diff --git a/passbolt/passbolt.yaml b/passbolt/passbolt.yaml
index 826dde4..548c9d4 100644
--- a/passbolt/passbolt.yaml
+++ b/passbolt/passbolt.yaml
@@ -121,6 +121,11 @@ spec:
 env:
 - name: APP_FULL_BASE_URL
 value: "https://pb.roysland.net"
+ # Must match the server key on the gpg PVC (uid passbolt@yourdomain.com).
+ # Without it passbolt's config fingerprint mismatches the actual key and
+ # the GPG login handshake fails (web login loops back to the login page).
+ - name: PASSBOLT_GPG_SERVER_KEY_FINGERPRINT
+ value: "1471F6B122637CC7A95E63DCA214B492C0F7DF56"
 - name: DATASOURCES_DEFAULT_HOST
 value: "mariadb"
 - name: DATASOURCES_DEFAULT_PORT
@@ -140,8 +145,12 @@ spec:
 secretKeyRef:
 name: passbolt-secrets
 key: DATASOURCES_DEFAULT_DATABASE
+ # TLS is terminated by Traefik, which forwards plain HTTP to :80.
+ # The container must NOT force its own HTTP->HTTPS redirect or it
+ # creates an infinite redirect loop. APP_FULL_BASE_URL stays https
+ # so generated links remain https.
 - name: PASSBOLT_SSL_FORCE
- value: "true"
+ value: "false"
 ports:
 - containerPort: 80
 - containerPort: 443
@@ -170,6 +179,16 @@ spec:
 - port: 80
 targetPort: 80
 ---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: https-redirect
+ namespace: passbolt
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -177,6 +196,8 @@ metadata:
 namespace: passbolt
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt
+ # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
+ traefik.ingress.kubernetes.io/router.middlewares: passbolt-https-redirect@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
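Review bot: The comment above `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` names the key uid as `passbolt@yourdomain.com`, which reads like a documentation placeholder and does not match the `pb.roysland.net` host on the preceding `APP_FULL_BASE_URL` line; if the server key on the PVC carries a different uid, the comment points the next operator at the wrong key. Consider rewording it to `# Must match the fingerprint of the server key stored on the gpg PVC; if that key is ever regenerated, update this value in the same change.` or stating the real uid. The fingerprint itself is a public key identifier, not a secret, so keeping it as a literal `value` rather than a Secret reference is appropriate.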
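Review bot: With `PASSBOLT_SSL_FORCE` set to `"false"` the container no longer sees the client connection as HTTPS, so the `Secure` flag on session cookies and any scheme-dependent behaviour inside the app may now depend on it trusting Traefik's `X-Forwarded-Proto` header; that trust is not visible in this hunk and is worth confirming before relying on the proxy-level redirect alone. Because the pod now accepts plaintext on :80 without redirecting, it would also be reasonable to add a NetworkPolicy limiting ingress to :80 from the Traefik namespace so in-cluster clients cannot bypass TLS termination. The unchanged `containerPort: 443` entry is not referenced by anything in the diff; the comment block could state why it stays, or it could be dropped.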
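Review bot: The new `https-redirect` Middleware moves the HTTP->HTTPS redirect to the proxy, but nothing in the diff emits a `Strict-Transport-Security` header, so every fresh browser session still makes one plaintext request before being redirected. A second Traefik `headers` Middleware setting `stsSeconds` closes that gap; it would be chained on the Ingress annotation in the last hunk as `passbolt-https-redirect@kubernetescrd,passbolt-hsts-headers@kubernetescrd`. The `permanent: true` redirect is fine for an HTTPS-only host, though note browsers cache it, so the https listener must stay available.
```yaml
# … unchanged: https-redirect Middleware above …
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hsts-headers
  namespace: passbolt
spec:
  headers:
    stsSeconds: 31536000
```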
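Review bot: The `traefik.ingress.kubernetes.io/router.middlewares` annotation only redirects if the routers Traefik builds from this Ingress also listen on the plain-HTTP `web` entrypoint; the entrypoints annotation, if any, is outside the hunk, so it is worth confirming the Ingress is exposed on both `web` and `websecure`, otherwise plaintext requests never reach the middleware and the container (now with `PASSBOLT_SSL_FORCE` false) would serve them unredirected. Suggest extending the new comment to `# Force HTTP->HTTPS at Traefik; requires the router to be bound to the web entrypoint as well as websecure.` to make that dependency explicit.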