diff --git a/internal/configuration/sources/files/reader.go b/internal/configuration/sources/files/reader.go
index c5042963..1809f4dc 100644
--- a/internal/configuration/sources/files/reader.go
+++ b/internal/configuration/sources/files/reader.go
@@ -51,7 +51,7 @@ func (s *Source) Get(key string) (value string, isSet bool) {
 	// Special file handling
 	switch key {
 	// TODO timezone from /etc/localtime
-	case "client.crt", "client.key":
+	case "client.crt", "client.key", "openvpn_encrypted_key":
 		value, isSet, err := ReadPEMFile(path)
 		if err != nil {
 			s.warner.Warnf("skipping %s: parsing PEM: %s", path, err)
@@ -85,6 +85,8 @@ func (s *Source) KeyTransform(key string) string {
 		return "client.key"
 	case "OPENVPN_CERT":
 		return "client.crt"
+	case "OPENVPN_ENCRYPTED_KEY":
+		return "openvpn_encrypted_key"
 	default:
 		key = strings.ToLower(key) // HTTPROXY_USER -> httpproxy_user
 		return key
diff --git a/internal/configuration/sources/secrets/reader.go b/internal/configuration/sources/secrets/reader.go
index 9459aa86..59bc07cb 100644
--- a/internal/configuration/sources/secrets/reader.go
+++ b/internal/configuration/sources/secrets/reader.go
@@ -54,7 +54,7 @@ func (s *Source) Get(key string) (value string, isSet bool) {
 	// Special file parsing
 	switch key {
 	// TODO timezone from /etc/localtime
-	case "openvpn_clientcrt", "openvpn_clientkey":
+	case "openvpn_clientcrt", "openvpn_clientkey", "openvpn_encrypted_key":
 		value, isSet, err := files.ReadPEMFile(path)
 		if err != nil {
 			s.warner.Warnf("skipping %s: parsing PEM: %s", path, err)
@@ -97,6 +97,8 @@ func (s *Source) KeyTransform(key string) string {
 		return "openvpn_clientkey"
 	case "OPENVPN_CERT":
 		return "openvpn_clientcrt"
+	case "OPENVPN_ENCRYPTED_KEY":
+		return "openvpn_encrypted_key"
 	default:
 		key = strings.ToLower(key) // HTTPROXY_USER -> httpproxy_user
 		return key