diff --git a/bridgehead b/bridgehead
index ef6bd8b..9a5b1fa 100755
--- a/bridgehead
+++ b/bridgehead
@@ -46,6 +46,7 @@ source /etc/bridgehead/site.conf
 case "$ACTION" in
 start)
 checkRequirements
+ fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env || exit 1
 exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up
 ;;
 stop)
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 73e3910..612818a 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -79,11 +79,7 @@ services:
 APP_BROKER_AUTHTOKEN: ${CCP_SEARCHBROKER_PASSWORD}
 APP_STORE_BASEURL: "http://bridgehead-ccp-blaze:8080/fhir"
 SPRING_DATASOURCE_URL: "jdbc:postgresql://bridgehead-ccp-share-db:5432/dktk-fed-search-share"
- JAVA_TOOL_OPTIONS: "-Xmx1g"
- http_proxy: "http://bridgehead-forward-proxy:3128"
- https_proxy: "http://bridgehead-forward-proxy:3128"
- HTTP_PROXY: "http://bridgehead-forward-proxy:3128"
- HTTPS_PROXY: "http://bridgehead-forward-proxy:3128"
+ JAVA_TOOL_OPTIONS: -Xmx1g -Dhttp.proxyHost=bridgehead-forward-proxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=bridgehead-forward-proxy -Dhttps.proxyPort=3128 -Dhttp.noProxyHosts="bridgehead-*"
 depends_on:
 - ccp-search-share-db
 - blaze
diff --git a/lib/functions.sh b/lib/functions.sh
index 03def34..b313b0e 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
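Review bot: `$PROJECT` is expanded unquoted in the new fetchVarsFromVault call, so a value containing whitespace or glob characters would be split into extra arguments to the `cat` inside that function; quote it as `fetchVarsFromVault /etc/bridgehead/site.conf "/etc/bridgehead/$PROJECT.env" || exit 1` (the exec line below has the same pattern, but that is pre-existing). `|| exit 1` also discards the status that fetchVarsFromVault propagates from the vault fetcher; `|| exit` with no argument would keep it. The enclosing `case "$ACTION"` block continues outside the hunk.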
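Review bot: The proxy exclusion in the new JAVA_TOOL_OPTIONS line uses `-Dhttp.noProxyHosts`, which is not a JVM networking property; the recognised name is `http.nonProxyHosts`, and it covers both http and https. As written the JVM would ignore the exclusion and presumably send the APP_STORE_BASEURL call to bridgehead-ccp-blaze (context line above) through bridgehead-forward-proxy as well. Proposed line: `JAVA_TOOL_OPTIONS: -Xmx1g -Dhttp.proxyHost=bridgehead-forward-proxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=bridgehead-forward-proxy -Dhttps.proxyPort=3128 -Dhttp.nonProxyHosts=bridgehead-*`; the double quotes around the pattern are unnecessary since it contains no spaces, and whether the JVM strips them from JAVA_TOOL_OPTIONS is something to confirm rather than rely on. Dropping the http_proxy/HTTP_PROXY variables also means anything non-JVM in the container no longer sees a proxy, which is fine only if the image runs nothing but the Java application.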
@@ -23,3 +23,43 @@ checkRequirements() {
 return 0
 fi
 }
+
+fetchVarsFromVault() {
+ VARS_TO_FETCH=""
+
+ for line in $(cat $@); do
+ if [[ $line =~ .*=\.* ]]; then
+ VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
+ fi
+ done
+
+ if [ -z "$VARS_TO_FETCH" ]; then
+ return 0
+ fi
+
+ log INFO "Fetching secrets from vault ..."
+
+ [ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
+
+ if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
+ log ERROR "Please supply correct credentials in /etc/bridgehead/vault.conf."
+ return 1
+ fi
+
+ set +e
+
+ PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
+ RET=$?
+
+ if [ $RET -ne 0 ]; then
+ echo "Code: $RET"
+ echo $PASS
+ return $RET
+ fi
+
+ eval $(echo -e "$PASS" | sed 's/\r//g')
+
+ set -e
+
+ return 0
+}
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index f8b342a..8deaf67 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -69,6 +69,13 @@ if [ ! -e "certs/traefik.crt" ]; then
 openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi
 
+if [ -e /etc/bridgehead/vault.conf ]; then
+ if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+ log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
+ exit 1
+ fi
+fi
+
 log INFO "Success - all prerequisites are met!"
 exit 0
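Review bot: `eval $(echo -e "$PASS" | sed 's/\r//g')` executes whatever the samply/bridgehead-vaultfetcher container printed as shell code inside the calling script, so the image (and the vault behind it) is trusted to emit only `NAME=value` lines; any other line from either would run with the privileges of the bridgehead script. The unquoted `$(...)` additionally word-splits and glob-expands that output, and `echo -e` rewrites backslash sequences inside the values, so a secret containing `\n` or `*` would be altered before it is assigned. Reading the output line by line, accepting only lines that match `^[A-Za-z_][A-Za-z0-9_]*=` and assigning the remainder verbatim keeps the assignment semantics of the eval without interpreting the value (this assumes the fetcher prints plain `NAME=value` lines; if it prefixes `export`, extend the pattern accordingly). Two smaller points in the same hunk: the `return $RET` branch leaves `set +e` in effect for the caller (add `set -e` before it), and `echo $PASS` on that branch prints the fetcher's raw output, which may include whatever it emitted before failing. Finally, `for line in $(cat $@)` word-splits on every blank and the regex `.*=\.*` matches any line containing `=` (the `\.*` is zero or more literal dots), comments included, so the variable list handed to the fetcher may be broader than intended.
```shell
  # Accept only NAME=value lines from the fetcher; anything else is an error,
  # not shell code to be executed.
  while IFS= read -r line; do
    line=${line%$'\r'}
    [ -z "$line" ] && continue
    if [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]]; then
      printf -v "${line%%=*}" '%s' "${line#*=}"
    else
      set -e
      log ERROR "Unexpected output from vault fetcher; refusing to evaluate it."
      return 1
    fi
  done <<<"$PASS"

  set -e
  # … unchanged: return 0 …
```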
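Review bot: The owner/permission check on /etc/bridgehead/vault.conf is enforced only here in prerequisites.sh, while the `source /etc/bridgehead/vault.conf` that actually reads the credentials sits in lib/functions.sh with no check of its own; unless prerequisites.sh is guaranteed to run before every start (I cannot tell from this diff), the file can be loosened after the check and still be sourced. Putting the same stat comparison immediately before the source, or in a small helper called from both places, keeps the check and the read together. Two minor points: `stat -c` is GNU coreutils syntax (fine for Linux hosts, but not BSD stat), and `stat` without `-L` reports the symlink itself when the path is a link, so a symlinked config is rejected with the wrong-permissions message even if its target is 600 — acceptable fail-closed behaviour, but worth a comment such as `# vault.conf must be a regular file owned by bridgehead with mode 600 (symlinks are rejected)`.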