diff --git a/.secrets.baseline b/.secrets.baseline
index 7cb5eeda5..84b1a9a1a 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -155,7 +155,7 @@
         "filename": "fence/config-default.yaml",
         "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
         "is_verified": false,
-        "line_number": 31
+        "line_number": 32
       }
     ],
     "fence/local_settings.example.py": [
diff --git a/fence/config-default.yaml b/fence/config-default.yaml
index 6776d4455..3375eeeef 100755
--- a/fence/config-default.yaml
+++ b/fence/config-default.yaml
@@ -28,6 +28,7 @@ BASE_URL: 'http://localhost/user'
 # postgres db to connect to
 # connection url format:
 #     postgresql://[user[:password]@][netloc][:port][/dbname]
+# can also be set via env var DB
 DB: 'postgresql://test:test@localhost:5432/fence'
 
 # A URL-safe base64-encoded 32-byte key for encrypting keys in db
diff --git a/fence/config.py b/fence/config.py
index 32eed9575..ca149991d 100644
--- a/fence/config.py
+++ b/fence/config.py
@@ -49,6 +49,13 @@ def post_process(self):
         for default in defaults:
             self.force_default_if_none(default, default_cfg=default_config)
 
+        # allow setting DB connection string via env var
+        if os.environ.get("DB"):
+            logger.info("Found environment variable 'DB': overriding 'DB' field from config file")
+            self["DB"] = os.environ["DB"]
+        else:
+            logger.info("Environment variable 'DB' empty or not set: using 'DB' field from config file")
+
         if "ROOT_URL" not in self._configs and "BASE_URL" in self._configs:
             url = urllib.parse.urlparse(self._configs["BASE_URL"])
             self._configs["ROOT_URL"] = "{}://{}".format(url.scheme, url.netloc)