diff --git a/.env b/.env
index 39be639d..f6e7f89a 100644
--- a/.env
+++ b/.env
@@ -1,4 +1,5 @@
 POSTGRES_HOST=127.0.0.1
+POSTGRES_SSL=
 HMAC_SECRET_ADMIN=xxxxxxx
 NSQD_HTTP_PORT=4151
 SHLVL=1
diff --git a/src/_db/commands/up/pg.ts b/src/_db/commands/up/pg.ts
index 1a7a659e..c39ba85a 100644
--- a/src/_db/commands/up/pg.ts
+++ b/src/_db/commands/up/pg.ts
@@ -37,7 +37,9 @@ export const handler = async (argv) => {
   try {
     const postgrator = (await import("postgrator")).default;
     logger.child({ up: "pg", schemaPath: argv.schemaPath }).info("beginning handler");
-    const cs = `tcp://${argv.postgresUser}:${argv.postgresPassword}@${argv.postgresHost}:${argv.postgresPort}/${argv.postgresDatabase}`;
+    const cs = `tcp://${argv.postgresUser}:${argv.postgresPassword}@${argv.postgresHost}:${
+      argv.postgresPort
+    }/${argv.postgresDatabase}${argv.postgresSsl ? "?sslmode=require" : ""}`;
     const client = new pg.Client(cs);
     // Establish a database connection
     await client.connect();
diff --git a/src/config.ts b/src/config.ts
index 49ecd6e8..14694073 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -10,6 +10,7 @@ export default {
   EXPORT_PAGE_SIZE_INTERNAL: process.env.EXPORT_PAGE_SIZE_INTERNAL || env.EXPORT_PAGE_SIZE_INTERNAL || 10000,
   POSTGRES_PASSWORD: process.env.POSTGRES_PASSWORD || env.POSTGRES_PASSWORD,
   POSTGRES_POOL_SIZE: process.env.POSTGRES_POOL_SIZE || env.POSTGRES_POOL_SIZE || 20,
+  POSTGRES_SSL: process.env.POSTGRES_SSL || env.POSTGRES_SSL,
   HMAC_SECRET_VIEWER: process.env.HMAC_SECRET_VIEWER || env.HMAC_SECRET_VIEWER,
   POSTGRES_PORT: process.env.POSTGRES_PORT || env.POSTGRES_PORT,
   API_BASE_URL_PATH: process.env.API_BASE_URL_PATH || env.API_BASE_URL_PATH,
diff --git a/src/persistence/pg.ts b/src/persistence/pg.ts
index 1b3c7125..f791c9c8 100644
--- a/src/persistence/pg.ts
+++ b/src/persistence/pg.ts
@@ -15,6 +15,7 @@ export default function getPgPool(): pg.Pool {
       host: config.POSTGRES_HOST,
       port: Number(config.POSTGRES_PORT),
       max: Number(config.POSTGRES_POOL_SIZE) || 20,
+      ssl: config.POSTGRES_SSL || false,
       idleTimeoutMillis: Number(config.PUBLISHER_CREATE_EVENT_TIMEOUT) || 2000, // how long a client is allowed to remain idle before being closed
     });