diff --git a/secrets-backup/.gitignore b/secrets-backup/.gitignore
new file mode 100644
index 0000000..c4c9c1e
--- /dev/null
+++ b/secrets-backup/.gitignore
@@ -0,0 +1,4 @@
+# Ignore all secrets
+*
+!.gitignore
+!README.md
diff --git a/secrets-backup/README.md b/secrets-backup/README.md
new file mode 100644
index 0000000..66422ea
--- /dev/null
+++ b/secrets-backup/README.md
@@ -0,0 +1,41 @@
+# 🔐 Secrets Backup - AI-Impress
+
+This directory contains exported secrets from HashiCorp Vault.
+
+**⚠️ SECURITY WARNING:**
+- This folder is excluded from Git
+- Files are synced via Syncthing (encrypted)
+- Never commit secrets to version control
+- Keep this folder secure
+
+## Structure
+
+```
+secrets-backup/
+├── vault-export.json           # Full Vault export (JSON)
+├── credentials.md              # Human-readable credentials
+├── services/                   # Per-service credentials
+│   ├── odoo.json
+│   ├── authentik.json
+│   ├── n8n.json
+│   └── ...
+└── last-sync.txt               # Last sync timestamp
+```
+
+## Export Script
+
+Secrets are exported automatically using:
+```bash
+/opt/05-backups/scripts/export-vault-secrets.sh
+```
+
+## Manual Export
+
+```bash
+ssh ubuntu@51.89.231.46
+/opt/05-backups/scripts/export-vault-secrets.sh
+```
+
+## Last Updated
+
+Run `cat last-sync.txt` to see last sync time.