dependencies:
         - etcd
       command: /opt/ccp/bin/entrypoint.py
@@ -86,3 +91,17 @@ files:
     path: /opt/ccp/bin/haproxy_entrypoint.py
     content: haproxy_entrypoint.py
     perm: "0755"
+# {% if percona.tls.enabled %}
+  ca.pem:
+    path: /etc/mysql/certs/ca.pem
+    content: ca.pem.j2
+    perm: "0400"
+  server-key.pem:
+    path: /etc/mysql/certs/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  server-cert.pem:
+    path: /etc/mysql/certs/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+# {% endif %}
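Review bot: Both hunks in galera.yaml gate the certificate files on `# {% if percona.tls.enabled %}` alone, whereas my.cnf.j2 in the same change turns TLS on only under `percona.tls.enabled and security.tls.enabled`. With `percona.tls.enabled` true and `security.tls.enabled` false the three `.pem` templates are still rendered and mounted at `/etc/mysql/certs/` while my.cnf never references them, and ca.pem.j2 / server-cert.pem.j2 / server-key.pem.j2 would then render whatever `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key` evaluate to in that state. Using the same condition in both hunks, `# {% if percona.tls.enabled and security.tls.enabled %}`, keeps the file list and the rendered config in step. `perm: "0400"` on server-key.pem is the right restriction, assuming the file is written as the user mysqld runs as; ownership is not visible in this change.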