diff --git a/config/schema/relaxed.schema.yml b/config/schema/relaxed.schema.yml
index 6568629..d4d370b 100644
--- a/config/schema/relaxed.schema.yml
+++ b/config/schema/relaxed.schema.yml
@@ -5,6 +5,18 @@ relaxed.settings:
     api_root:
       type: string
       label: 'Absolute base path to the API root, without trailing slash.'
+    username:
+      type: string
+      label: 'Replicator username'
+    password:
+      type: string
+      label: 'Replicator password'
+    encrypt:
+      type: integer
+      label: 'Encrypt sensitive data'
+    encrypt_profile:
+      type: string
+      label: 'Encryption profile to use'
 
 relaxed.endpoint.*:
   type: config_entity
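Review bot: The `password` label does not say that the value is stored transformed, and with `encrypt` off the transformer added in this commit only base64-encodes it, which is an encoding rather than protection for anything that ends up in exported configuration. A label such as `label: 'Replicator password (base64-encoded; encrypted only when encrypt is enabled)'` would keep that visible to whoever reads or exports `relaxed.settings`. Separately, `encrypt` is written from a checkbox and documented as `@var bool` in SensitiveDataTransformer, so `type: boolean` fits better than `type: integer`.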
diff --git a/relaxed.services.yml b/relaxed.services.yml
index 3d01cf8..2a51473 100644
--- a/relaxed.services.yml
+++ b/relaxed.services.yml
@@ -31,7 +31,7 @@ services:
     arguments: ['@entity_type.manager', '@http_client']
   relaxed.couchdb_replicator:
     class: Drupal\relaxed\CouchdbReplicator
-    arguments: ['@config.factory']
+    arguments: ['@config.factory', '@relaxed.sensitive_data.transformer']
     tags:
       - {name: workspace_replicator, priority: 20}
   relaxed.replicate:
@@ -46,3 +46,6 @@ services:
     tags:
       - { name: event_subscriber }
     arguments: ['@serializer', '@renderer', '@current_route_match']
+  relaxed.sensitive_data.transformer:
+    class: Drupal\relaxed\SensitiveDataTransformer
+    arguments: ['@config.factory']
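Review bot: The new service declares only `@config.factory`, while SensitiveDataTransformer::setEncryption() fetches the `encryption` service through `\Drupal::service()` and loads the profile statically, so the real dependency is hidden from the container and hard to replace in a unit test. Because SettingsForm treats the encrypt module as optional, an optional reference is the safe form: `arguments: ['@config.factory', '@?encryption']`, with a matching nullable constructor parameter in the class.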
diff --git a/src/CouchdbReplicator.php b/src/CouchdbReplicator.php
index 83868a5..8b82028 100644
--- a/src/CouchdbReplicator.php
+++ b/src/CouchdbReplicator.php
@@ -6,6 +6,7 @@ use Doctrine\CouchDB\CouchDBClient;
 use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\Url;
 use Drupal\multiversion\Entity\WorkspaceInterface;
+use Drupal\relaxed\SensitiveDataTransformer;
 use Drupal\relaxed\Entity\RemoteInterface;
 use Drupal\replication\Entity\ReplicationLog;
 use Drupal\replication\ReplicationTask\ReplicationTaskInterface;
@@ -18,10 +19,21 @@ use Symfony\Component\Validator\Exception\UnexpectedTypeException;
 
 class CouchdbReplicator implements ReplicatorInterface{
 
+  /**
+   * Relaxed configuration settings.
+   */
   protected $relaxedSettings;
 
-  public function __construct(ConfigFactoryInterface $config_factory) {
+  /**
+   * Relaxed sensitive data transformer service.
+   *
+   * @var Drupal\relaxed\SensitiveDataTransformer
+   */
+  protected $transformer;
+
+  public function __construct(ConfigFactoryInterface $config_factory, SensitiveDataTransformer $transformer) {
     $this->relaxedSettings = $config_factory->get('relaxed.settings');
+    $this->transformer = $transformer;
   }
 
   /**
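Review bot: The `@var` on `$transformer` is missing its leading backslash and should read `@var \Drupal\relaxed\SensitiveDataTransformer`; the same unqualified form appears on `$encryption` in SensitiveDataTransformer.php. The new docblock on `$relaxedSettings` has no `@var` at all (`@var \Drupal\Core\Config\ImmutableConfig` matches what `$config_factory->get()` returns). The changed constructor still has no docblock, so I would add one with a `@param` line for each of the two arguments.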
@@ -40,7 +52,7 @@ class CouchdbReplicator implements ReplicatorInterface{
     if ($task !== NULL && !$task instanceof ReplicationTaskInterface && !$task instanceof RelaxedReplicationTask) {
       throw new UnexpectedTypeException($task, 'Drupal\replication\ReplicationTask\ReplicationTaskInterface or Relaxed\Replicator\ReplicationTask');
     }
-    
+
     $source_db = $this->setupEndpoint($source);
     $target_db = $this->setupEndpoint($target);
 
@@ -116,7 +128,7 @@ class CouchdbReplicator implements ReplicatorInterface{
       $uri = new Uri($url);
       $uri = $uri->withUserInfo(
         $this->relaxedSettings->get('username'),
-        base64_decode($this->relaxedSettings->get('password'))
+        $this->transformer->get($this->relaxedSettings->get('password'))
       );
     }
 
diff --git a/src/Entity/Remote.php b/src/Entity/Remote.php
index ac70808..5947666 100644
--- a/src/Entity/Remote.php
+++ b/src/Entity/Remote.php
@@ -2,8 +2,10 @@
 
 namespace Drupal\relaxed\Entity;
 
+use Drupal\Core\Config\ConfigFactory;
 use Drupal\Core\Config\Entity\ConfigEntityBase;
 use Drupal\Core\Entity\EntityStorageInterface;
+use Drupal\encrypt\Entity\EncryptionProfile;
 use GuzzleHttp\Psr7\Uri;
 
 /**
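Review bot: Neither `ConfigFactory` nor `EncryptionProfile` is referenced in the Remote.php hunks of this commit, so both `use` lines look unused; uri() reaches the transformer through `\Drupal::service()` instead. Unless code outside the visible hunks needs them, drop both, which also avoids naming a class from the optional encrypt module in an entity that must load without it.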
@@ -73,7 +75,8 @@ class Remote extends ConfigEntityBase implements RemoteInterface {
   protected $uri;
 
   public function uri() {
-    return new Uri(base64_decode($this->uri));
+    $uri = \Drupal::service('relaxed.sensitive_data.transformer')->get($this->uri);
+    return new Uri($uri);
   }
 
   public function withoutUserInfo() {
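Review bot: uri() passes whatever the transformer returns straight to `new Uri()`, but a Remote saved before the encryption settings were changed still holds the old encoding, so the value is either run through decrypt although it was only base64-encoded or left encrypted. SettingsForm only prints a warning asking the admin to update the remotes, so until each one is re-saved this method presumably yields an unparsable or wrong URI. I would either re-encode the existing Remote entities when the settings are saved, or check the decoded value here and throw a clear exception naming the remote instead of building a Uri from it.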
diff --git a/src/Form/RemoteForm.php b/src/Form/RemoteForm.php
index e7598b4..b7caea3 100644
--- a/src/Form/RemoteForm.php
+++ b/src/Form/RemoteForm.php
@@ -10,8 +10,9 @@ use GuzzleHttp\Psr7\Uri;
  * Class RemoteForm.
  */
 class RemoteForm extends EntityForm {
+
   /**
-   * @inheritDoc
+   * {@inheritdoc}
    */
   public function buildForm(array $form, FormStateInterface $form_state) {
     if (!\Drupal::moduleHandler()->moduleExists('workspace')) {
@@ -86,7 +87,7 @@ class RemoteForm extends EntityForm {
       $form_state->getValue('username'),
       $form_state->getValue('password')
     );
-    $encoded = base64_encode($uri);
+    $encoded = \Drupal::service('relaxed.sensitive_data.transformer')->set($uri);
     $remote->set('uri', $encoded);
     $status = $remote->save();
 
diff --git a/src/Form/SettingsForm.php b/src/Form/SettingsForm.php
index 2dbed13..4e0f728 100644
--- a/src/Form/SettingsForm.php
+++ b/src/Form/SettingsForm.php
@@ -4,6 +4,7 @@ namespace Drupal\relaxed\Form;
 
 use Drupal\Core\Form\ConfigFormBase;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Url;
 
 /**
  * Class SettingsForm.
@@ -34,6 +35,11 @@ class SettingsForm extends ConfigFormBase {
   public function buildForm(array $form, FormStateInterface $form_state) {
     $config = $this->config('relaxed.settings');
 
+    $encrypt = \Drupal::service('module_handler')->moduleExists('encrypt');
+    if ($encrypt) {
+      $encrypt_profiles = \Drupal::service('encrypt.encryption_profile.manager')->getEncryptionProfileNamesAsOptions();
+    }
+
     $form['api_root'] = [
       '#type' => 'textfield',
       '#title' => t('API root'),
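Review bot: `$encrypt_profiles` is assigned only inside `if ($encrypt)`, so when the encrypt module is absent the later `empty($encrypt_profiles)` checks run on an undefined variable. `empty()` tolerates that, but the intent is clearer and safer against later edits with `$encrypt_profiles = [];` placed before the `if`. buildForm() continues outside this hunk.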
@@ -64,6 +70,48 @@ class SettingsForm extends ConfigFormBase {
       '#maxlength' => 128,
     ];
 
+    $form['encryption'] = [
+      '#type' => 'details',
+      '#title' => t('Encryption'),
+      '#description' => t('Encrypt all sensitive data using the Encrypt module including passwords and URIs.'),
+      '#open' => $encrypt,
+    ];
+    $form['encryption']['encrypt'] = [
+      '#type' => 'checkbox',
+      '#title' => t('Encrypt all sensitive data'),
+      '#default_value' => $config->get('encrypt'),
+      '#disabled' => !$encrypt || empty($encrypt_profiles),
+    ];
+    if (!empty($encrypt_profiles)) {
+      $form['encryption']['encrypt_profile'] = [
+        '#type' => 'select',
+        '#title' => t('Encryption profile'),
+        '#options' => $encrypt_profiles,
+        '#default_value' => $config->get('encrypt_profile'),
+        '#states' => [
+          'visible' => [
+            ':input[name="encrypt"]' => ['checked' => TRUE],
+          ],
+          'required' => [
+            ':input[name="encrypt"]' => ['checked' => TRUE],
+          ],
+          'disabled' => [
+            ':input[name="encrypt"]' => ['checked' => FALSE],
+          ],
+        ],
+        '#required' => FALSE,
+      ];
+    }
+    elseif ($encrypt) {
+      $args = [
+        '@encryption_profile' => \Drupal::l('encryption profile', Url::fromRoute('entity.encryption_profile.collection')),
+      ];
+      $form['encryption']['help'] = [
+        '#type' => 'item',
+        '#description' => t('An @encryption_profile must be created before encryption can be enabled.', $args),
+      ];
+    }
+
     return parent::buildForm($form, $form_state);
   }
 
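Review bot: `\Drupal::l()` in the `elseif ($encrypt)` branch is deprecated in Drupal 8 in favour of the Link class, and the link text `'encryption profile'` is passed untranslated. I would write `Link::fromTextAndUrl(t('encryption profile'), Url::fromRoute('entity.encryption_profile.collection'))->toString()` and add `use Drupal\Core\Link;`. The same call is used for the `@remotes` placeholder in the validateForm() hunk.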
@@ -81,12 +129,36 @@ class SettingsForm extends ConfigFormBase {
     $config = $this->config('relaxed.settings');
     $username = $form_state->getValue('username');
     $password = $form_state->getValue('password');
-    if ($username && !($password || $config->get('password'))) {
-      $form_state->setErrorByName('password', 'When setting a username you must set a password.');
-    }
+    $encrypt = $form_state->getValue('encrypt');
+    $encrypt_profile = $form_state->getValue('encrypt_profile');
+
     if (!$username && $password) {
-      $form_state->setErrorByName('username', 'When setting a password you must set a username.');
+      $form_state->setErrorByName('username', 'A username must be entered when setting a password.');
+    }
+    if ($username && !$password) {
+      $form_state->setErrorByName('password', 'A password must be entered when setting a username.');
     }
+
+    if ($encrypt && !$encrypt_profile) {
+      $form_state->setErrorByName('encrypt_profile', 'An encryption profile must be selected when enabling encryption.');
+    }
+
+    // Check if encryption settings have changed.
+    if ($encrypt != $config->get('encrypt') || $encrypt_profile != $config->get('encrypt_profile')) {
+      // Force the credentials to be entered if the encryption settings change.
+      if (!$username) {
+        $form_state->setErrorByName('username', 'Credentials must be entered when changing encryption settings.');
+      }
+      else {
+        // Warn the user when altering encryption settings to update remote
+        // settings.
+        $args = [
+          '@remotes' => \Drupal::l('relaxed remotes', Url::fromRoute('entity.remote.collection')),
+        ];
+        drupal_set_message(t('All @remotes must be updated when altering the encryption settings.', $args), 'warning');
+      }
+    }
+
   }
 
   /**
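Review bot: The rewritten check `if ($username && !$password)` drops the old `|| $config->get('password')` escape, so every save with a username now demands the password again, even when only `api_root` is edited; submitForm() still treats an empty password as "keep the stored one", so the two disagree. If keeping the stored password is intended, restore it with `if ($username && !$password && !$config->get('password')) {` and make the settings-changed branch require the password explicitly, `if (!$username || !$password) {`, since the stored value cannot be re-encrypted without it. The `drupal_set_message()` warning is also emitted during validation, so it appears even when another field fails; it belongs in submitForm(). The start of validateForm() is outside this hunk.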
@@ -95,14 +167,21 @@ class SettingsForm extends ConfigFormBase {
   public function submitForm(array &$form, FormStateInterface $form_state) {
     parent::submitForm($form, $form_state);
 
+    // Get configuration and update it from form.
     $config = $this->config('relaxed.settings');
-    $password = $form_state->getValue('password') ?: base64_decode($config->get('password'));
-
     $config
       ->set('api_root', $form_state->getValue('api_root'))
       ->set('username', $form_state->getValue('username'))
-      ->set('password', base64_encode($password))
+      ->set('encrypt', $form_state->getValue('encrypt'))
+      ->set('encrypt_profile', $form_state->getValue('encrypt_profile'))
       ->save();
+
+    // If a password is entered then update it.
+    $password = $form_state->getValue('password');
+    if ($password) {
+      $password = \Drupal::service('relaxed.sensitive_data.transformer')->set($password);
+      $config->set('password', $password)->save();
+    }
   }
 
 }
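Review bot: The password is transformed by a service that copies `encrypt` and `encrypt_profile` in its constructor, so the result depends on whether the container built `relaxed.sensitive_data.transformer` before or after the first `->save()` in this method. If it was instantiated earlier in the request (presumably possible now that CouchdbReplicator takes it as an argument), the password is written under the old settings while the config already says otherwise, and it will not decrypt later. Reading both settings inside the transformer's get() and set() instead of the constructor removes the ordering dependency, and setting `password` in the same chain avoids the second save.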
diff --git a/src/SensitiveDataTransformer.php b/src/SensitiveDataTransformer.php
new file mode 100644
index 0000000..58d14a5
--- /dev/null
+++ b/src/SensitiveDataTransformer.php
@@ -0,0 +1,101 @@
+<?php
+
+namespace Drupal\relaxed;
+
+use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\encrypt\Entity\EncryptionProfile;
+
+/**
+ * Class SensitiveDataTransformer.
+ *
+ * @package Drupal\relaxed
+ */
+class SensitiveDataTransformer {
+
+  /**
+   * Encryption is enabled or not.
+   *
+   * @var bool
+   */
+  protected $encrypt;
+
+  /**
+   * The encryption profile to use.
+   *
+   * @var string
+   */
+  protected $encryptProfile;
+
+  /**
+   * Encryption service.
+   *
+   * @var Drupal\encrypt\EncryptionProfileManagerInterface
+   */
+  protected $encryption;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected $encryptionProfile;
+
+  /**
+   * Constructs an Encrypt object.
+   *
+   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
+   *   A config factory for retrieving required config objects.
+   */
+  public function __construct(ConfigFactoryInterface $config_factory) {
+    $settings = $config_factory->get('relaxed.settings');
+    $this->encrypt = $settings->get('encrypt');
+    $this->encryptProfile = $settings->get('encrypt_profile');
+    if ($this->encrypt && $this->encryptProfile) {
+      $this->setEncryption();
+    }
+  }
+
+  /**
+   * Sets up encryption if needed.
+   */
+  public function setEncryption() {
+    // Load the encryption profile if available.
+    $this->encryption = \Drupal::service('encryption');
+    $this->encryptionProfile = EncryptionProfile::load($this->encryptProfile);
+  }
+
+  /**
+   * Gets a value.
+   *
+   * @param string $value
+   *   The value to transform.
+   *
+   * @return string
+   *   The transformed value depending on the settings.
+   */
+  public function get($value) {
+    $value = base64_decode($value);
+
+    if ($this->encrypt) {
+      $value = $this->encryption->decrypt($value, $this->encryptionProfile);
+    }
+
+    return $value;
+  }
+
+  /**
+   * Sets a value.
+   *
+   * @param string $value
+   *   The value to transform.
+   *
+   * @return string
+   *   The transformed value depending on the settings.
+   */
+  public function set($value) {
+    if ($this->encrypt) {
+      $value = $this->encryption->encrypt($value, $this->encryptionProfile);
+    }
+
+    return base64_encode($value);
+  }
+
+}
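Review bot: get() and set() test only `$this->encrypt`, while the constructor calls setEncryption() only when `encrypt` and `encrypt_profile` are both set, so with encryption on and no profile configured both methods call a method on NULL. A profile that has been deleted leaves `$this->encryptionProfile` NULL after `EncryptionProfile::load()` and reaches encrypt()/decrypt() the same way. The transformer should fail closed with an explicit exception before either call, and never fall back to base64-only storage; get() needs the same guard as set() below. On documentation: `{@inheritdoc}` on `$encryptionProfile` has nothing to inherit from, "Constructs an Encrypt object." names the wrong class, and the `@var` on `$encryption` names the profile manager interface although the property holds the `encryption` service.

```php
  public function set($value) {
    if ($this->encrypt) {
      // Fail closed: never store a value base64-only while encryption is on.
      $this->assertEncryptionReady();
      // … unchanged: encrypt() call …
    }
    // … unchanged: return base64_encode($value) …
  }

  /**
   * Ensures the encryption service and profile were loaded.
   *
   * @throws \RuntimeException
   *   When encryption is enabled but the service or profile is missing.
   */
  protected function assertEncryptionReady() {
    if (!$this->encryption || !$this->encryptionProfile) {
      throw new \RuntimeException('Encryption is enabled in relaxed.settings but no usable encryption profile is loaded.');
    }
  }
```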
diff --git a/tests/src/Functional/RelaxedEncryptTest.php b/tests/src/Functional/RelaxedEncryptTest.php
new file mode 100644
index 0000000..979292d
--- /dev/null
+++ b/tests/src/Functional/RelaxedEncryptTest.php
@@ -0,0 +1,78 @@
+<?php
+
+namespace Drupal\Tests\relaxed\Functional;
+
+use Drupal\encrypt\Entity\EncryptionProfile;
+use Drupal\key\Entity\Key;
+use Drupal\Tests\BrowserTestBase;
+
+/**
+ * @group relaxed
+ */
+class RelaxedEncryptTest extends BrowserTestBase {
+
+  /**
+   * Modules to enable for this test.
+   *
+   * @var string[]
+   */
+  public static $modules = [
+    'key',
+    'encrypt',
+    'encrypt_test',
+    'relaxed',
+    'replication',
+    'multiversion',
+    'key_value',
+    'serialization',
+    'rest',
+    'basic_auth'
+  ];
+
+  /**
+   * Tests encrypt integration.
+   */
+  public function testEncryptIntegration() {
+    // Create a 256bit testkey.
+    $key_256 = Key::create([
+      'id' => 'testing_key_256',
+      'label' => 'Testing Key 256 bit',
+      'key_type' => "encryption",
+      'key_type_settings' => ['key_size' => '256'],
+      'key_provider' => 'config',
+      'key_provider_settings' => ['key_value' => 'mustbesixteenbitmustbesixteenbit'],
+    ]);
+    $key_256->save();
+
+    // Create an Encrption Profile.
+    $encryption_profile = EncryptionProfile::create([
+      'id' => 'encryption_profile',
+      'label' => 'Encryption profile',
+      'encryption_method' => 'test_encryption_method',
+      'encryption_key' => 'testing_key_256',
+    ]);
+    $encryption_profile->save();
+
+    // Login as root.
+    $this->drupalLogin($this->rootUser);
+
+    // Add a replication username and password, enable encryption and set
+    // encryption profile.
+    $this->drupalGet('/admin/config/relaxed/settings');
+    $page = $this->getSession()->getPage();
+    $page->fillField('edit-username', 'replication_user');
+    $page->fillField('edit-password', 'replication_password');
+    $page->checkField('edit-encrypt');
+    $page->selectFieldOption('edit-encrypt-profile', 'encryption_profile');
+    $page->pressButton('Save configuration');
+    $this->assertSession()->pageTextContains('The configuration options have been saved.');
+
+    $config = \Drupal::config('relaxed.settings');
+    $transformer = \Drupal::service('relaxed.sensitive_data.transformer');
+    // Make sure the password is not stored in plain text.
+    $this->assertNotEquals('replication_password', $config->get('password'));
+    // Make sure the decrypted password matches the one entered.
+    $this->assertEquals('replication_password', $transformer->get($config->get('password')));
+  }
+
+}
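Review bot: The "not stored in plain text" assertion would also pass with encryption switched off, because the transformer base64-encodes every value and the stored string never equals `'replication_password'`. To show that the encryption profile was actually applied, add `$this->assertNotEquals(base64_encode('replication_password'), $config->get('password'));`. A second case that changes `encrypt_profile` without re-entering credentials would cover the new validation branch in SettingsForm.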
