diff --git a/commands/management/add_mongodb.go b/commands/management/add_mongodb.go
index 6eeb2bd0..cfa9d226 100644
--- a/commands/management/add_mongodb.go
+++ b/commands/management/add_mongodb.go
@@ -16,7 +16,10 @@
 package management
 import (
+ "context"
 "fmt"
+ "github.com/percona/pmm-admin/utils/encryption"
+ "github.com/sirupsen/logrus"
 "os"
 "strings"
@@ -112,6 +115,10 @@ func (cmd *addMongoDBCommand) GetCredentials() error {
 }
 func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
+ return cmd.RunWithContext(context.TODO())
+}
+
+func (cmd *addMongoDBCommand) RunWithContext(ctx context.Context) (commands.Result, error) {
 customLabels, err := commands.ParseCustomLabels(cmd.CustomLabels)
 if err != nil {
 return nil, err
@@ -150,6 +157,13 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
 }
 }
+ encryptor := encryption.GetEncryptor(ctx)
+ password, err := encryptor.EncryptAsBlock(cmd.Password)
+ if err != nil {
+ logrus.Warnf("Failed to encrypt password: %s", err)
+ password = cmd.Password
+ }
+
 params := &mongodb.AddMongoDBParams{
 Body: mongodb.AddMongoDBBody{
 NodeID: cmd.NodeID,
@@ -162,7 +176,7 @@ func (cmd *addMongoDBCommand) Run() (commands.Result, error) {
 Cluster: cmd.Cluster,
 ReplicationSet: cmd.ReplicationSet,
 Username: cmd.Username,
- Password: cmd.Password,
+ Password: password,
 AgentPassword: cmd.AgentPassword,
 QANMongodbProfiler: cmd.QuerySource == mongodbQuerySourceProfiler,
diff --git a/go.mod b/go.mod
index ed705566..a838dbb5 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/AlekSi/pointer v1.2.0
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d
 github.com/go-openapi/runtime v0.24.0
- github.com/percona/pmm v0.0.0-20220520150831-23069cdf1bb8
+ github.com/percona/pmm v0.0.0-20220523024928-d94947734674
 github.com/pkg/errors v0.9.1
 github.com/sirupsen/logrus v1.8.1
 github.com/stretchr/testify v1.7.1
diff --git a/go.sum b/go.sum
index d06ecef8..ab732119 100644
--- a/go.sum
+++ b/go.sum
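Review bot: `Run()` in commands/management/add_mongodb.go panics as written, because it hands `context.TODO()` to `RunWithContext`, which calls `encryption.GetEncryptor(ctx)`, and that function (utils/encryption/encryption.go, later in this diff) does the single-value assertion `ctx.Value(EncryptorKey).(*rsa_encryptor.Service)`. A context with no injected encryptor yields a nil interface there, and a single-value assertion on nil panics. Either have `Run` go through the injector first, `ctx, err := encryption.InjectEncryptorIfNotPresent(context.TODO())` followed by an error return, or make `GetEncryptor` use the comma-ok form so the caller can report a missing encryptor. The body of `RunWithContext` continues outside this hunk.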
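Review bot: The error branch after `encryptor.EncryptAsBlock(cmd.Password)` fails open: it logs a warning and then assigns `password = cmd.Password`, so any key or encryption failure silently sends the password unencrypted, and the receiving side presumably has to keep accepting both forms. Returning the error keeps the failure visible to the operator, for example `return nil, fmt.Errorf("encrypting password: %w", err)`. `AgentPassword: cmd.AgentPassword` in the same request body (next hunk) is still passed through unchanged; if that is intentional, a one-line comment saying why would help. The enclosing function starts and ends outside this hunk.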
@@ -113,8 +113,8 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
-github.com/percona/pmm v0.0.0-20220520150831-23069cdf1bb8 h1:P5iuV4GRUIviRg/5/FM6ZOKdiBPdwUPbrHld/epM3hk=
-github.com/percona/pmm v0.0.0-20220520150831-23069cdf1bb8/go.mod h1:gr+WLd8clEAe2xMFgsGhpw9ziZc2UCWcfy6d3M6Aq00=
+github.com/percona/pmm v0.0.0-20220523024928-d94947734674 h1:KWXwcENaXzZ7ep9zboSk6YnRrLM/O85+ptGQdlBQEJQ=
+github.com/percona/pmm v0.0.0-20220523024928-d94947734674/go.mod h1:gr+WLd8clEAe2xMFgsGhpw9ziZc2UCWcfy6d3M6Aq00=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/main.go b/main.go
index e80f2b83..bd75e385 100644
--- a/main.go
+++ b/main.go
@@ -19,6 +19,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "github.com/percona/pmm-admin/utils/encryption"
 "os"
 "os/exec"
 "os/signal"
@@ -60,6 +61,7 @@ func main() {
 return nil
 }).Bool()
+ kingpin.CommandLine.DefaultEnvars()
 cmd := kingpin.Parse()
 logrus.SetFormatter(new(logger.TextFormatter)) // with levels and timestamps for debug and trace
@@ -75,6 +77,10 @@ func main() {
 }
 ctx, cancel := context.WithCancel(context.Background())
+ ctx, errEnc := encryption.InjectEncryptorIfNotPresent(ctx)
+ if errEnc != nil {
+ logrus.Panicf("Failed to inject encryptor: %v", errEnc)
+ }
 // handle termination signals
 signals := make(chan os.Signal, 1)
diff --git a/utils/encryption/default-key.pub b/utils/encryption/default-key.pub
new file mode 100644
index 00000000..999a29ef
--- /dev/null
+++ b/utils/encryption/default-key.pub
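Review bot: `kingpin.CommandLine.DefaultEnvars()` in main.go is added without a comment and is not needed for the encryption change, yet it alters how every flag is resolved: each flag without an explicit envar now takes its default from an environment variable derived from the application and flag name. That presumably includes the credential flags behind `cmd.Password` and `cmd.AgentPassword`, so secrets can start arriving from the process environment without anyone having asked for it. I would move this to its own commit, or at least add a comment such as `// every flag may now be set through an <APP>_<FLAG> environment variable, credentials included` and cover it in the user documentation. `main` continues outside this hunk.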
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmsIPAv+mDTBX4kAVFeon
+wLHcXOjzu/hgca1f4bCgsyTvoUdcg7EAIlpfv14nCQ+1zUXI3h0iWH/ZJsHNb7Wy
+NYZZpkCIrWk9XUuPbzijazjLvBaMzyVLb8zQFESvuKumSOZ+WizvuHL2MGaJqLYI
+2eVLDKX3TVeJCe8HK8KA6XUau28tNDEymf/Hyk7BQAINkQTnwIWIX+lzeGI+eMzT
+uptDIf3OCvoe/a1qp0RP7jQ8bU2fj6SUB0Ts3FElqTsGZczP6zag20CR0hSzlqNI
+785Mcv3tRxszwu+rET9CVyjRG9Y6X9TqPODbuM1n6aKla1X9Wkt386Li0TgXtF/S
+tJA/BK7JrPrSRz+vKakhqqcmudPA5NeqdjC92jdxmtLObVm4L/OF0FwRYAEeYRVi
+CZNTo8DwEjecYHy+FNutGxvOP/p15ip3YG6IHGp1kPoGdxwzAJQK957ZVqQUJCAC
+M2lcNPEQ+muYRTMHLYuNMyVVW+OOdTFrFxUK/xisYhb7tJoN/aZUrww7KVDVD6AD
+HImr1TL7hE9r/ko3e/0TQN8D+fgLPpKLyaguuLI2HyRalzFWuQSEWUOz/2IQ76kR
+glL2yQVAOh8oG8sX6xXY1fFpfpvZd4VCWdWOQfW2tBqOKpcMgmkgxKctMUeHhhgx
+GFI7b65SXK9uPB3Rs6EXbd8CAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/utils/encryption/encryption.go b/utils/encryption/encryption.go
new file mode 100644
index 00000000..6ec784a3
--- /dev/null
+++ b/utils/encryption/encryption.go
@@ -0,0 +1,33 @@
+package encryption
+
+import (
+ "context"
+ _ "embed"
+ "github.com/percona/pmm/utils/rsa_encryptor"
+)
+
+//go:embed default-key.pub
+var publicKey []byte
+
+const EncryptorKey = "encryptor"
+
+func NewFromDefaultKey() (*rsa_encryptor.Service, error) {
+ return rsa_encryptor.NewFromPublicKey("d1", publicKey)
+}
+
+func InjectEncryptorIfNotPresent(ctx context.Context) (context.Context, error) {
+ encryptor := ctx.Value(EncryptorKey)
+ if encryptor == nil {
+ encryptor, err := NewFromDefaultKey()
+ if err != nil {
+ return nil, err
+ }
+ return context.WithValue(ctx, EncryptorKey, encryptor), nil
+ }
+
+ return ctx, nil
+}
+
+func GetEncryptor(ctx context.Context) *rsa_encryptor.Service {
+ return ctx.Value(EncryptorKey).(*rsa_encryptor.Service)
+}
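Review bot: `EncryptorKey` in utils/encryption/encryption.go is an exported plain-string context key, so any package that stores a value under the string `"encryptor"` collides with it (staticcheck reports built-in key types for this reason); an unexported key type closes that off. In `InjectEncryptorIfNotPresent` the inner `encryptor, err :=` shadows the outer variable, and the error path returns a nil context, which the caller in main.go assigns straight back to `ctx`. The rewrite below keeps the caller's context on error and gives `GetEncryptor` a comma-ok result; its caller in add_mongodb.go would need the matching check. The exported names also need doc comments, and the `"d1"` argument (presumably a key identifier) deserves a line saying how the embedded key is meant to be replaced or rotated.

```go
// … unchanged: package clause, imports, embedded publicKey, NewFromDefaultKey …

// encryptorKey is an unexported type so no other package can occupy the same context slot.
type encryptorKey struct{}

// InjectEncryptorIfNotPresent returns ctx unchanged if it already holds an
// encryptor; otherwise it returns a child context holding one built from the
// embedded default key.
func InjectEncryptorIfNotPresent(ctx context.Context) (context.Context, error) {
	if _, ok := GetEncryptor(ctx); ok {
		return ctx, nil
	}
	svc, err := NewFromDefaultKey()
	if err != nil {
		return ctx, err // the caller's context stays usable
	}
	return context.WithValue(ctx, encryptorKey{}, svc), nil
}

// GetEncryptor returns the encryptor stored in ctx; ok is false when none was injected.
func GetEncryptor(ctx context.Context) (svc *rsa_encryptor.Service, ok bool) {
	svc, ok = ctx.Value(encryptorKey{}).(*rsa_encryptor.Service)
	return svc, ok
}
```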