diff --git a/osm_ee/frontend_server.py b/osm_ee/frontend_server.py
index 079503d1e9e50f6408e83df933f6e566810ec2b9..32b3afe279db973153cfc6802f6cbd2784bb2676 100644
--- a/osm_ee/frontend_server.py
+++ b/osm_ee/frontend_server.py
@@ -33,6 +33,7 @@ from osm_ee.frontend_pb2 import SshKeyRequest, SshKeyReply
 from osm_ee.base_ee import BaseEE
 import osm_ee.util.util_ee as util_ee
+import osm_ee.util.util_grpc as util_grpc
 class FrontendExecutor(FrontendExecutorBase):
@@ -75,7 +76,7 @@ async def main(*, host: str = '0.0.0.0', port: int = 50051) -> None:
 # Start server
 server = Server([FrontendExecutor()])
 with graceful_exit([server]):
- await server.start(host, port)
+ await server.start(host, port, ssl=util_grpc.create_secure_context())
 logging.getLogger('osm_ee.frontend_server').debug(f'Serving on {host}:{port}')
 await server.wait_closed()
diff --git a/osm_ee/util/util_grpc.py b/osm_ee/util/util_grpc.py
new file mode 100644
index 0000000000000000000000000000000000000000..df904c1a2104693f0db6f5954c0775b69b2bb5fd
--- /dev/null
+++ b/osm_ee/util/util_grpc.py
@@ -0,0 +1,26 @@
+import logging
+import ssl
+
+logger = logging.getLogger("osm_ee.util_grpc")
+
+SERVER_CERT = "/etc/ssl/grpc-tls/tls.crt"
+SERVER_KEY = "/etc/ssl/grpc-tls/tls.key"
+
+
+def create_secure_context() -> ssl.SSLContext:
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ # ctx.verify_mode = ssl.CERT_REQUIRED
+ try:
+ ctx.load_cert_chain(str(SERVER_CERT), str(SERVER_KEY))
+ except FileNotFoundError:
+ logger.warning("TLS Certificate not found, starting gRPC server in unsecure mode")
+ return None
+ # TODO: client TLS
+ # ctx.load_verify_locations(str(trusted))
+ ctx.set_ciphers('ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20')
+ ctx.set_alpn_protocols(['h2'])
+ try:
+ ctx.set_npn_protocols(['h2'])
+ except NotImplementedError:
+ pass
+ return ctx
\ No newline at end of file
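Review bot: The new `ssl=util_grpc.create_secure_context()` argument can be `None` — the helper returns `None` when the certificate files are absent — so `main` silently falls back to a plaintext listener on `0.0.0.0` with nothing but a warning logged from inside the helper. A missing key pair is a deployment error rather than a mode to run in; I would fail closed at this call site, e.g. `ssl_ctx = util_grpc.create_secure_context()` / `if ssl_ctx is None: raise RuntimeError('gRPC TLS context unavailable; refusing to start in plaintext')` / `await server.start(host, port, ssl=ssl_ctx)`, with plaintext allowed only behind an explicit opt-out setting if development really needs it. The `Serving on` debug line just below is also the natural place to record which mode the server actually came up in. `main`'s body begins and ends outside the hunk.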
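Review bot: The annotation `-> ssl.SSLContext` on `create_secure_context` does not match the `except FileNotFoundError` branch, which returns `None` and turns a missing key pair into a fail-open plaintext server; either declare it `-> ssl.SSLContext | None` (or `typing.Optional[ssl.SSLContext]` on older interpreters) so callers must handle it, or, better, let the `FileNotFoundError` propagate so the failure cannot be overlooked. Only `FileNotFoundError` is caught while an unreadable key or a certificate/key mismatch (`PermissionError`, `ssl.SSLError`) still propagates, which is the right direction, so the one swallowed case stands out as the inconsistency. The context also pins no protocol floor: `PROTOCOL_TLS_SERVER` only disables TLS 1.0/1.1 by default on Python 3.10+, so add `ctx.minimum_version = ssl.TLSVersion.TLSv1_2` right after the constructor, and `set_npn_protocols` is deprecated since 3.10, so the `try/except NotImplementedError` around it can go once ALPN alone is relied on. The commented-out `# ctx.verify_mode = ssl.CERT_REQUIRED` and `# ctx.load_verify_locations(str(trusted))` lines should be folded into one `# TODO(owner): client certificates are not verified (verify_mode stays CERT_NONE); wire load_verify_locations + CERT_REQUIRED` rather than left as dead code. Minor: `SERVER_CERT`/`SERVER_KEY` are already `str`, so the `str(...)` wrappers in `load_cert_chain` are redundant.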