diff --git a/.env.default b/.env.default
new file mode 100644
index 0000000..a3727e9
--- /dev/null
+++ b/.env.default
@@ -0,0 +1,56 @@
+; this is an string containing the supported RSA privated keys for encryption and decryption, the LAST RSA private key
+; within the string is used to encrypt new secrets while all RSA private keys are used to decrypt secrets, this allows
+; for smooth key rollovers; for share-only instances it is sufficient to set the RSA public key of the corresponding
+; read-only instance here
+RSA_PRIVATE_KEYS="-----BEGIN RSA PRIVATE KEY-----
+ ...
+ ...
+ ...
+ -----END RSA PRIVATE KEY-----
+ -----BEGIN PUBLIC KEY-----
+ ...
+ ...
+ ...
+ -----END PUBLIC KEY-----"
+
+; this is the title of the service, it is shown in header of all pages
+SERVICE_TITLE="Shared-Secrets"
+
+; this is the full path to the secret sharing service, the encrypted secret will be appended to this string
+SECRET_SHARING_URL="https://localhost.local/"
+
+; this is the text of the imprint link
+IMPRINT_TEXT=
+
+; this is the URL the imprint link shall forward to
+IMPRINT_URL="https://localhost.local/"
+
+; this is the MySQL configuration, do not forget to create the corresponding database and the following table:
+; > CREATE TABLE secrets ( keyid VARCHAR(64), fingerprint VARCHAR(64), time TIMESTAMP, PRIMARY KEY (keyid, fingerprint) );
+MYSQL_HOST="localhost"
+MYSQL_PORT="3306"
+MYSQL_USER=""
+MYSQL_PASS=""
+MYSQL_DB=""
+
+; this enables or disables the debug mode of the instance
+DEBUG_MODE="false"
+
+; this is the default timezone for the execution of the script
+DEFAULT_TIMEZONE="Europe/Berlin"
+
+; this enables or disables the read-only mode of the instance,
+; by using the read-only mode you need another instance to create secret sharing links,
+; this separation can be useful if you only want to be internally able to create links
+READ_ONLY="false"
+
+; this enables or disables the share-only mode of the instance,
+; by using the share-only mode you need another instance to read secret sharing links,
+; this separation can be useful if you only want to be internally able to create links
+SHARE_ONLY="false"
+
+; this enables or disables the jumbo secret support,
+; jumbo secrets can be up to 16384 bytes (16kb) in size,
+; jumbo secret sharing links that exceed 2048 bytes (2k) in size will most likely be incompatible with older Internet Explorer versions
+JUMBO_SECRETS="false"
+
diff --git a/.gitignore b/.gitignore
index a8ed72b..d25e5b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 # do not publish live config file
+.env
 config/*
 !config/config.php.default
diff --git a/.htaccess b/.htaccess
index 8a2b6d9..60537fc 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,6 +3,8 @@
 RewriteBase /
 # prevent access to certain locations
+ RewriteRule ^\.env$ - [R=404,L]
+ RewriteRule ^\.env\.default$ - [R=404,L]
 RewriteRule ^\.git(\/.*)?$ - [R=404,L]
 RewriteRule ^\.gitattributes$ - [R=404,L]
 RewriteRule ^\.gitignore$ - [R=404,L]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac4558f..c705edb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# 0.29b0 (2021-12-14)
+
+* introduce support for configuration via environment variables
+* introduce support for configuration via .env file
+* updated README to document environment variables
+
 # 0.28b0 (2021-06-07)
 * updated jQuery to version 3.6.0
diff --git a/README.md b/README.md
index 9e9e80a..ef8a713 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,8 @@ server {
 add_header X-XSS-Protection "1; mode=block";
 # prevent access to certain locations
+ location ~ ^\/\.env$ { return 404; }
+ location ~ ^\/\.env\.default$ { return 404; }
 location ~ ^\/\.git(\/.*)?$ { return 404; }
 location ~ ^\/\.gitattributes$ { return 404; }
 location ~ ^\/\.gitignore$ { return 404; }
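Review bot: The two added RewriteRules match only the literal names `.env` and `.env.default`, so any variant or editor backup left beside them (`.env.bak`, `.env.local`, and so on) is still served by Apache even though it may hold the same RSA private keys and database password that this commit is trying to hide. One prefix pattern covers all of them, e.g. `RewriteRule ^\.env(\..*)?$ - [R=404,L]` in place of the two new lines. The nginx example added to README.md in this commit (`location ~ ^\/\.env$` and `^\/\.env\.default$`) has the same gap and should be widened the same way. The rest of the rewrite block is outside the hunk.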
@@ -187,7 +189,17 @@ openssl genrsa -out ./rsa.key 2048
 ### Service Setup
-Copy the `config/config.php.default` file to `config/config.php` and set the necessary configuration items.
+#### Configuration via config.php
+
+Copy the `config/config.php.default` file to `config/config.php` and set the necessary configuration values. When a `config/config.php` file exists then it is used as the **only** configuration source for the entire Shared-Secrets instance.
+
+#### Configuration via .env
+
+Copy the `.env.default` file to `.env` and set the necessary configuration values. When a `config/config.php` file exists then the configuration values in the `.env` file will **not** be used. Configuration values in the `.env` file can be overwritten by setting environment variables.
+
+#### Configuration via environment variables
+
+Configuration values can also be set by defining corresponding environment variables. When a `config/config.php` file exists then the configuration values set via environment variables will **not** be used. Configuration values in the `.env` file can be overwritten by setting environment variables.
 ### Read-Only and Share-Only Instances
diff --git a/config/config.php.default b/config/config.php.default
index 4913b52..02a85a2 100644
--- a/config/config.php.default
+++ b/config/config.php.default
@@ -27,11 +27,11 @@
 # this is the MySQL configuration, do not forget to create the corresponding database and the following table:
 # > CREATE TABLE secrets ( keyid VARCHAR(64), fingerprint VARCHAR(64), time TIMESTAMP, PRIMARY KEY (keyid, fingerprint) );
- define("MYSQL_HOST", "localhost");
- define("MYSQL_PORT", 3306);
- define("MYSQL_USER", "");
- define("MYSQL_PASS", "");
- define("MYSQL_DB", "");
+ define("MYSQL_HOST", "localhost");
+ define("MYSQL_PORT", 3306);
+ define("MYSQL_USER", "");
+ define("MYSQL_PASS", "");
+ define("MYSQL_DB", "");
 # this enables or disables the debug mode of the instance
 define("DEBUG_MODE", false);
diff --git a/index.php b/index.php
index 4725f2f..dd64ca8 100644
--- a/index.php
+++ b/index.php
@@ -1,6 +1,6 @@ $value) {
+ # only set environment variables that are not already set
+ if (false === getenv($key)) {
+ putenv($key."=".$value);
+ }
+ }
+ }
+ }
+
+ function split_rsa_keys($string) {
+ $result = [];
+
+ if (false !== preg_match_all("@(?-----BEGIN (?:RSA )?(?:PRIVATE|PUBLIC) KEY-----(?:.+?)-----END (?:RSA )?(?:PRIVATE|PUBLIC) KEY-----)@is",
+ $string, $matches)) {
+ if (array_key_exists("rsakeys", $matches)) {
+ # cleanup strings
+ foreach ($matches["rsakeys"] as $match_key => $match_value) {
+ $lines = explode("\n", $match_value);
+ foreach ($lines as $line_key => $line_value) {
+ $lines[$line_key] = trim($line_value);
+ }
+ $matches["rsakeys"][$match_key] = implode("\n", $lines);
+ }
+
+ $result = $matches["rsakeys"];
+ }
+ }
+
+ return $result;
+ }
+
+ # load a .env file if it exists
+ if (is_file(ROOT_DIR."/.env")) {
+ load_dot_env(ROOT_DIR."/.env");
+ }
+
+ # this is an array containing the supported RSA privated keys for encryption and decryption, the LAST RSA private key
+ # within the array is used to encrypt new secrets while all RSA private keys are used to decrypt secrets, this allows
+ # for smooth key rollovers; for share-only instances it is sufficient to set the RSA public key of the corresponding
+ # read-only instance here
+ define("RSA_PRIVATE_KEYS", split_rsa_keys(env("RSA_PRIVATE_KEYS", null)));
+
+ # this is the title of the service, it is shown in header of all pages
+ define("SERVICE_TITLE", env("SERVICE_TITLE", "Shared-Secrets"));
+
+ # this is the full path to the secret sharing service, the encrypted secret will be appended to this string
+ define("SECRET_SHARING_URL", env("SECRET_SHARING_URL", "https://localhost.local/"));
+
+ # this is the text of the imprint link
+ define("IMPRINT_TEXT", env("IMPRINT_TEXT", null));
+
+ # this is the URL the imprint link shall forward to
+ define("IMPRINT_URL", env("IMPRINT_URL", "https://localhost.local/"));
+
+ # this is the MySQL configuration, do not forget to create the corresponding database and the following table:
+ # > CREATE TABLE secrets ( keyid VARCHAR(64), fingerprint VARCHAR(64), time TIMESTAMP, PRIMARY KEY (keyid, fingerprint) );
+ define("MYSQL_HOST", env("MYSQL_HOST", "localhost"));
+ define("MYSQL_PORT", intval(env("MYSQL_PORT", 3306)));
+ define("MYSQL_USER", env("MYSQL_USER", null));
+ define("MYSQL_PASS", env("MYSQL_PASS", null));
+ define("MYSQL_DB", env("MYSQL_DB", null));
+
+ # this enables or disables the debug mode of the instance
+ define("DEBUG_MODE", checkbool(env("DEBUG_MODE", false)));
+
+ # this is the default timezone for the execution of the script
+ define("DEFAULT_TIMEZONE", env("DEFAULT_TIMEZONE", "Europe/Berlin"));
+
+ # this enables or disables the read-only mode of the instance,
+ # by using the read-only mode you need another instance to create secret sharing links,
+ # this separation can be useful if you only want to be internally able to create links
+ define("READ_ONLY", checkbool(env("READ_ONLY", false)));
+
+ # this enables or disables the share-only mode of the instance,
+ # by using the share-only mode you need another instance to read secret sharing links,
+ # this separation can be useful if you only want to be internally able to create links
+ define("SHARE_ONLY", checkbool(env("SHARE_ONLY", false)));
+
+ # this enables or disables the jumbo secret support,
+ # jumbo secrets can be up to 16384 bytes (16kb) in size,
+ # jumbo secret sharing links that exceed 2048 bytes (2k) in size will most likely be incompatible with older Internet Explorer versions
+ define("JUMBO_SECRETS", checkbool(env("JUMBO_SECRETS", false)));
+
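Review bot: `split_rsa_keys(env("RSA_PRIVATE_KEYS", null))` hands `null` to `preg_match_all` when the variable is unset (assuming `env()` returns its default unchanged), which is deprecated on PHP 8.1+ and, like any input that does not match, makes the instance start with an empty key list instead of a configuration error; a guard such as `if (!is_string($string) || "" === trim($string)) { return $result; }` at the top of `split_rsa_keys`, plus a check that the array is non-empty before `define("RSA_PRIVATE_KEYS", …)` if nothing downstream already rejects it, would make a missing key set fail loudly. The capture group is rendered here as `(?-----BEGIN` although `$matches["rsakeys"]` is read afterwards; if that is not an extraction artefact, the group name `(?<rsakeys>…)` is missing and `preg_match_all` returns false on every call. The `.env` file is read from `ROOT_DIR."/.env"`, i.e. from inside the document root, so the confidentiality of the RSA private keys and the database password rests entirely on the `.htaccess`/nginx deny rules added in this commit; allowing the path to be overridden (for example via an environment variable) would let operators keep it outside the web root. The beginning of `load_dot_env` and the `env()`/`checkbool()` helpers are not visible in this hunk.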