diff --git a/clusters/cl01tl/manifests/garage/ExternalSecret-garage-db-backup-secret-remote.yaml b/clusters/cl01tl/manifests/garage/ExternalSecret-garage-db-backup-secret-remote.yaml
new file mode 100644
index 000000000..6d17daac6
--- /dev/null
+++ b/clusters/cl01tl/manifests/garage/ExternalSecret-garage-db-backup-secret-remote.yaml
@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: garage-db-backup-secret-remote
+  namespace: garage
+spec:
+  data:
+    - remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-remote
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+      secretKey: BUCKET_ENDPOINT
+    - remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-remote
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+      secretKey: RESTIC_PASSWORD
+    - remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_REGION
+      secretKey: AWS_DEFAULT_REGION
+    - remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+      secretKey: AWS_ACCESS_KEY_ID
+    - remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+      secretKey: AWS_SECRET_ACCESS_KEY
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      data:
+        RESTIC_REPOSITORY: '/garage/garage-db'
+      engineVersion: v2
+      mergePolicy: Merge