diff --git a/.env b/.env
index 999bf60..9103096 100644
--- a/.env
+++ b/.env
@@ -6,8 +6,8 @@
 POSTGRES_PASSWORD="password123"
 POSTGRES_USER="postgres"
 POSTGRES_DB="postgres"
-SMTP_HOST=
-SMTP_USER=
-SMTP_PASSWORD=
-SMTP_PORT=
-FROM_ADDRESS=
+SMTP_HOST=""
+SMTP_USER=""
+SMTP_PASSWORD=""
+SMTP_PORT=""
+FROM_ADDRESS=""
diff --git a/.gitignore b/.gitignore
index 794bbc7..c82a594 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,9 @@
 .vscode/
 
 # jetbrains
-.idea/
\ No newline at end of file
+.idea/
+
+# certs
+*.crt
+*.key
+*.csr
diff --git a/docker-compose.yml b/docker-compose.yml
index 444cbcc..eb151b3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,18 +8,27 @@ services:
 restart: always
 volumes:
 - data:/var/lib/postgresql/data
+ - ./postgresql.conf:/etc/postgresql/config/postgresql.conf:ro
+ - ./tls/certs/root.crt:/etc/postgres/security/root.crt:ro
+ - ./tls/certs/server.crt:/etc/postgres/security/server.crt:ro
+ - ./tls/certs/server.key:/etc/postgres/security/server.key:ro
+ command: -c config_file=/etc/postgresql/config/postgresql.conf
 env_file: .env.local
 
 otel-collector:
 image: otel/opentelemetry-collector-contrib
 volumes:
- - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml
+ - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro
 
 server:
 build:
 context: ./server
 dockerfile: Dockerfile
 restart: always
+ volumes:
+ - ./tls/certs/client.crt:/client.crt:ro
+ - ./tls/certs/client.key:/client.key:ro
+ - ./tls/certs/root.crt:/root.crt:ro
 env_file: .env.local
 ports:
 - 8080:8080
diff --git a/gen_certs.sh b/gen_certs.sh
new file mode 100755
index 0000000..2838480
--- /dev/null
+++ b/gen_certs.sh
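Review bot: The new ignore patterns miss `*.srl`, and this same commit tracks `tls/certs/root.srl`, the serial file that `openssl x509 -CAcreateserial` rewrites every time gen_certs.sh signs a certificate, so the file will show up as modified after each regeneration. Add `*.srl` under the `# certs` group and drop the tracked copy with `git rm --cached tls/certs/root.srl`. The `.placeholder` file already keeps the directory in the repository, so nothing else under `tls/certs/` needs to be committed.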
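Review bot: The postgres service mounts a postgresql.conf but no pg_hba.conf, so whether connections must use TLS and whether the mounted root.crt is ever used to check a client certificate is still decided by the pg_hba.conf the image generated at initdb (not visible here), which in the official image accepts password authentication over plain `host` lines. Mounting a one-line `hostssl all all all scram-sha-256 clientcert=verify-full` file next to it and adding `-c hba_file=/etc/postgresql/config/pg_hba.conf` to `command` is what turns the certificate plumbing added here into an enforced policy. Separately, every bind-mount source under `./tls/certs` is gitignored by this same commit; on a fresh checkout that has not run gen_certs.sh, Docker typically creates empty directories at those paths and postgres fails at startup with an unhelpful error, so a comment above the volumes such as `# run ./gen_certs.sh first – these files are not in git` would save the next person a debugging session.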
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+(
+ cd ./tls/certs
+
+ # root certs
+ echo "Generating root certificates..."
+ openssl genrsa -out root.key 4096
+ openssl req -new -x509 -days 365 -subj "/CN=pepp" \
+ -key root.key -out root.crt -config ../config/root.conf
+
+ # server certs
+ echo "Generating server certificates..."
+ openssl genrsa -out server.key 4096
+ openssl req -new -key server.key -subj "/CN=postgres" \
+ -config ../config/server_client.conf -extensions req_ext -out server.csr
+ openssl x509 -req -in server.csr -days 365 \
+ -CA root.crt -CAkey root.key -CAcreateserial -out server.crt \
+ -extfile ../config/server_client.conf -extensions req_ext
+
+ echo "Setting correct server.key ownership."
+ sudo chmod 600 server.key
+ sudo chown 70:70 server.key
+
+ # client certs
+ echo "Generating client certificates..."
+ openssl genrsa -out client.key 4096
+ openssl req -new -key client.key -subj "/CN=client" \
+ -config ../config/server_client.conf -extensions req_ext -out client.csr
+ openssl x509 -req -in client.csr -days 365 \
+ -CA root.crt -CAkey root.key -CAcreateserial -out client.crt \
+ -extfile ../config/server_client.conf -extensions req_ext
+
+ echo "Successfully created all certificates!"
+ echo
+)
+
+echo "You can now start the application"
+echo
+echo " docker compose up -d && docker compose logs -f"
diff --git a/postgresql.conf b/postgresql.conf
new file mode 100644
index 0000000..617210f
--- /dev/null
+++ b/postgresql.conf
@@ -0,0 +1,6 @@
+ssl = on
+ssl_ca_file = '/etc/postgres/security/root.crt'
+ssl_cert_file = '/etc/postgres/security/server.crt'
+ssl_key_file = '/etc/postgres/security/server.key'
+password_encryption = scram-sha-256
+listen_addresses = '*'
diff --git a/server/db/init.go b/server/db/init.go
index 552d61d..8fdf310 100644
--- a/server/db/init.go
+++ b/server/db/init.go
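Review bot: Only server.key has its permissions tightened (`sudo chmod 600 server.key` / `sudo chown 70:70 server.key`); root.key and client.key are left with whatever the caller's umask produced, which openssl does not restrict. lib/pq refuses to load an `sslkey` that is group- or world-readable, so the server container will likely fail to connect until client.key is mode 0600 and readable by the uid the server image runs as (not visible here), and root.key is the CA signing key and deserves at least the same protection. Adding `umask 077` right after `set -euo pipefail` covers all three keys at creation time and leaves only the chown needing `sudo`. The hard-coded `70:70` appears to be the postgres uid of the alpine image variant; a comment stating that (the debian variant uses 999) would help whoever changes the base image.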
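Review bot: `ssl = on` only makes TLS available — it does not refuse plaintext connections, and `ssl_ca_file` is consulted only when pg_hba.conf asks for it via `clientcert=verify-ca|verify-full` or the `cert` auth method, none of which this commit configures, so the client certificate the application presents is presumably never checked. A pg_hba.conf with `hostssl all all all scram-sha-256 clientcert=verify-full` and no plain `host` line, referenced with `-c hba_file=...` from docker-compose, would close that gap; note that `verify-full` requires the certificate CN to equal the database role name, while gen_certs.sh issues the client certificate with `CN=client` for a `postgres` user, so either the CN or a `map=` entry has to be aligned. `password_encryption = scram-sha-256` only affects passwords set after it takes effect; the password stored at initdb keeps whatever hashing was in force then. A comment on the `ssl = on` line saying that enforcement lives in pg_hba.conf would stop a reader from assuming this file alone mandates TLS.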
@@ -7,21 +7,19 @@ import (
 "os"
 
 "github.com/FachschaftMathPhysInfo/pepp/server/models"
+ _ "github.com/lib/pq"
+ log "github.com/sirupsen/logrus"
 "github.com/uptrace/bun"
 "github.com/uptrace/bun/dialect/pgdialect"
- "github.com/uptrace/bun/driver/pgdriver"
 "github.com/uptrace/bun/extra/bunotel"
 "go.opentelemetry.io/otel/sdk/trace"
 )
 
 func Init(ctx context.Context, tracer *trace.TracerProvider) (*bun.DB, *sql.DB, error) {
- db_user := os.Getenv("POSTGRES_USER")
- db_pw := os.Getenv("POSTGRES_PASSWORD")
- db_db := os.Getenv("POSTGRES_DB")
- dsn := fmt.Sprintf("postgres://%s:%s@postgres:5432/%s?sslmode=disable",
- db_user, db_pw, db_db)
-
- sqldb := sql.OpenDB(pgdriver.NewConnector(pgdriver.WithDSN(dsn)))
+ sqldb, err := connectTCPSocket()
+ if err != nil {
+ return nil, nil, err
+ }
 
 db := bun.NewDB(sqldb, pgdialect.New())
 
@@ -80,3 +78,32 @@ func createTables(ctx context.Context, db *bun.DB, tables []interface{}) error {
 
 return nil
 }
+
+func connectTCPSocket() (*sql.DB, error) {
+ mustGetenv := func(k string) string {
+ v := os.Getenv(k)
+ if v == "" {
+ log.Fatalf("Fatal Error in init.go: %s environment variable not set.", k)
+ }
+ return v
+ }
+
+ var (
+ dbUser = mustGetenv("POSTGRES_USER")
+ dbPwd = mustGetenv("POSTGRES_PASSWORD")
+ dbName = mustGetenv("POSTGRES_DB")
+ )
+
+ dbURI := fmt.Sprintf("host=postgres user=%s password=%s database=%s sslmode=verify-full sslrootcert=root.crt sslcert=client.crt sslkey=client.key",
+ dbUser, dbPwd, dbName)
+
+ dbPool, err := sql.Open("postgres", dbURI)
+ if err != nil {
+ return nil, fmt.Errorf("sql.Open: %w", err)
+ }
+ if err = dbPool.Ping(); err != nil {
+ log.Fatal("DB unreachable:", err)
+ }
+
+ return dbPool, nil
+}
diff --git a/server/db/seed.go b/server/db/seed.go
index 936af8d..b5b5f0f 100644
--- a/server/db/seed.go
+++ b/server/db/seed.go
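Review bot: `Init` receives a `ctx` but the new `connectTCPSocket()` call does not take it, so the connection attempt that follows cannot be cancelled or bounded by the caller's deadline; passing it through as `connectTCPSocket(ctx)` and using `PingContext(ctx)` inside keeps startup cancellable. Because the helper calls `log.Fatalf`/`log.Fatal` on its own failure paths, the `if err != nil { return nil, nil, err }` branch added here is currently unreachable except for the `sql.Open` case — one layer should own the decision to exit the process. The body of `Init` continues past the end of this hunk.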
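Review bot: The DSN on the `dbURI := fmt.Sprintf(...)` line is assembled from unquoted environment values in keyword/value form, where whitespace ends a value: a `POSTGRES_PASSWORD` containing a space, `'` or `\` either breaks parsing or lets the remainder be read as further keywords (for instance `sslmode=disable`), silently weakening the `verify-full` setting this change introduces. Building the connection string with `net/url` (lib/pq accepts `postgres://` URLs and escapes the parsed values itself) removes that, and returning the ping error instead of calling `log.Fatal` gives `Init`'s caller a live error path; the sketch below does both and needs `"net/url"` added to the import block. Separately, `sslrootcert=root.crt`, `sslcert=client.crt` and `sslkey=client.key` are resolved against the process working directory while docker-compose mounts them at `/root.crt`, `/client.crt` and `/client.key`, so this only works if the Dockerfile (not visible here) sets `WORKDIR /`; absolute paths or an environment variable for the certificate directory would be more robust.
```go
func connectTCPSocket() (*sql.DB, error) {
	// … unchanged: mustGetenv and the dbUser/dbPwd/dbName block …

	// Build the DSN as a URL so a password containing spaces, quotes or
	// backslashes cannot terminate the value and inject extra keywords.
	q := url.Values{}
	q.Set("sslmode", "verify-full")
	q.Set("sslrootcert", "root.crt")
	q.Set("sslcert", "client.crt")
	q.Set("sslkey", "client.key")
	dsn := (&url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(dbUser, dbPwd),
		Host:     "postgres",
		Path:     "/" + dbName,
		RawQuery: q.Encode(),
	}).String()

	dbPool, err := sql.Open("postgres", dsn)
	if err != nil {
		return nil, fmt.Errorf("sql.Open: %w", err)
	}
	// Let the caller decide whether an unreachable database is fatal.
	if err := dbPool.Ping(); err != nil {
		dbPool.Close()
		return nil, fmt.Errorf("ping postgres: %w", err)
	}
	return dbPool, nil
}
```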
@@ -3,11 +3,11 @@ package db
 import (
 "context"
 "fmt"
- "log"
 "strconv"
 "time"
 
 "github.com/FachschaftMathPhysInfo/pepp/server/models"
+ log "github.com/sirupsen/logrus"
 "github.com/uptrace/bun"
 )
 
diff --git a/server/go.mod b/server/go.mod
index a003708..3eee147 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -6,14 +6,15 @@ require (
 github.com/99designs/gqlgen v0.17.49
 github.com/arran4/golang-ical v0.3.1
 github.com/go-chi/chi/v5 v5.1.0
+ github.com/lib/pq v1.10.9
 github.com/matcornic/hermes/v2 v2.1.0
 github.com/ravilushqa/otelgqlgen v0.16.0
 github.com/riandyrn/otelchi v0.9.0
 github.com/robfig/cron/v3 v3.0.1
 github.com/rs/cors v1.11.0
+ github.com/sirupsen/logrus v1.9.3
 github.com/uptrace/bun v1.2.1
 github.com/uptrace/bun/dialect/pgdialect v1.2.1
- github.com/uptrace/bun/driver/pgdriver v1.2.1
 github.com/uptrace/bun/extra/bunotel v1.2.1
 github.com/vektah/gqlparser/v2 v2.5.16
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0
@@ -79,5 +80,4 @@ require (
 google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- mellium.im/sasl v0.3.1 // indirect
 )
diff --git a/server/go.sum b/server/go.sum
index 8bc1ac3..11dda08 100644
--- a/server/go.sum
+++ b/server/go.sum
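Review bot: The driver swap replaces `github.com/uptrace/bun/driver/pgdriver` with `github.com/lib/pq`, whose own README describes the package as being in maintenance mode and points new users at pgx, so the project is taking on a dependency that receives fixes but no development. If the motivation was client-certificate TLS, pgdriver appears to accept a `*tls.Config` (with `RootCAs` and `Certificates`) through `pgdriver.WithTLSConfig`, which would have kept the bun-native driver and its SCRAM support via `mellium.im/sasl`; if lib/pq is the deliberate choice, the reason belongs in the commit message so the question is not re-asked at the next dependency review.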
@@ -77,6 +77,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/matcornic/hermes/v2 v2.1.0 h1:9TDYFBPFv6mcXanaDmRDEp/RTWj0dTTi+LpFnnnfNWc= github.com/matcornic/hermes/v2 v2.1.0/go.mod h1:2+ziJeoyRfaLiATIL8VZ7f9hpzH4oDHqTmn0bhrsgVI= github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= @@ -114,6 +116,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sosodev/duration v1.3.1 h1:qtHBDMQ6lvMQsL15g4aopM4HEfOaYuhWBw3NPTtlqq4= github.com/sosodev/duration v1.3.1/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg= github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo= 
@@ -131,8 +135,6 @@ github.com/uptrace/bun v1.2.1 h1:2ENAcfeCfaY5+2e7z5pXrzFKy3vS8VXvkCag6N2Yzfk= github.com/uptrace/bun v1.2.1/go.mod h1:cNg+pWBUMmJ8rHnETgf65CEvn3aIKErrwOD6IA8e+Ec= github.com/uptrace/bun/dialect/pgdialect v1.2.1 h1:ceP99r03u+s8ylaDE/RzgcajwGiC76Jz3nS2ZgyPQ4M= github.com/uptrace/bun/dialect/pgdialect v1.2.1/go.mod h1:mv6B12cisvSc6bwKm9q9wcrr26awkZK8QXM+nso9n2U= -github.com/uptrace/bun/driver/pgdriver v1.2.1 h1:Cp6c1tKzbTIyL8o0cGT6cOhTsmQZdsUNhgcV51dsmLU= -github.com/uptrace/bun/driver/pgdriver v1.2.1/go.mod h1:jEd3WGx74hWLat3/IkesOoWNjrFNUDADK3nkyOFOOJM= github.com/uptrace/bun/extra/bunotel v1.2.1 h1:5oTy3Jh7Q1bhCd5vnPszBmJgYouw+PuuZ8iSCm+uNCQ= github.com/uptrace/bun/extra/bunotel v1.2.1/go.mod h1:SWW3HyjiXPYM36q0QSpdtTP8v21nWHnTCxu4lYkpO90= github.com/uptrace/opentelemetry-go-extra/otelsql v0.2.4 h1:x3omFAG2XkvWFg1hvXRinY2ExAL1Aacl7W9ZlYjo6gc= @@ -208,6 +210,7 @@ golang.org/x/sys v0.0.0-20190225065934-cc5685c2db12/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -262,5 +265,3 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-mellium.im/sasl v0.3.1 h1:wE0LW6g7U83vhvxjC1IY8DnXM+EU095yeo8XClvCdfo=
-mellium.im/sasl v0.3.1/go.mod h1:xm59PUYpZHhgQ9ZqoJ5QaCqzWMi8IeS49dhp6plPCzw=
diff --git a/server/server.go b/server/server.go
index 86b4066..28f1030 100644
--- a/server/server.go
+++ b/server/server.go
@@ -2,7 +2,6 @@ package main
 
 import (
 "context"
- "log"
 "net/http"
 "net/http/httputil"
 "net/url"
@@ -22,6 +21,7 @@ import (
 "github.com/riandyrn/otelchi"
 "github.com/robfig/cron/v3"
 "github.com/rs/cors"
+ log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -66,11 +66,11 @@ func main() {
 hourlyTracer := maintenanceTracer.Tracer("hourly")
 
 if err := maintenance.DeleteUnconfirmedPeople(ctx, &resolver, hourlyTracer); err != nil {
- log.Println("Error deleting unconfirmed people:", err)
+ log.Error("Error deleting unconfirmed people:", err)
 }
 
 if err := maintenance.CleanSessionIds(ctx, &resolver, hourlyTracer); err != nil {
- log.Println("Error cleaning session ids:", err)
+ log.Error("Error cleaning session ids:", err)
 }
 })
 c.Start()
diff --git a/server/tracing/init.go b/server/tracing/init.go
index 0734040..f706a75 100644
--- a/server/tracing/init.go
+++ b/server/tracing/init.go
@@ -2,9 +2,9 @@ package tracing
 
 import (
 "context"
- "fmt"
 "time"
 
+ log "github.com/sirupsen/logrus"
 "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
 "go.opentelemetry.io/otel/sdk/resource"
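Review bot: `log.Error("Error deleting unconfirmed people:", err)` hands both arguments to logrus's `fmt.Sprint`-style formatting, which inserts no separator between a string operand and the following value, so the message comes out as `...people:pq: ...`; the replaced `log.Println` added the space. Since the point of moving to logrus is structured output, `log.WithError(err).Error("deleting unconfirmed people")` — and the same shape for the session-id cleanup two lines below — puts the error in its own field instead of gluing it to the message. The cron callback and `main` continue outside this hunk.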
@@ -28,7 +28,7 @@ func InitTracing(serviceName string) *sdktrace.TracerProvider {
 ctx,
 otlptracegrpc.WithGRPCConn(collectorConn))
 if err != nil {
- fmt.Println("failed to create exporter", err)
+ log.Error("failed to create exporter", err)
 }
 
 res, err := resource.New(
@@ -39,7 +39,7 @@ func InitTracing(serviceName string) *sdktrace.TracerProvider {
 resource.WithHost(),
 resource.WithOSType())
 if err != nil {
- fmt.Print("resource creation failed", err)
+ log.Error("resource creation failed", err)
 }
 
 tp := sdktrace.NewTracerProvider(
@@ -60,6 +60,6 @@ func mustConnGRPC(ctx context.Context, conn **grpc.ClientConn, addr string) {
 grpc.WithStatsHandler(otelgrpc.NewClientHandler()))
 
 if err != nil {
- panic(fmt.Sprintf("grpc: failed to connect %s", addr))
+ log.Fatal("grpc: failed to connect %s", addr)
 }
 }
diff --git a/tls/certs/.placeholder b/tls/certs/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/tls/certs/root.srl b/tls/certs/root.srl
new file mode 100644
index 0000000..3be6703
--- /dev/null
+++ b/tls/certs/root.srl
@@ -0,0 +1 @@
+5CBC3B5D5E557F0ABB2A981CD276AF89164931B3
diff --git a/tls/config/root.conf b/tls/config/root.conf
new file mode 100644
index 0000000..2d30400
--- /dev/null
+++ b/tls/config/root.conf
@@ -0,0 +1,12 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+organizationName = Fachschaft MathPhysInfo
+commonName = pepp
+commonName_max = 64
+
+[ v3_ca ]
+basicConstraints = CA:true
diff --git a/tls/config/server_client.conf b/tls/config/server_client.conf
new file mode 100644
index 0000000..aac01ab
--- /dev/null
+++ b/tls/config/server_client.conf
@@ -0,0 +1,15 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+
+[ req_distinguished_name ]
+commonName = pepp
+commonName_max = 64
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = postgres
+IP.1 = 127.0.0.1
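Review bot: `log.Fatal("grpc: failed to connect %s", addr)` is not a formatting call, so the output contains the literal `%s` glued to the address, and the `err` that explains the failure is still discarded as it was with the old `panic`. Use `log.Fatalf("grpc: failed to connect %s: %v", addr, err)`. The two `log.Error("...", err)` calls earlier in this file have the milder form of the same problem — logrus formats with `fmt.Sprint`, which puts no separator between a string and a following error — and `log.WithError(err).Error("failed to create exporter")` avoids both. `mustConnGRPC`'s signature is in the hunk header only; the function starts outside the hunk.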
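Review bot: The single `req_ext` section is applied to both the server and the client certificate by gen_certs.sh, so client.crt carries `subjectAltName = DNS:postgres, IP:127.0.0.1` and no `extendedKeyUsage` — to any verifier trusting root.crt it is a valid *server* certificate for `postgres` as well. Anyone holding client.key (the application container, or a copy of the file) could present it as the database and pass the Go client's `verify-full` check, because Go treats a certificate with no EKU as valid for every purpose. Splitting the extensions into a server section with `extendedKeyUsage = serverAuth` and a client section with `extendedKeyUsage = clientAuth` and no SAN, and passing `-extensions server_ext` / `-extensions client_ext` from gen_certs.sh, binds each key to its role; a comment at the top of the file saying which section each certificate uses would keep the two from drifting back together.
```ini
[ server_ext ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
keyUsage = critical, digitalSignature, keyEncipherment

[ client_ext ]
extendedKeyUsage = clientAuth
keyUsage = critical, digitalSignature

# … unchanged: [ alt_names ] …
```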