diff --git a/docs/v1.X/docs/references/crowdsec-config.md b/docs/v1.X/docs/references/crowdsec-config.md
index e569a1f5e..95a752954 100644
--- a/docs/v1.X/docs/references/crowdsec-config.md
+++ b/docs/v1.X/docs/references/crowdsec-config.md
@@ -4,6 +4,7 @@
 
 ## Configuration example
 
+
 <details>
   <summary>Default configuration</summary>
 
@@ -63,6 +64,30 @@ prometheus:
 
 </details>
 
+## Environment variable
+
+It is possible to set a configuration value based on an enrivonement variables.
+
+For example, if you don't want to store your database password in the configuration file, you can do this:
+
+```yaml
+db_config:
+  type:     mysql
+  user:     database_user
+  password: ${DB_PASSWORD}  
+  db_name:  db_name
+  host:     192.168.0.2   
+  port:     3306 
+```
+
+And export the environment variable such as:
+
+```bash
+export DB_PASSWORD="<db_password>"
+```
+
+!!! warning 
+    **Note**: you need to be `root` or put the environment variable in `/etc/environement`
 
 ## Configuration format
 
diff --git a/pkg/csconfig/config.go b/pkg/csconfig/config.go
index 433783d5d..084067ac4 100644
--- a/pkg/csconfig/config.go
+++ b/pkg/csconfig/config.go
@@ -3,6 +3,7 @@ package csconfig
 import (
 	"fmt"
 	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -40,7 +41,8 @@ func (c *GlobalConfig) LoadConfigurationFile(path string) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to read config file")
 	}
-	err = yaml.UnmarshalStrict(fcontent, c)
+	configData := os.ExpandEnv(string(fcontent))
+	err = yaml.UnmarshalStrict([]byte(configData), c)
 	if err != nil {
 		return errors.Wrap(err, "failed unmarshaling config")
 	}