diff --git a/otc/dev.t09.de/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml b/otc/dev.t09.de/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml
index aafcf84..5ea260d 100644
--- a/otc/dev.t09.de/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml
+++ b/otc/dev.t09.de/stacks/core/secrets-backup/manifests/secrets-backup-cronjob.yaml
@@ -29,17 +29,6 @@ roleRef:
   name: secrets-backup-reader
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: secrets-backup-config
-  namespace: gitea
-type: Opaque
-stringData:
-  # IMPORTANT: Replace this placeholder with a strong passphrase per environment.
-  # This secret should be managed via external-secrets or manually set after initial deploy.
-  encryption-passphrase: "CHANGE-ME-SET-PER-ENVIRONMENT"
----
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -61,7 +50,7 @@ spec:
           serviceAccountName: secrets-backup
           containers:
             - name: secrets-backup
-              image: alpine/k8s:1.32.0
+              image: edp.buildth.ing/devfw-cicd/secrets-backup:1.0.1
               imagePullPolicy: IfNotPresent
               env:
                 - name: AWS_ACCESS_KEY_ID
@@ -74,11 +63,6 @@ spec:
                     secretKeyRef:
                       name: forgejo-cloud-credentials
                       key: secret-key
-                - name: ENCRYPTION_PASSPHRASE
-                  valueFrom:
-                    secretKeyRef:
-                      name: secrets-backup-config
-                      key: encryption-passphrase
                 - name: SOURCE_BUCKET
                   valueFrom:
                     secretKeyRef:
@@ -92,9 +76,6 @@ spec:
                 - |
                   set -euo pipefail
 
-                  # Ensure openssl is available (not bundled in alpine/k8s image)
-                  apk add --no-cache openssl --quiet
-
                   TIMESTAMP=$(date +%Y%m%d-%H%M%S)
                   BACKUP_DIR="/tmp/secrets-backup-${TIMESTAMP}"
                   NAMESPACES="argocd cert-manager external-secrets"
@@ -110,20 +91,14 @@ spec:
                       > "${BACKUP_DIR}/${NS}-secrets.json"
                   done
 
-                  echo "=== Encrypting backup with AES-256-CBC ==="
+                  echo "=== Creating compressed archive ==="
                   ARCHIVE="${BACKUP_DIR}/secrets-backup-${TIMESTAMP}.tar.gz"
                   tar -czf "${ARCHIVE}" -C "${BACKUP_DIR}" \
                     $(ls "${BACKUP_DIR}"/*.json 2>/dev/null | xargs -n1 basename)
 
-                  ENCRYPTED="${BACKUP_DIR}/secrets-backup-${TIMESTAMP}.tar.gz.enc"
-                  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
-                    -in "${ARCHIVE}" \
-                    -out "${ENCRYPTED}" \
-                    -pass env:ENCRYPTION_PASSPHRASE
-
-                  echo "=== Uploading to OBS ==="
-                  aws s3 cp "${ENCRYPTED}" \
-                    "s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz.enc" \
+                  echo "=== Uploading to OBS (SSE-KMS encryption at rest) ==="
+                  aws s3 cp "${ARCHIVE}" \
+                    "s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz" \
                     --endpoint-url "https://${OBS_ENDPOINT}"
 
                   echo "=== Cleanup ==="