diff --git a/roles/restic/defaults/main.yml b/roles/restic/defaults/main.yml
index c36c501..849a893 100644
--- a/roles/restic/defaults/main.yml
+++ b/roles/restic/defaults/main.yml
@@ -51,6 +51,11 @@ restic_user: root
 restic_create_user: false
 restic_start_job_on_unit_change: false
+restic_base_path: /opt/restic
+resitc_credentials_base_path: "/var/lib/restic/{{ restic_job_name }}/"
+restic_password_file_path: "{{ resitc_credentials_base_path }}/restic-passwd"
+restic_password_file_mode: 0600 #should not be less restrictive
+
 restic_job_name: ~
 restic_job_description: "Restic backup job for {{ restic_job_name }}"
 restic_systemd_unit_naming_scheme: "restic.{{ restic_job_name }}"
diff --git a/roles/restic/tasks/main.yml b/roles/restic/tasks/main.yml
index a4d5eba..17d49b9 100644
--- a/roles/restic/tasks/main.yml
+++ b/roles/restic/tasks/main.yml
@@ -6,6 +6,23 @@
 state: present
 system: true
 when: restic_create_user
+ register: restic_user_res
+
+ - name: Ensure base directory for restic is created
+ ansible.builtin.file:
+ path: "{{ restic_base_path }}"
+ state: directory
+ owner: "{{ restic_user_res.uid | default(root) }}"
+ group: "{{ restic_user_res.group | default(root) }}"
+ mode: "0755"
+
+ - name: Ensure credentials directory for restic is created
+ ansible.builtin.file:
+ path: "{{ resitc_credentials_base_path }}"
+ state: directory
+ owner: "{{ restic_user_res.uid | default(root) }}"
+ group: "{{ restic_user_res.group | default(root) }}"
+ mode: "0700"
 
 - name: Ensure either backup_paths or backup_stdin_command is populated
 when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
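Review bot: `restic_password_file_mode: 0600` is an unquoted octal literal, so a YAML 1.1 loader hands the role the integer 384, and once that is interpolated into `mode: "{{ restic_password_file_mode }}"` in the copy task the module receives a decimal string rather than the intended octal mode; write it as `restic_password_file_mode: "0600"  # should not be less restrictive`, which is also the form Ansible's documentation recommends for file modes. The new variable `resitc_credentials_base_path` has the role prefix misspelled; it works because every reference in the tasks hunks carries the same typo, but `restic_credentials_base_path` would match the other keys here and be findable by grep. Its value ends in `/` while `restic_password_file_path` joins it with another `/`, which renders a doubled separator in the password file path; dropping the trailing slash from the base path avoids that.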
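Review bot: `default(root)` on the `owner:` and `group:` lines of both new file tasks passes the undefined Jinja name `root`, not the string `'root'`, so on the role's default path (`restic_create_user: false` in defaults skips the registering task, leaving `restic_user_res` without `uid`/`group`) the fallback is itself undefined and the task fails with an undefined-variable error instead of falling back. The role already defines `restic_user`, so that should be the fallback: `owner: "{{ restic_user_res.uid | default(restic_user) }}"` and `group: "{{ restic_user_res.group | default(restic_user) }}"`; the same two lines recur in the password-file task of the next hunk and need the same change. Because `register:` is attached to a task guarded by `when: restic_create_user`, a comment such as `# restic_user_res is a skipped-task result unless restic_create_user is true` above the first file task would make the fallback's purpose clear to the next maintainer.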
@@ -42,6 +59,14 @@
 state: present
 when: ansible_os_family not in ['RedHat', 'Debian']
+- name: Ensure restic password file is created and uptodate
+ copy:
+ dest: "{{ restic_password_file_path }}"
+ mode: "{{ restic_password_file_mode }}"
+ owner: "{{ restic_user_res.uid | default(root) }}"
+ group: "{{ restic_user_res.group | default(root) }}"
+ content: "{{ restic_repo_password }}"
+
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
 template:
 dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
diff --git a/roles/restic/templates/restic.service.j2 b/roles/restic/templates/restic.service.j2
index 7169689..a2561fc 100644
--- a/roles/restic/templates/restic.service.j2
+++ b/roles/restic/templates/restic.service.j2
@@ -8,7 +8,7 @@ WorkingDirectory={{ restic_systemd_working_directory }}
 SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
-Environment=RESTIC_PASSWORD={{ restic_repo_password }}
+Environment=RESTIC_PASSWORD_FILE={{ restic_password_file_path }}
 {% for kv in restic_complete_environment | dict2items %}
 Environment={{ kv.key }}={{ kv.value }}
 {% endfor %}
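Review bot: The new copy task writes `restic_repo_password` through `content:` without `no_log: true`, so the repository password is printed in verbose and `--diff` output whenever the task runs or changes; add `no_log: true` next to `content:`. `copy:` is the short module name while the tasks added in the earlier hunk of this file use `ansible.builtin.file:`, so `ansible.builtin.copy:` would keep the file consistent. The task description "uptodate" reads better as "up to date".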
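Review bot: `RESTIC_PASSWORD_FILE` takes the repository password out of the unit file, but the loop directly below still emits every entry of `restic_complete_environment` as an `Environment=` line, so any backend credential passed that way (what the dict holds is not visible here) remains readable through the unit file or `systemctl show`. If such values exist, an `EnvironmentFile=` pointing at a 0600 file under the new credentials directory would give them the same treatment the password now gets. The `[Service]` section this hunk belongs to begins above the hunk, so any `User=` line is not visible; that account must be able to read `restic_password_file_path`, which the ownership set in the copy task presumably provides.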