diff --git a/README.md b/README.md
index 7ff12e3..2a5a697 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,8 @@ env vars
 * **POSTMOOGLE_TLS_CERT** - path to your SSL certificate (chain)
 * **POSTMOOGLE_TLS_KEY** - path to your SSL certificate's private key
 * **POSTMOOGLE_TLS_REQUIRED** - require TLS connection, **even** on the non-TLS port (`POSTMOOGLE_PORT`). TLS connections are always required on the TLS port (`POSTMOOGLE_TLS_PORT`) regardless of this setting.
-* **POSTMOOGLE_NOENCRYPTION** - disable encryption support
+* **POSTMOOGLE_DATA_SECRET** - secure key (password) to encrypt account data, must be 16, 24, or 32 bytes long
+* **POSTMOOGLE_NOENCRYPTION** - disable matrix encryption (libolm) support
 * **POSTMOOGLE_STATUSMSG** - presence status message
 * **POSTMOOGLE_SENTRY_DSN** - sentry DSN
 * **POSTMOOGLE_LOGLEVEL** - log level
diff --git a/bot/settings_bot.go b/bot/settings_bot.go
index 23e1dfe..94fa98e 100644
--- a/bot/settings_bot.go
+++ b/bot/settings_bot.go
@@ -68,8 +68,7 @@ func (b *Bot) initBotUsers() ([]string, error) {
 }
 func (b *Bot) getBotSettings() botSettings {
- config := botSettings{}
- err := b.lp.GetAccountData(acBotSettingsKey, &config)
+ config, err := b.lp.GetAccountData(acBotSettingsKey)
 if err != nil {
 b.log.Error("cannot get bot settings: %v", utils.UnwrapError(err))
 }
diff --git a/bot/settings_room.go b/bot/settings_room.go
index 0ca169b..619d70f 100644
--- a/bot/settings_room.go
+++ b/bot/settings_room.go
@@ -88,8 +88,7 @@ func (s roomSettings) ContentOptions() *utils.ContentOptions {
 }
 func (b *Bot) getRoomSettings(roomID id.RoomID) (roomSettings, error) {
- config := roomSettings{}
- err := b.lp.GetRoomAccountData(roomID, acRoomSettingsKey, &config)
+ config, err := b.lp.GetRoomAccountData(roomID, acRoomSettingsKey)
 return config, utils.UnwrapError(err)
 }
diff --git a/cmd/cmd.go b/cmd/cmd.go
index e176ecc..166c49f 100644
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
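Review bot: In getBotSettings the old code started from `config := botSettings{}`, so callers always received a usable value even when the lookup failed; the new `config, err := b.lp.GetAccountData(acBotSettingsKey)` returns whatever the library hands back on error, and the error is only logged. If botSettings is a map type (the direct assignment suggests so) and the library returns nil on failure, a later write through the returned value would panic; adding `if config == nil { config = botSettings{} }` after the log call keeps the old guarantee. With values now encrypted, a wrong or changed POSTMOOGLE_DATA_SECRET is a new reason for this call to fail, so it is worth confirming that continuing with empty settings does not loosen anything access-related that is stored there. The same nil question applies to getRoomSettings in bot/settings_room.go, although that function returns the error to its caller. The return statement of getBotSettings is outside the hunk.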
@@ -70,16 +70,17 @@ func initBot(cfg *config.Config) {
 }
 mxlog := logger.New("matrix.", cfg.LogLevel)
 lp, err := linkpearl.New(&lpcfg.Config{
- Homeserver: cfg.Homeserver,
- Login: cfg.Login,
- Password: cfg.Password,
- DB: db,
- Dialect: cfg.DB.Dialect,
- NoEncryption: cfg.NoEncryption,
- LPLogger: mxlog,
- APILogger: logger.New("api.", cfg.LogLevel),
- StoreLogger: logger.New("store.", cfg.LogLevel),
- CryptoLogger: logger.New("olm.", cfg.LogLevel),
+ Homeserver: cfg.Homeserver,
+ Login: cfg.Login,
+ Password: cfg.Password,
+ DB: db,
+ Dialect: cfg.DB.Dialect,
+ NoEncryption: cfg.NoEncryption,
+ AccountDataSecret: cfg.DataSecret,
+ LPLogger: mxlog,
+ APILogger: logger.New("api.", cfg.LogLevel),
+ StoreLogger: logger.New("store.", cfg.LogLevel),
+ CryptoLogger: logger.New("olm.", cfg.LogLevel),
 })
 if err != nil {
 // nolint // Fatal = panic, not os.Exit()
diff --git a/config/config.go b/config/config.go
index 68fc369..8130c57 100644
--- a/config/config.go
+++ b/config/config.go
@@ -18,6 +18,7 @@ func New() *Config {
 Domain: env.String("domain", defaultConfig.Domain),
 Port: env.String("port", defaultConfig.Port),
 NoEncryption: env.Bool("noencryption"),
+ DataSecret: env.String("data.secret", defaultConfig.DataSecret),
 MaxSize: env.Int("maxsize", defaultConfig.MaxSize),
 StatusMsg: env.String("statusmsg", defaultConfig.StatusMsg),
 Admins: env.Slice("admins"),
diff --git a/config/types.go b/config/types.go
index 9bf6352..f85cd34 100644
--- a/config/types.go
+++ b/config/types.go
@@ -14,6 +14,8 @@ type Config struct {
 Port string
 // RoomID of the admin room
 LogLevel string
+ // DataSecret is account data secret key (password) to encrypt all account data values
+ DataSecret string
 // NoEncryption disabled encryption support
 NoEncryption bool
 // Prefix for commands
diff --git a/go.mod b/go.mod
index 78fdbf4..29e81c1 100644
--- a/go.mod
+++ b/go.mod
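Review bot: `AccountDataSecret: cfg.DataSecret` forwards the value unchecked, while the README in this commit says it must be 16, 24 or 32 bytes long; whether linkpearl.New rejects other lengths, or what it does with them, is not visible here. A length test in initBot before the call, with the condition `n := len(cfg.DataSecret); n != 0 && n != 16 && n != 24 && n != 32`, would turn a misconfiguration into an explicit startup error rather than a library error or silently unencrypted data (drop the `n != 0` case if running without a secret should not be allowed). It is also worth checking how account data written before this change is read once a secret is set, since those values were stored unencrypted. initBot's body continues outside the hunk.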
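Review bot: `env.String("data.secret", defaultConfig.DataSecret)` falls back to a built-in default that this diff does not show; that default should be the empty string, because a non-empty built-in value would give every installation that leaves POSTMOOGLE_DATA_SECRET unset the same publicly known key. A comment next to the field in defaultConfig, for example `// DataSecret has no default: the operator must supply it`, would make that intent explicit. The struct literal in New continues outside the hunk.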
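Review bot: The new field comment calls DataSecret a "password", but the fixed 16, 24 or 32 byte lengths given in the README read like a raw cipher key, and a memorable password used directly as a key has far less entropy than its length suggests. Whether the library derives a key from the value is not visible in this diff, so the safer wording is `// DataSecret is the key used to encrypt account data values; it must be 16, 24 or 32 bytes long and should be randomly generated`. The Config struct starts and ends outside the hunk.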
@@ -18,7 +18,7 @@ require (
 gitlab.com/etke.cc/go/logger v1.1.0
 gitlab.com/etke.cc/go/mxidwc v1.0.0
 gitlab.com/etke.cc/go/secgen v1.1.1
- gitlab.com/etke.cc/linkpearl v0.0.0-20221002130603-2ee25abf8373
+ gitlab.com/etke.cc/linkpearl v0.0.0-20221002171411-bb783f7e50f0
 golang.org/x/net v0.0.0-20221002022538-bcab6841153b
 maunium.net/go/mautrix v0.12.1
 )
diff --git a/go.sum b/go.sum
index 98835dd..b0b8a8a 100644
--- a/go.sum
+++ b/go.sum
@@ -95,8 +95,8 @@ gitlab.com/etke.cc/go/mxidwc v1.0.0 h1:6EAlJXvs3nU4RaMegYq6iFlyVvLw7JZYnZmNCGMYQ
 gitlab.com/etke.cc/go/mxidwc v1.0.0/go.mod h1:E/0kh45SAN9+ntTG0cwkAEKdaPxzvxVmnjwivm9nmz8=
 gitlab.com/etke.cc/go/secgen v1.1.1 h1:RmKOki725HIhWJHzPtAc9X4YvBneczndchpMgoDkE8w=
 gitlab.com/etke.cc/go/secgen v1.1.1/go.mod h1:3pJqRGeWApzx7qXjABqz2o2SMCNpKSZao/gXVdasqE8=
-gitlab.com/etke.cc/linkpearl v0.0.0-20221002130603-2ee25abf8373 h1:+lF/qMr9Cz9X579cELiP6Tuma4BHoEBRaoBb198Zi3s=
-gitlab.com/etke.cc/linkpearl v0.0.0-20221002130603-2ee25abf8373/go.mod h1:hjn0SVswej+Jo3+MycLm+lTsAVFy047Df+adX6MoXoE=
+gitlab.com/etke.cc/linkpearl v0.0.0-20221002171411-bb783f7e50f0 h1:B5YV62XKsLb9sCu9jW4Pnc5HDNRzdR1FswtRBMw1sR0=
+gitlab.com/etke.cc/linkpearl v0.0.0-20221002171411-bb783f7e50f0/go.mod h1:hjn0SVswej+Jo3+MycLm+lTsAVFy047Df+adX6MoXoE=
 golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be h1:fmw3UbQh+nxngCAHrDCCztao/kbYFnWjoqop8dHx05A=
 golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=