diff --git a/DEPLOYING.md b/DEPLOYING.md index fd562dc..18df97b 100644 --- a/DEPLOYING.md +++ b/DEPLOYING.md @@ -55,7 +55,6 @@ ENCRYPTION_SECRET_KEY= # generate: python -c "from cryptography.fernet import F # PostgreSQL POSTGRES_USER=congress -POSTGRES_PASSWORD=your-strong-password POSTGRES_DB=pocketveto # Redis @@ -70,6 +69,18 @@ OPENAI_API_KEY=sk-... OPENAI_MODEL=gpt-4o-mini ``` +### Database password (secrets file) + +The database password lives in a plain file rather than `.env` so that any characters work with no escaping needed. + +```bash +mkdir -p secrets +openssl rand -base64 32 | tr -d '+/=' | cut -c1-32 > secrets/db_password +chmod 600 secrets/db_password +``` + +The `secrets/` directory is gitignored. Docker mounts `secrets/db_password` read-only into each container; the backend reads it automatically to build the database URL. Never commit this file. + Other providers (swap in place of the OpenAI block): ```env # Anthropic @@ -112,6 +123,8 @@ SMTP_FROM=alerts@yourdomain.com docker compose up --build -d ``` +> **Note:** Make sure `secrets/db_password` exists before running this command (see step 2). Docker Compose will fail to start if the secrets file is missing. + This will: 1. Pull base images (postgres, redis, nginx, node) 2. Build the API, worker, beat, and frontend images
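Review bot: Removing `POSTGRES_PASSWORD=your-strong-password` from the `.env` example (hunk `@@ -55,7 +55,6`) leaves anyone upgrading an existing deployment without a migration step. They still have this variable in `.env` and a database that was set up with that value, so the doc should say to copy the current password into `secrets/db_password` instead of generating a new one, and to delete the old line from `.env` afterwards so the password is not kept in two places.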
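Review bot: In the "Database password (secrets file)" block (hunk `@@ -70,6 +69,18`), `secrets/db_password` is created by the shell redirect under the default umask and only tightened by `chmod 600` afterwards, and `secrets/` itself keeps default directory permissions. Suggest `umask 077` before `mkdir -p secrets` (or an added `chmod 700 secrets`) so the file is never group- or world-readable. Separately, the prose says any characters work with no escaping, but the backend builds a database URL from the value; either state that the backend percent-encodes the password and strips the trailing newline that `cut` leaves in the file, or limit the claim to the alphanumeric output this command produces.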
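Review bot: The added note before "This will:" (hunk `@@ -112,6 +123,8`) points to "step 2", but the section introduced in this patch is headed "Database password (secrets file)" and shows no step number in the visible lines; refer to it by heading name so the pointer survives renumbering. The note also only covers a missing file, while an empty one would pass that check; consider telling the reader to run `test -s secrets/db_password` before `docker compose up --build -d`.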