diff --git a/ansible/inventory/group_vars/desktop.yml b/ansible/inventory/group_vars/desktop.yml
index d43c891..37c7674 100644
--- a/ansible/inventory/group_vars/desktop.yml
+++ b/ansible/inventory/group_vars/desktop.yml
@@ -29,6 +29,10 @@ profile_packages:
 - network-manager-applet
 - chromium
 - emacs-gtk3
+ - mu4e
+ - isync
+ - msmtp
+ - libsecret
 - libtool
 - libvterm-devel
 - cmake
@@ -120,6 +124,14 @@ desktop_dotfiles:
 src: .themes.gitignore
 dest: .themes.gitignore
 mode: "0644"
+ - name: .mbsyncrc
+ src: .mbsyncrc
+ dest: .mbsyncrc
+ mode: "0600"
+ - name: .msmtprc
+ src: .msmtprc
+ dest: .msmtprc
+ mode: "0600"
 - name: Emacs config
 src: .emacs.d/
 dest: .emacs.d/
diff --git a/ansible/roles/profile_desktop_i3/tasks/main.yml b/ansible/roles/profile_desktop_i3/tasks/main.yml
index b810da2..fd37be6 100644
--- a/ansible/roles/profile_desktop_i3/tasks/main.yml
+++ b/ansible/roles/profile_desktop_i3/tasks/main.yml
@@ -63,6 +63,15 @@
 group: "{{ user_group }}"
 mode: "0600"
+- name: Store iCloud mail password in GNOME Keyring
+ ansible.builtin.command:
+ cmd: secret-tool store --label="iCloud Mail" icloud-mail icloud
+ stdin: "{{ vault_icloud_mail_password }}"
+ stdin_add_newline: false
+ become: false
+ no_log: true
+ when: (vault_icloud_mail_password | default('')) | length > 0
+
 - name: Ensure local source directory exists
 ansible.builtin.file:
 path: "{{ user_home }}/.local/src"
diff --git a/ansible/site.yml b/ansible/site.yml
index 7c102c6..448f7e5 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -7,6 +7,11 @@
 - hosts: void
 become: true
+ pre_tasks:
+ - name: Load local vault variables when available
+ ansible.builtin.include_vars:
+ file: "{{ playbook_dir }}/../secrets/vault.yml"
+ when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != ''
 roles:
 - packages_void
diff --git a/scripts/update_protonmail_bridge_secret.sh b/scripts/update_protonmail_bridge_secret.sh
new file mode 100755
index 0000000..a08bc60
--- /dev/null
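Review bot: `libsecret` only installs the `secret-tool` client; the `secret-tool store` task this commit adds to the i3 role needs a running Secret Service provider (a `gnome-keyring` daemon with an unlocked default collection on the session bus), and nothing in this hunk installs one. Unless `gnome-keyring` is already listed further up in `profile_packages` (the list starts before the hunk, so I cannot see it), add `- gnome-keyring` next to `- libsecret` and make sure the i3 session actually starts and unlocks the daemon (PAM module or session startup), otherwise both the Ansible task and the helper script will fail at store time.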
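Review bot: `mode: "0600"` on `.mbsyncrc` and `.msmtprc` protects only the deployed copies; the sources come from the dotfiles tree this repo ships, so any literal `Pass`/`password` inside them would still be committed in the clear. Since the same commit puts the mailbox password into the keyring, the configs should resolve it at runtime rather than embed it — `PassCmd "secret-tool lookup icloud-mail icloud"` in `.mbsyncrc` and `passwordeval "secret-tool lookup icloud-mail icloud"` in `.msmtprc` — so the files hold no secret at all. The file contents are not part of this diff, so treat this as a check to confirm, not a found defect.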
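Review bot: `secret-tool store` talks to the Secret Service over the user's session D-Bus, and in a non-interactive Ansible connection `DBUS_SESSION_BUS_ADDRESS` is normally unset and the keyring locked, so on a fresh host this task is likely to fail (or block on an unlock prompt) instead of storing the password; with `become: false` it also runs as the connection user, which is only right if that user is the desktop account whose `{{ user_home }}` the role manages. Either run it as the desktop user with `become_user` and point it at that user's bus (`environment:` with `DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/<uid>/bus"`, which presumes a logged-in session), or document that this step must be run from an interactive session the way `scripts/update_protonmail_bridge_secret.sh` is. The `command` module will also report `changed` on every run; a `secret-tool lookup icloud-mail icloud` check feeding `changed_when`, or a plain `changed_when: false`, keeps the play idempotent. `no_log: true` is correctly set and the secret goes via stdin rather than argv, which is the right shape.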
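Review bot: the new `include_vars` task needs `no_log: true`: the module returns the loaded variables in its task result (`ansible_facts`), so a run with `-v` prints the decrypted `vault_icloud_mail_password` to the terminal and to any log sink. The existence check reads more naturally with the native test than a fileglob string comparison: `when: (playbook_dir ~ '/../secrets/vault.yml') is file`. Decrypting the committed vault also requires a vault password to be supplied (the `.gitignore` hunk hints at `secrets/.vault_pass`), so set `vault_password_file` in `ansible.cfg` or document `--vault-password-file`, otherwise every checkout without it fails at this task.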
+++ b/scripts/update_protonmail_bridge_secret.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+set -eu
+
+printf "Proton Bridge password: "
+stty -echo
+IFS= read -r proton_bridge_password
+stty echo
+printf "\n"
+
+if [ -z "$proton_bridge_password" ]; then
+ printf "Error: empty password, nothing stored.\n" >&2
+ exit 1
+fi
+
+printf "%s" "$proton_bridge_password" \
+ | secret-tool store --label="ProtonMail Bridge" protonmail-bridge protonmail
+
+printf "ProtonMail Bridge secret updated in GNOME Keyring.\n"
diff --git a/secrets/.gitignore b/secrets/.gitignore
new file mode 100644
index 0000000..e045166
--- /dev/null
+++ b/secrets/.gitignore
@@ -0,0 +1,2 @@
+.vault_pass
+.vault_pass*
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/secrets/vault.yml b/secrets/vault.yml
new file mode 100644
index 0000000..e8a8305
--- /dev/null
+++ b/secrets/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35326663666435356232666461316532653434653734613832646461666566373762613863653630
+6661663665613230343037313762643662663339383339320a366562326231663637643639633431
+62663231386339343033633662363531623931386239343532636530353735623233396238613666
+3330653433356539320a353930626335663331333433386139393538343232636161396464306632
+66336530366531656261316634663265363731666638323863313762373766303839363463633835
+66653733373961636165393462376561666531343230626338333333373663613133633937336539
+353632303535393564636232626135313630
diff --git a/secrets/vault.yml.example b/secrets/vault.yml.example
new file mode 100644
index 0000000..e071e94
--- /dev/null
+++ b/secrets/vault.yml.example
@@ -0,0 +1,2 @@
+---
+vault_icloud_mail_password: "REPLACE_ME"
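Review bot: terminal echo is switched off with `stty -echo` but only restored on the happy path, so a Ctrl-C at the prompt (or any failure under `set -e`) leaves the caller's shell with echo disabled; add `trap 'stty echo' EXIT INT TERM` just before the `stty -echo` line, after which the explicit `stty echo` following `read` is a harmless duplicate. The secret handling itself is sound: the password reaches `secret-tool` on stdin rather than argv, and `printf "%s"` stores it without a trailing newline, which matches `stdin_add_newline: false` in the Ansible task so both paths store identical bytes. As a small hardening, `unset proton_bridge_password` right after the store so the value does not outlive its one use in the shell process.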
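Review bot: committing the ciphertext is acceptable, but it makes the vault passphrase the only thing between the repository and the mailbox password: Ansible Vault format 1.1 derives the AES-256 key with PBKDF2-HMAC-SHA256 at 10,000 iterations, which is cheap to attack offline, so the value in `secrets/.vault_pass` must be long and random (a generated 32+ character string, not a memorable phrase), and the iCloud app-specific password should be rotated if this repository has ever been public. Because `secrets/vault.yml` is tracked while `.gitignore` only covers `.vault_pass*`, anyone who copies `vault.yml.example` to `vault.yml` and forgets `ansible-vault encrypt` will commit the plaintext on the next `git add`; a pre-commit hook that rejects the file unless its first line is `$ANSIBLE_VAULT;1.1;AES256` closes that hole, and a one-line note in `vault.yml.example` saying the file must be encrypted before commit would help too.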